Title Page
Copyright
Windows Forensics Cookbook
Credits
About the Authors
About the Reviewer
www.PacktPub.com
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Sections
Getting ready
How to do it…
How it works…
There's more…
See also
Conventions
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
Digital Forensics and Evidence Acquisition
Introduction
Why Windows?
Windows file system
Identifying evidence sources
Ensuring evidence is forensically sound
Writing reports
Digital forensic investigation - an international field
What can we do to make things easier for ourselves in the meantime?
Challenges of acquiring digital evidence from Windows systems
Windows Memory Acquisition and Analysis
Introduction
Windows memory acquisition with Belkasoft RAM Capturer
Getting ready
How to do it…
How it works…
See also
Windows memory acquisition with DumpIt
Getting ready
How to do it…
How it works…
See also
Windows memory image analysis with Belkasoft Evidence Center
Getting ready
How to do it...
How it works...
See also
Windows memory image analysis with Volatility
Getting ready
How to do it...
How it works...
See also
Variations in Windows versions
Getting ready
How to do it...
There is more...
Windows Drive Acquisition
Introduction
Drive acquisition in E01 format with FTK Imager
Getting ready
How to do it...
How it works...
See more
Drive acquisition in RAW format with dc3dd
Getting ready
How to do it...
How it works...
See also
Mounting forensic images with Arsenal Image Mounter
Getting ready
How to do it...
How it works...
See also
Windows File System Analysis
Introduction
NTFS Analysis with The Sleuth Kit
Getting ready
How to do it...
How it works...
See also
Undeleting files from NTFS with Autopsy
Getting ready
How to do it...
How it works...
See also
Undeleting files from ReFS with ReclaiMe File Recovery
Getting ready
How to do it...
How it works...
See also
File carving with PhotoRec
Getting ready
How to do it...
How it works...
See more
Windows Shadow Copies Analysis
Introduction
Browsing and copying files from VSCs on a live system with ShadowCopyView
Getting ready
How to do it...
How it works...
See also
Mounting VSCs from disk images with VSSADMIN and MKLINK
Getting ready
How to do it...
How it works...
See also
Processing and analyzing VSC data with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Windows Registry Analysis
Introduction
Extracting and viewing Windows Registry files with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Parsing registry files with RegRipper
Getting ready
How to do it...
How it works...
See also
Recovering deleted Registry artifacts with Registry Explorer
Getting ready
How to do it...
How it works...
See also
Registry analysis with FTK Registry Viewer
Getting ready
How to do it...
How it works...
See also
Main Windows Operating System Artifacts
Introduction
Recycle Bin content analysis with EnCase Forensic
Getting ready
How to do it...
How it works...
See also
Recycle bin content analysis with Rifiuti2
Getting ready
How to do it...
How it works...
See also
Recycle bin content analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Event log analysis with FullEventLogView
Getting ready
How to do it...
How it works...
See also
Event log analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Event log recovery with EVTXtract
Getting ready
How to do it...
How it works...
See also
LNK file analysis with EnCase Forensic
Getting ready
How to do it...
How it works...
See also
LNK file analysis with LECmd
Getting ready
How to do it...
How it works...
See also
LNK file analysis with Link Parser
Getting ready
How to do it...
How it works...
See also
Prefetch file analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Prefetch file parsing with PECmd
Getting ready
How to do it...
How it works...
See also
Prefetch file recovery with Windows Prefetch Carver
Getting ready
How to do it...
How it works...
See also
Web Browser Forensics
Introduction
Mozilla Firefox analysis with BlackBag's BlackLight
Getting ready
How to do it...
How it works...
See also
Google Chrome analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Microsoft Internet Explorer and Microsoft Edge analysis with Belkasoft Evidence Center
Getting ready
How to do it...
How it works...
See also
Extracting web browser data from Pagefile.sys
Getting ready
How to do it...
How it works...
See also
Email and Instant Messaging Forensics
Introduction
Outlook mailbox parsing with Intella
Getting ready
How to do it...
How it works...
See also
Thunderbird mailbox parsing with Autopsy
Getting ready
How to do it...
How it works...
See also
Webmail analysis with Magnet AXIOM
Getting ready
How to do it...
How it works...
See also
Skype forensics with Belkasoft Evidence Center
Getting ready
How to do it...
How it works...
See also
Skype forensics with SkypeLogView
Getting ready
How to do it...
How it works...
See also
Windows 10 Forensics
Introduction
Parsing Windows 10 Notifications
Getting ready
How to do it...
How it works...
See also
Cortana forensics
Getting ready
How to do it...
How it works...
See also
OneDrive forensics
Getting ready
How to do it...
How it works...
See also
Dropbox forensics
Getting ready
How to do it...
How it works...
See also
Windows 10 mail app
Getting ready
How to do it...
How it works...
Windows 10 Xbox App
Getting ready
How to do it...
How it works...
Data Visualization
Introduction
Data visualization with FTK
Getting ready
How to do it...
How it works...
Making a timeline in Autopsy
Getting ready
How to do it...
How it works...
See also
Nuix Web Review & Analytics
Getting ready
How to do it...
How it works...
See also
Troubleshooting in Windows Forensic Analysis
Introduction
Troubleshooting in commercial tools
Troubleshooting in free and open source tools
Troubleshooting when processes fail
Soundness of evidence
It wasn't me
It was a virus / I was hacked
Your process is faulty
Legal and jurisdictional challenges
False positives during data processing with digital forensics software
Taking your first steps in digital forensics
Academia
Corporate
Law enforcement
How do I get started?
Advanced further reading
Books
Websites
Twitter Accounts