Mastering Windows Network Forensics and Investigation (2nd Ed.)

Authors: Steve Anson, Steve Bunting, Ryan Johnson, Scott Pearson

Language: English
Publication date:
704 p. · 18.8x23.6 cm · Paperback
An authoritative guide to investigating high-technology crimes

Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more dire. This professional-level book--aimed at law enforcement personnel, prosecutors, and corporate investigators--provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals.

  • Specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network
  • Places a special emphasis on how to thoroughly investigate criminal activity and not just perform the initial response
  • Walks you through ways to present technically complicated material in simple terms that will hold up in court
  • Features content fully updated for Windows Server 2008 R2 and Windows 7
  • Covers the emerging field of Windows Mobile forensics

Also included is a classroom support package to support academic adoption. Mastering Windows Network Forensics and Investigation, 2nd Edition offers help for investigating high-technology crimes.

Introduction xvii

Part 1 Understanding and Exploiting Windows Networks 1

Chapter 1 Network Investigation Overview 3

Performing the Initial Vetting 3

Meeting with the Victim Organization 5

Understanding the Victim Network Information 6

Understanding the Incident 8

Identifying and Preserving Evidence 9

Establishing Expectations and Responsibilities 11

Collecting the Evidence 12

Analyzing the Evidence 15

Analyzing the Suspect’s Computers 18

Recognizing the Investigative Challenges of Microsoft Networks 21

The Bottom Line 22

Chapter 2 The Microsoft Network Structure 25

Connecting Computers 25

Windows Domains 27

Interconnecting Domains 29

Organizational Units 34

Users and Groups 35

Types of Accounts 36

Groups 40

Permissions 44

File Permissions 45

Share Permissions 48

Reconciling Share and File Permissions 50

Example Hack 52

The Bottom Line 61

Chapter 3 Beyond the Windows GUI 63

Understanding Programs, Processes, and Threads 64

Redirecting Process Flow 67

DLL Injection 70

Hooking 74

Maintaining Order Using Privilege Modes 78

Using Rootkits 80

The Bottom Line 83

Chapter 4 Windows Password Issues 85

Understanding Windows Password Storage 85

Cracking Windows Passwords Stored on Running Systems 88

Exploring Windows Authentication Mechanisms 98

LanMan Authentication 99

NTLM Authentication 103

Kerberos Authentication 108

Sniffing and Cracking Windows Authentication Exchanges 111

Using ScoopLM and BeatLM to Crack Passwords 114

Cracking Offline Passwords 121

Using Cain & Abel to Extract Windows Password Hashes 122

Accessing Passwords through the Windows Password Verifier 126

Extracting Password Hashes from RAM 127

Stealing Credentials from a Running System 128

The Bottom Line 134

Chapter 5 Windows Ports and Services 137

Understanding Ports 137

Using Ports as Evidence 142

Understanding Windows Services 149

The Bottom Line 155

Part 2 Analyzing the Computer 157

Chapter 6 Live-Analysis Techniques 159

Finding Evidence in Memory 159

Creating a Windows Live-Analysis Toolkit 161

Using DumpIt to Acquire RAM from a 64-Bit Windows 7 System 164

Using WinEn to Acquire RAM from a Windows 7 Environment 166

Using FTK Imager Lite to Acquire RAM from Windows Server 2008 167

Using Volatility 2.0 to Analyze a Windows 7 32-Bit RAM Image 169

Monitoring Communication with the Victim Box 173

Scanning the Victim System 176

The Bottom Line 178

Chapter 7 Windows Filesystems 179

Filesystems vs. Operating Systems 179

Understanding FAT Filesystems 183

Understanding NTFS Filesystems 198

Using NTFS Data Structures 198

Creating, Deleting, and Recovering Data in NTFS 205

Dealing with Alternate Data Streams 208

The exFAT Filesystem 212

The Bottom Line 213

Chapter 8 The Registry Structure 215

Understanding Registry Concepts 215

Registry History 217

Registry Organization and Terminology 217

Performing Registry Research 228

Viewing the Registry with Forensic Tools 232

Using EnCase to View the Registry 234

Examining Information Manually 234

Using EnScripts to Extract Information 236

Using AccessData’s Registry Viewer 246

Other Tools 251

The Bottom Line 254

Chapter 9 Registry Evidence 257

Finding Information in the Software Key 258

Installed Software 258

Last Logon 264

Banners 265

Exploring Windows Security, Action Center, and Firewall Settings 267

Analyzing Restore Point Registry Settings 276

Windows XP Restore Point Content 280

Analyzing Volume Shadow Copies for Registry Settings 284

Exploring Security Identifiers 290

Examining the Recycle Bin 291

Examining the ProfileList Registry Key 293

Investigating User Activity 295

Examining the PSSP and IntelliForms Keys 295

Examining the MRU Key 296

Examining the RecentDocs Key 298

Examining the TypedURLs Key 298

Examining the UserAssist Key 299

Extracting LSA Secrets 305

Using Cain & Abel to Extract LSA Secrets from Your Local Machine 306

Discovering IP Addresses 307

Dynamic IP Addresses 307

Getting More Information from the GUID-Named Interface 309

Compensating for Time Zone Offsets 312

Determining the Startup Locations 313

Exploring the User Profile Areas 316

Exploring Batch Files 318

Exploring Scheduled Tasks 318

Exploring the AppInit_DLL Key 320

Using EnCase and Registry Viewer 320

Using Autoruns to Determine Startups 320

The Bottom Line 322

Chapter 10 Introduction to Malware 325

Understanding the Purpose of Malware Analysis 325

Malware Analysis Tools and Techniques 329

Constructing an Effective Malware Analysis Toolkit 329

Analyzing Malicious Code 331

Monitoring Malicious Code 338

Monitoring Malware Network Traffic 346

The Bottom Line 348

Part 3 Analyzing the Logs 349

Chapter 11 Text-Based Logs 351

Parsing IIS Logs 351

Parsing FTP Logs 362

Parsing DHCP Server Logs 369

Parsing Windows Firewall Logs 373

Using Splunk 376

The Bottom Line 379

Chapter 12 Windows Event Logs 381

Understanding the Event Logs 381

Exploring Auditing Settings 384

Using Event Viewer 391

Opening and Saving Event Logs 403

Viewing Event Log Data 407

Searching with Event Viewer 411

The Bottom Line 418

Chapter 13 Logon and Account Logon Events 419

Begin at the Beginning 419

Comparing Logon and Account Logon Events 420

Analyzing Windows 2003/2008 Logon Events 422

Examining Windows 2003/2008 Account Logon Events 433

The Bottom Line 462

Chapter 14 Other Audit Events 463

The Exploitation of a Network 463

Examining System Log Entries 466

Examining Application Log Entries 473

Evaluating Account Management Events 473

Interpreting File and Other Object Access Events 490

Examining Audit Policy Change Events 500

The Bottom Line 503

Chapter 15 Forensic Analysis of Event Logs 505

Windows Event Log Files Internals 505

Windows Vista/7/2008 Event Logs 505

Windows XP/2003 Event Logs 513

Repairing Windows XP/2003 Corrupted Event Log Databases 524

Finding and Recovering Event Logs from Free Space 527

The Bottom Line 536

Part 4 Results, the Cloud, and Virtualization 537

Chapter 16 Presenting the Results 539

Report Basics 539

Creating a Narrative Report with Hyperlinks 542

Creating Hyperlinks 543

Creating and Linking Bookmarks 546

The Electronic Report Files 550

Creating Timelines 552

CaseMap and TimeMap 552

Splunk 555

Testifying about Technical Matters 560

The Bottom Line 562

Chapter 17 The Challenges of Cloud Computing and Virtualization 565

What Is Virtualization? 566

The Hypervisor 569

Preparing for Incident Response in Virtual Space 571

Forensic Analysis Techniques 575

Dead Host-Based Virtual Environment 576

Live Virtual Environment 584

Artifacts 586

Cloud Computing 587

What Is It? 587

Services 588

Forensic Challenges 589

Forensic Techniques 589

The Bottom Line 595

Part 5 Appendices 597

Appendix A The Bottom Line 599

Chapter 1: Network Investigation Overview 599

Chapter 2: The Microsoft Network Structure 601

Chapter 3: Beyond the Windows GUI 602

Chapter 4: Windows Password Issues 604

Chapter 5: Windows Ports and Services 606

Chapter 6: Live-Analysis Techniques 608

Chapter 7: Windows Filesystems 609

Chapter 8: The Registry Structure 611

Chapter 9: Registry Evidence 613

Chapter 10: Introduction to Malware 618

Chapter 11: Text-Based Logs 620

Chapter 12: Windows Event Logs 622

Chapter 13: Logon and Account Logon Events 623

Chapter 14: Other Audit Events 624

Chapter 15: Forensic Analysis of Event Logs 626

Chapter 16: Presenting the Results 628

Chapter 17: The Challenges of Cloud Computing and Virtualization 630

Appendix B Test Environments 633

Software 633

Hardware 635

Setting Up Test Environments in Training Laboratories 636

Chapter 1: Network Investigation Overview 636

Chapter 2: The Microsoft Network Structure 636

Chapter 3: Beyond the Windows GUI 637

Chapter 4: Windows Password Issues 637

Chapter 5: Windows Ports and Services 639

Chapter 6: Live-Analysis Techniques 639

Chapter 7: Windows Filesystems 640

Chapter 8: The Registry Structure 640

Chapter 9: Registry Evidence 642

Chapter 10: Introduction to Malware 643

Chapter 11: Text-Based Logs 643

Chapter 12: Windows Event Logs 644

Chapter 13: Logon and Account Logon Events 644

Chapter 14: Other Audit Events 644

Chapter 15: Forensic Analysis of Event Logs 645

Chapter 16: Presenting the Results 645

Chapter 17: The Challenges of Cloud Computing and Virtualization 645

Index 647

Steve Anson, CISSP, EnCE, is the cofounder of Forward Discovery. He has previously served as a police officer, FBI High Tech Crimes Task Force agent, Special Agent with the U.S. DoD, and an instructor with the U.S. State Department Antiterrorism Assistance Program (ATA). He has trained hundreds of law enforcement officers around the world in techniques of digital forensics and investigation.

Steve Bunting, EnCE, CCFT, has over 35 years of experience in law enforcement, and his background in computer forensics is extensive. He has conducted computer forensic examinations for numerous local, state, and federal agencies on a variety of cases, as well as testified in court as a computer forensics expert. He has taught computer forensics courses for Guidance Software and is currently a Senior Forensic Consultant with Forward Discovery.

Ryan Johnson, DFCP, CFCE, EnCE, SCERS, is a Senior Forensic Consultant with Forward Discovery. He was a digital forensics examiner for the Durham, NC, police and a Media Exploitation Analyst with the U.S. Army. He is an instructor and developer with the ATA.

Scott Pearson has trained law enforcement entities, military personnel, and network/system administrators in more than 20 countries for the ATA. He is also a certifying instructor on the Cellebrite UFED Logical and Physical Analyzer mobile device forensics tool and has served as an instructor for the DoD Computer Investigations Training Academy.