Practical Windows forensics : leverage the power of digital forensics for Windows systems /

About This Book: Build your own lab environment to analyze forensic data and practice techniques. This book offers meticulous coverage with an example-driven approach and helps you build the key skills of performing forensics on Windows-based systems using digital artifacts. It uses specific open source...

Bibliographic Details
Classification: Electronic book
Main authors: Shaaban, Ayman (Author), Sapronov, Konstantin (Author)
Format: Electronic eBook
Language: English
Published: Birmingham, UK : Packt Publishing, 2016.
Series: Community experience distilled.
Subjects:
Online access: Full text
Table of Contents:
  • Cover
  • Copyright
  • Credits
  • About the Authors
  • About the Reviewers
  • www.PacktPub.com
  • Table of Contents
  • Preface
  • Chapter 1: The Foundations and Principles of Digital Forensics
  • What is digital crime?
  • Digital forensics
  • Digital evidence
  • Digital forensic goals
  • Analysis approaches
  • Summary
  • Chapter 2: Incident Response and Live Analysis
  • Personal skills
  • Written communication
  • Oral communication
  • Presentation skills
  • Diplomacy
  • The ability to follow policies and procedures
  • Team skills
  • Integrity
  • Knowing one's limits
  • Coping with stress
  • Problem solving
  • Time management
  • Technical skills
  • Security fundamentals
  • Security principles
  • Security vulnerabilities and weaknesses
  • The Internet
  • Risks
  • Network protocols
  • Network applications and services
  • Network security issues
  • Host or system security issues
  • Malicious code
  • Programming skills
  • Incident handling skills
  • The hardware for IR and Jump Bag
  • Software
  • Live versus mortem
  • Volatile data
  • Nonvolatile data
  • Registry data
  • Remote live response
  • Summary
  • Chapter 3: Volatile Data Collection
  • Memory acquisition
  • Issues related to memory access
  • Choosing a tool
  • DumpIt
  • FTK Imager
  • Acquiring memory from a remote computer using iSCSI
  • Using the Sleuth Kit
  • Network-based data collection
  • Hubs
  • Switches
  • Tcpdump
  • Wireshark
  • Tshark
  • Dumpcap
  • Summary
  • Chapter 4: Nonvolatile Data Acquisition
  • Forensic image
  • Incident Response CDs
  • DEFT
  • Helix
  • Live imaging of a hard drive
  • FTK imager in live hard drive acquisition
  • Imaging over the network with FTK imager
  • Incident response CDs in live acquisition
  • Linux for the imaging of a hard drive
  • The dd tool
  • dd over the network
  • Virtualization in data acquisition
  • Evidence integrity (the hash function)
  • Disk wiping in Linux
  • Summary
  • Chapter 5: Timeline
  • Timeline introduction
  • The Sleuth Kit
  • Super timeline
  • Plaso
  • Plaso architecture
  • Preprocessing
  • Collection
  • Worker
  • Storage
  • Plaso in practice
  • Analyzing the results
  • Summary
  • Chapter 6: Filesystem Analysis and Data Recovery
  • Hard drive structure
  • Master boot record
  • Partition boot sector
  • The filesystem area in partition
  • Data area
  • The FAT filesystem
  • FAT components
  • FAT limitations
  • The NTFS filesystem
  • NTFS components
  • Master File Table (MFT)
  • The Sleuth Kit (TSK)
  • Volume layer (media management)
  • Filesystem layer
  • The metadata layer
  • istat
  • icat
  • ifind
  • The filename layer
  • Data unit layer (Block)
  • blkcat
  • blkls
  • Blkcalc
  • Autopsy
  • Foremost
  • Summary
  • Chapter 7: Registry Analysis
  • The registry structure
  • Root keys
  • HKEY_CLASSES_ROOT or HKCR
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS or HKU
  • HKEY_CURRENT_USER or HKCU
  • Mapping a hive to the filesystem
  • Backing up the registry files
  • Extracting registry hives
  • Extracting registry files from a live system
  • Extracting registry files from a forensic image
  • Parsing registry files
  • The base block
  • Hbin and CELL
  • Auto-run keys
  • Registry analysis
  • RegistryRipper
  • Sysinternals
  • MiTeC Windows registry recovery
  • Summary
  • Chapter 8: Event Log Analysis
  • Event Logs: an introduction
  • Event Logs system
  • Security Event Logs
  • Extracting Event Logs
  • Live systems
  • Offline system
  • Event Viewer
  • Event Log Explorer
  • Useful resources
  • Analyzing the event log: an example
  • Summary
  • Chapter 9: Windows Files
  • Windows prefetch files
  • Prefetch file analysis
  • Windows tasks
  • Windows Thumbs DB
  • Thumbcache analysis
  • Corrupted Windows.edb files
  • Windows RecycleBin
  • RECYCLER
  • Recycle.bin
  • Windows shortcut files
  • Shortcut analysis
  • Summary
  • Chapter 10: Browser and E-mail Investigation
  • Browser investigation
  • Microsoft Internet Explorer
  • History files
  • History.IE5
  • IEHistoryView
  • BrowsingHistoryView
  • MiTeC Internet History browser
  • Cache
  • Content.IE5
  • IECacheView
  • Msiecf parser (Plaso framework)
  • Cookies
  • IECookiesView
  • Favorites
  • FavoritesView
  • Session restore
  • MiTeC SSV
  • Inprivate mode
  • WebCacheV#.dat
  • ESEDatabaseView
  • Firefox
  • Places.sqlite
  • MozillaHistoryView
  • Cookies.sqlite
  • MozillaCookiesView
  • Cache
  • MozillaCacheView
  • Other browsers
  • E-mail investigation
  • Outlook PST file
  • Outlook OST files
  • EML and MSG files
  • DBX (Outlook Express)
  • PFF Analysis (libpff)
  • Other tools
  • Summary
  • Chapter 11: Memory Forensics
  • Memory structure
  • Memory acquisition
  • The sources of memory dump
  • Hibernation file
  • Crash dump
  • Page files
  • Processes in memory
  • Network connections in memory
  • The DLL injection
  • Remote DLL injection
  • Remote code injection
  • Reflective DLL injection
  • API hooking
  • Memory analysis
  • The volatility framework
  • Volatility plugins
  • imagecopy
  • raw2dmp
  • imageprofile
  • pslist
  • psscan
  • pstree
  • psxview
  • getsids
  • dlllist
  • handles
  • filescan
  • procexedump
  • memdump
  • svcscan
  • connections
  • connscan
  • sockets
  • sockscan
  • Netscan
  • hivelist and printkey
  • malfind
  • vaddump
  • apihooks
  • mftparser
  • Summary
  • Chapter 12: Network Forensics
  • Network data collection
  • Exploring logs
  • Using tcpdump
  • Using tshark
  • Using WireShark
  • Fields with more information
  • Knowing Bro
  • Summary
  • Appendix A: Building a Forensic Analysis Environment
  • Factors that need to be considered
  • Size
  • Environment control
  • Security
  • Software
  • Hardware
  • Virtualization
  • Virtualization benefits for forensics
  • The distributed forensic system
  • GRR
  • Server installation
  • Client installation
  • Browsing with the newly-connected client
  • Start a new flow
  • Appendix B: Case Study
  • Introduction
  • Scenario
  • Acquisition
  • Live analysis
  • The running processes
  • Network activities
  • Autorun keys
  • Prefetch files
  • Browser analysis
  • Postmortem analysis
  • Memory analysis
  • Network analysis
  • Timeline analysis
  • Summary
  • Index