Practical Windows Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
1. The Foundations and Principles of Digital Forensics
What is digital crime?
Digital forensics
Digital evidence
Digital forensic goals
Analysis approaches
Summary
2. Incident Response and Live Analysis
Personal skills
Written communication
Oral communication
Presentation skills
Diplomacy
The ability to follow policies and procedures
Team skills
Integrity
Knowing one's limits
Coping with stress
Problem solving
Time management
Technical skills
Security fundamentals
Security principles
Security vulnerabilities and weaknesses
The Internet
Risks
Network protocols
Network applications and services
Network security issues
Host or system security issues
Malicious code
Programming skills
Incident handling skills
The hardware for IR and Jump Bag
Software
Live versus mortem
Volatile data
Nonvolatile data
Registry data
Remote live response
Summary
3. Volatile Data Collection
Memory acquisition
Issues related to memory access
Choosing a tool
DumpIt
FTK Imager
Acquiring memory from a remote computer using iSCSI
Using the Sleuth Kit
Network-based data collection
Hubs
Switches
Tcpdump
Wireshark
Tshark
Dumpcap
Summary
4. Nonvolatile Data Acquisition
Forensic image
Incident Response CDs
DEFT
Helix
Live imaging of a hard drive
FTK imager in live hard drive acquisition
Imaging over the network with FTK imager
Incident response CDs in live acquisition
Linux for the imaging of a hard drive
The dd tool
dd over the network
Virtualization in data acquisition
Evidence integrity (the hash function)
Disk wiping in Linux
Summary
5. Timeline
Timeline introduction
The Sleuth Kit
Super timeline – Plaso
Plaso architecture
Preprocessing
Collection
Worker
Storage
Plaso in practice
Analyzing the results
Summary
6. Filesystem Analysis and Data Recovery
Hard drive structure
Master boot record
Partition boot sector
The filesystem area in partition
Data area
The FAT filesystem
FAT components
FAT limitations
The NTFS filesystem
NTFS components
Master File Table (MFT)
The Sleuth Kit (TSK)
Volume layer (media management)
Filesystem layer
The metadata layer
istat
icat
ifind
The filename layer
Data unit layer (Block)
blkcat
blkls
blkcalc
Autopsy
Foremost
Summary
7. Registry Analysis
The registry structure
Root keys
HKEY_CLASSES_ROOT or HKCR
HKEY_LOCAL_MACHINE
HKEY_USERS or HKU
HKEY_CURRENT_USER or HKCU
Mapping a hive to the filesystem
Backing up the registry files
Extracting registry hives
Extracting registry files from a live system
Extracting registry files from a forensic image
Parsing registry files
The base block
Hbin and CELL
Auto-run keys
Registry analysis
RegistryRipper
Sysinternals
MiTeC Windows registry recovery
Summary
8. Event Log Analysis
Event Logs - an introduction
Event Logs system
Security Event Logs
Extracting Event Logs
Live systems
Offline system
Event Viewer
Event Log Explorer
Useful resources
Analyzing the event log – an example
Summary
9. Windows Files
Windows prefetch files
Prefetch file analysis
Windows tasks
Windows Thumbs DB
Thumbcache analysis
Corrupted Windows.edb files
Windows RecycleBin
RECYCLER
$Recycle.bin
Windows shortcut files
Shortcut analysis
Summary
10. Browser and E-mail Investigation
Browser investigation
Microsoft Internet Explorer
History files
History.IE5
IEHistoryView
BrowsingHistoryView
MiTeC Internet History browser
Cache
Content.IE5
IECacheView
Msiecf parser (Plaso framework)
Cookies
IECookiesView
Favorites
FavoritesView
Session restore
MiTeC SSV
Inprivate mode
WebCacheV#.dat
ESEDatabaseView
Firefox
Places.sqlite
MozillaHistoryView
Cookies.sqlite
MozillaCookiesView
Cache
MozillaCacheView
Other browsers
E-mail investigation
Outlook PST file
Outlook OST files
EML and MSG files
DBX (Outlook Express)
PFF Analysis (libpff)
Other tools
Summary
11. Memory Forensics
Memory structure
Memory acquisition
The sources of memory dump
Hibernation file
Crash dump
Page files
Processes in memory
Network connections in memory
The DLL injection
Remote DLL injection
Remote code injection
Reflective DLL injection
API hooking
Memory analysis
The volatility framework
Volatility plugins
imagecopy
raw2dmp
imageprofile
pslist
psscan
pstree
psxview
getsids
dlllist
handles
filescan
procexedump
memdump
svcscan
connections
connscan
sockets
sockscan
netscan
hivelist and printkey
malfind
vaddump
apihooks
mftparser
Summary
12. Network Forensics
Network data collection
Exploring logs
Using tcpdump
Using tshark
Using Wireshark
Fields with more information
Knowing Bro
Summary
Appendix A. Building a Forensic Analysis Environment
Factors that need to be considered
Size
Environment control
Security
Software
Hardware
Virtualization
Virtualization benefits for forensics
The distributed forensic system
GRR
Server installation
Client installation
Browsing with the newly-connected client
Start a new flow
Appendix B. Case Study
Introduction
Scenario
Acquisition
Live analysis
The running processes
Network activities
Autorun keys
Prefetch files
Browser analysis
Postmortem analysis
Memory analysis
Network analysis
Timeline analysis
Summary