Practical Windows Forensics

Book Description

Leverage the power of digital forensics for Windows systems

About This Book

  • Build your own lab environment to analyze forensic data and practice techniques.

  • This book offers meticulous coverage with an example-driven approach and helps you build the key skills of performing forensics on Windows-based systems using digital artifacts.

  • It uses specific open source and Linux-based tools so you can become proficient at analyzing forensic data and upgrade your existing knowledge.

Who This Book Is For

This book targets forensic analysts and professionals who would like to develop skills in digital forensic analysis for the Windows platform. You will acquire the proficiency, knowledge, and core skills needed to undertake forensic analysis of digital data.

Prior experience in information security and forensic analysis would be helpful. You will gain knowledge and an understanding of performing forensic analysis with tools built especially for the Windows platform.

What You Will Learn

  • Perform live analysis on victim or suspect Windows systems locally or remotely.

  • Understand the different natures and acquisition techniques of volatile and non-volatile data.

  • Create a timeline of all the system actions to restore the history of an incident.

  • Recover and analyze data from FAT and NTFS file systems.

  • Make use of various tools to perform registry analysis.

  • Track a system user's browser and e-mail activities to prove or refute some hypotheses.

  • Get to know how to dump and analyze computer memory.

In Detail

Over the last few years, the wave of cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system internals, of how to extract evidentiary data from digital evidence, and of the best use of digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence effectively, and walk you through the various stages of the analysis process.

We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.

Style and approach

This is a step-by-step guide that delivers knowledge about different Windows artifacts. Each topic is explained sequentially, including artifact analysis using different tools and techniques. These techniques make use of the evidence extracted from infected machines, and are accompanied by real-life examples.

Downloading the example code for this book: you can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code files.

Table of Contents

    1. Practical Windows Forensics
      1. Practical Windows Forensics
      2. Credits
      3. About the Authors
      4. About the Reviewers
      5. www.PacktPub.com
        1. Why subscribe?
        2. Free access for Packt account holders
      6. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the color images of this book
          2. Errata
          3. Piracy
          4. Questions
      7. 1. The Foundations and Principles of Digital Forensics
        1. What is digital crime?
        2. Digital forensics
        3. Digital evidence
        4. Digital forensic goals
        5. Analysis approaches
        6. Summary
      8. 2. Incident Response and Live Analysis
        1. Personal skills
          1. Written communication
          2. Oral communication
          3. Presentation skills
          4. Diplomacy
          5. The ability to follow policies and procedures
          6. Team skills
          7. Integrity
          8. Knowing one's limits
          9. Coping with stress
          10. Problem solving
          11. Time management
          12. Technical skills
        2. Security fundamentals
          1. Security principles
          2. Security vulnerabilities and weaknesses
          3. The Internet
          4. Risks
          5. Network protocols
          6. Network applications and services
          7. Network security issues
          8. Host or system security issues
          9. Malicious code
          10. Programming skills
          11. Incident handling skills
        3. The hardware for IR and Jump Bag
          1. Software
          2. Live versus mortem
          3. Volatile data
          4. Nonvolatile data
          5. Registry data
        4. Remote live response
        5. Summary
      9. 3. Volatile Data Collection
        1. Memory acquisition
          1. Issues related to memory access
            1. Choosing a tool
            2. DumpIt
            3. FTK Imager
          2. Acquiring memory from a remote computer using iSCSI
          3. Using the Sleuth Kit
        2. Network-based data collection
          1. Hubs
          2. Switches
          3. Tcpdump
          4. Wireshark
          5. Tshark
          6. Dumpcap
        3. Summary
      10. 4. Nonvolatile Data Acquisition
        1. Forensic image
        2. Incident Response CDs
          1. DEFT
          2. Helix
        3. Live imaging of a hard drive
          1. FTK imager in live hard drive acquisition
          2. Imaging over the network with FTK imager
          3. Incident response CDs in live acquisition
        4. Linux for the imaging of a hard drive
          1. The dd tool
            1. dd over the network
        5. Virtualization in data acquisition
        6. Evidence integrity (the hash function)
        7. Disk wiping in Linux
        8. Summary
      11. 5. Timeline
        1. Timeline introduction
        2. The Sleuth Kit
        3. Super timeline – Plaso
        4. Plaso architecture
          1. Preprocessing
          2. Collection
          3. Worker
          4. Storage
        5. Plaso in practice
          1. Analyzing the results
        6. Summary
      12. 6. Filesystem Analysis and Data Recovery
        1. Hard drive structure
          1. Master boot record
          2. Partition boot sector
          3. The filesystem area in partition
          4. Data area
        2. The FAT filesystem
          1. FAT components
          2. FAT limitations
        3. The NTFS filesystem
          1. NTFS components
          2. Master File Table (MFT)
        4. The Sleuth Kit (TSK)
          1. Volume layer (media management)
          2. Filesystem layer
          3. The metadata layer
            1. istat
            2. icat
            3. ifind
          4. The filename layer
          5. Data unit layer (Block)
            1. blkcat
            2. blkls
            3. Blkcalc
        5. Autopsy
        6. Foremost
        7. Summary
      13. 7. Registry Analysis
        1. The registry structure
          1. Root keys
            1. HKEY_CLASSES_ROOT or HKCR
            2. HKEY_LOCAL_MACHINE
            3. HKEY_USERS or HKU
            4. HKEY_CURRENT_USER or HKCU
          2. Mapping a hive to the filesystem
        2. Backing up the registry files
        3. Extracting registry hives
          1. Extracting registry files from a live system
          2. Extracting registry files from a forensic image
        4. Parsing registry files
          1. The base block
          2. Hbin and CELL
        5. Auto-run keys
        6. Registry analysis
          1. RegistryRipper
          2. Sysinternals
          3. MiTeC Windows registry recovery
        7. Summary
      14. 8. Event Log Analysis
        1. Event Logs - an introduction
        2. Event Logs system
          1. Security Event Logs
        3. Extracting Event Logs
          1. Live systems
          2. Offline system
          3. Event Viewer
          4. Event Log Explorer
          5. Useful resources
          6. Analyzing the event log – an example
        4. Summary
      15. 9. Windows Files
        1. Windows prefetch files
          1. Prefetch file analysis
        2. Windows tasks
        3. Windows Thumbs DB
          1. Thumbcache analysis
          2. Corrupted Windows.edb files
        4. Windows RecycleBin
          1. RECYCLER
          2. $Recycle.bin
        5. Windows shortcut files
          1. Shortcut analysis
        6. Summary
      16. 10. Browser and E-mail Investigation
        1. Browser investigation
        2. Microsoft Internet Explorer
          1. History files
            1. History.IE5
            2. IEHistoryView
            3. BrowsingHistoryView
            4. MiTeC Internet History browser
          2. Cache
            1. Content.IE5
            2. IECacheView
            3. Msiecf parser (Plaso framework)
          3. Cookies
            1. IECookiesView
            2. Favorites
            3. FavoritesView
          4. Session restore
            1. MiTeC SSV
            2. Inprivate mode
          5. WebCacheV#.dat
            1. ESEDatabaseView
        3. Firefox
          1. Places.sqlite
            1. MozillaHistoryView
          2. Cookies.sqlite
            1. MozillaCookiesView
          3. Cache
            1. MozillaCacheView
        4. Other browsers
        5. E-mail investigation
          1. Outlook PST file
          2. Outlook OST files
          3. EML and MSG files
          4. DBX (Outlook Express)
          5. PFF Analysis (libpff)
          6. Other tools
        6. Summary
      17. 11. Memory Forensics
        1. Memory structure
        2. Memory acquisition
        3. The sources of memory dump
          1. Hibernation file
          2. Crash dump
          3. Page files
        4. Processes in memory
        5. Network connections in memory
        6. The DLL injection
          1. Remote DLL injection
          2. Remote code injection
          3. Reflective DLL injection
        7. API hooking
        8. Memory analysis
          1. The volatility framework
            1. Volatility plugins
              1. imagecopy
              2. raw2dmp
              3. imageprofile
              4. pslist
              5. psscan
              6. pstree
              7. psxview
              8. getsids
              9. dlllist
              10. handles
              11. filescan
              12. procexedump
              13. memdump
              14. svcscan
              15. connections
              16. connscan
              17. sockets
              18. sockscan
              19. Netscan
              20. hivelist and printkey
              21. malfind
              22. vaddump
              23. apihooks
              24. mftparser
        9. Summary
      18. 12. Network Forensics
        1. Network data collection
        2. Exploring logs
        3. Using tcpdump
        4. Using tshark
        5. Using WireShark
          1. Fields with more information
        6. Knowing Bro
        7. Summary
      19. appA. Building a Forensic Analysis Environment
        1. Factors that need to be considered
          1. Size
          2. Environment control
          3. Security
          4. Software
          5. Hardware
            1. Virtualization
            2. Virtualization benefits for forensics
          6. The distributed forensic system
            1. GRR
              1. Server installation
              2. Client installation
              3. Browsing with the newly-connected client
              4. Start a new flow
      20. appB. Case Study
        1. Introduction
        2. Scenario
        3. Acquisition
        4. Live analysis
          1. The running processes
          2. Network activities
          3. Autorun keys
        5. Prefetch files
        6. Browser analysis
        7. Postmortem analysis
          1. Memory analysis
          2. Network analysis
          3. Timeline analysis
        8. Summary