Mastering Windows Network Forensics and Investigation
About the Book

An authoritative guide to investigating high-technology crimes

Internet crime continues to rise, and with it the need for a comprehensive resource on how to investigate it. This professional-level book, aimed at law enforcement personnel, prosecutors, and corporate investigators, provides the training you need to acquire the skills and software tools to stay one step ahead of computer criminals.

  • Specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network
  • Places a special emphasis on how to thoroughly investigate criminal activity, not just perform the initial response
  • Walks you through ways to present technically complicated material in simple terms that will hold up in court
  • Features content fully updated for Windows Server 2008 R2 and Windows 7
  • Covers the emerging field of Windows Mobile forensics

A classroom support package is also included to support academic adoption. Mastering Windows Network Forensics and Investigation, 2nd Edition offers help for investigating high-technology crimes.



Table of Contents:

Introduction  xvii

Part 1  Understanding and Exploiting Windows Networks  1

Chapter 1  Network Investigation Overview  3
  Performing the Initial Vetting  3
  Meeting with the Victim Organization  5
  Understanding the Victim Network Information  6
  Understanding the Incident  8
  Identifying and Preserving Evidence  9
  Establishing Expectations and Responsibilities  11
  Collecting the Evidence  12
  Analyzing the Evidence  15
  Analyzing the Suspect’s Computers  18
  Recognizing the Investigative Challenges of Microsoft Networks  21
  The Bottom Line  22

Chapter 2  The Microsoft Network Structure  25
  Connecting Computers  25
  Windows Domains  27
  Interconnecting Domains  29
  Organizational Units  34
  Users and Groups  35
  Types of Accounts  36
  Groups  40
  Permissions  44
  File Permissions  45
  Share Permissions  48
  Reconciling Share and File Permissions  50
  Example Hack  52
  The Bottom Line  61

Chapter 3  Beyond the Windows GUI  63
  Understanding Programs, Processes, and Threads  64
  Redirecting Process Flow  67
  DLL Injection  70
  Hooking  74
  Maintaining Order Using Privilege Modes  78
  Using Rootkits  80
  The Bottom Line  83

Chapter 4  Windows Password Issues  85
  Understanding Windows Password Storage  85
  Cracking Windows Passwords Stored on Running Systems  88
  Exploring Windows Authentication Mechanisms  98
  LanMan Authentication  99
  NTLM Authentication  103
  Kerberos Authentication  108
  Sniffing and Cracking Windows Authentication Exchanges  111
  Using ScoopLM and BeatLM to Crack Passwords  114
  Cracking Offline Passwords  121
  Using Cain & Abel to Extract Windows Password Hashes  122
  Accessing Passwords through the Windows Password Verifier  126
  Extracting Password Hashes from RAM  127
  Stealing Credentials from a Running System  128
  The Bottom Line  134

Chapter 5  Windows Ports and Services  137
  Understanding Ports  137
  Using Ports as Evidence  142
  Understanding Windows Services  149
  The Bottom Line  155

Part 2  Analyzing the Computer  157

Chapter 6  Live-Analysis Techniques  159
  Finding Evidence in Memory  159
  Creating a Windows Live-Analysis Toolkit  161
  Using DumpIt to Acquire RAM from a 64-Bit Windows 7 System  164
  Using WinEn to Acquire RAM from a Windows 7 Environment  166
  Using FTK Imager Lite to Acquire RAM from Windows Server 2008  167
  Using Volatility 2.0 to Analyze a Windows 7 32-Bit RAM Image  169
  Monitoring Communication with the Victim Box  173
  Scanning the Victim System  176
  The Bottom Line  178

Chapter 7  Windows Filesystems  179
  Filesystems vs. Operating Systems  179
  Understanding FAT Filesystems  183
  Understanding NTFS Filesystems  198
  Using NTFS Data Structures  198
  Creating, Deleting, and Recovering Data in NTFS  205
  Dealing with Alternate Data Streams  208
  The exFAT Filesystem  212
  The Bottom Line  213

Chapter 8  The Registry Structure  215
  Understanding Registry Concepts  215
  Registry History  217
  Registry Organization and Terminology  217
  Performing Registry Research  228
  Viewing the Registry with Forensic Tools  232
  Using EnCase to View the Registry  234
  Examining Information Manually  234
  Using EnScripts to Extract Information  236
  Using AccessData’s Registry Viewer  246
  Other Tools  251
  The Bottom Line  254

Chapter 9  Registry Evidence  257
  Finding Information in the Software Key  258
  Installed Software  258
  Last Logon  264
  Banners  265
  Exploring Windows Security, Action Center, and Firewall Settings  267
  Analyzing Restore Point Registry Settings  276
  Windows XP Restore Point Content  280
  Analyzing Volume Shadow Copies for Registry Settings  284
  Exploring Security Identifiers  290
  Examining the Recycle Bin  291
  Examining the ProfileList Registry Key  293
  Investigating User Activity  295
  Examining the PSSP and IntelliForms Keys  295
  Examining the MRU Key  296
  Examining the RecentDocs Key  298
  Examining the TypedURLs Key  298
  Examining the UserAssist Key  299
  Extracting LSA Secrets  305
  Using Cain & Abel to Extract LSA Secrets from Your Local Machine  306
  Discovering IP Addresses  307
  Dynamic IP Addresses  307
  Getting More Information from the GUID-Named Interface  309
  Compensating for Time Zone Offsets  312
  Determining the Startup Locations  313
  Exploring the User Profile Areas  316
  Exploring Batch Files  318
  Exploring Scheduled Tasks  318
  Exploring the AppInit_DLL Key  320
  Using EnCase and Registry Viewer  320
  Using Autoruns to Determine Startups  320
  The Bottom Line  322

Chapter 10  Introduction to Malware  325
  Understanding the Purpose of Malware Analysis  325
  Malware Analysis Tools and Techniques  329
  Constructing an Effective Malware Analysis Toolkit  329
  Analyzing Malicious Code  331
  Monitoring Malicious Code  338
  Monitoring Malware Network Traffic  346
  The Bottom Line  348

Part 3  Analyzing the Logs  349

Chapter 11  Text-Based Logs  351
  Parsing IIS Logs  351
  Parsing FTP Logs  362
  Parsing DHCP Server Logs  369
  Parsing Windows Firewall Logs  373
  Using Splunk  376
  The Bottom Line  379

Chapter 12  Windows Event Logs  381
  Understanding the Event Logs  381
  Exploring Auditing Settings  384
  Using Event Viewer  391
  Opening and Saving Event Logs  403
  Viewing Event Log Data  407
  Searching with Event Viewer  411
  The Bottom Line  418

Chapter 13  Logon and Account Logon Events  419
  Begin at the Beginning  419
  Comparing Logon and Account Logon Events  420
  Analyzing Windows 2003/2008 Logon Events  422
  Examining Windows 2003/2008 Account Logon Events  433
  The Bottom Line  462

Chapter 14  Other Audit Events  463
  The Exploitation of a Network  463
  Examining System Log Entries  466
  Examining Application Log Entries  473
  Evaluating Account Management Events  473
  Interpreting File and Other Object Access Events  490
  Examining Audit Policy Change Events  500
  The Bottom Line  503

Chapter 15  Forensic Analysis of Event Logs  505
  Windows Event Log Files Internals  505
  Windows Vista/7/2008 Event Logs  505
  Windows XP/2003 Event Logs  513
  Repairing Windows XP/2003 Corrupted Event Log Databases  524
  Finding and Recovering Event Logs from Free Space  527
  The Bottom Line  536

Part 4  Results, the Cloud, and Virtualization  537

Chapter 16  Presenting the Results  539
  Report Basics  539
  Creating a Narrative Report with Hyperlinks  542
  Creating Hyperlinks  543
  Creating and Linking Bookmarks  546
  The Electronic Report Files  550
  Creating Timelines  552
  CaseMap and TimeMap  552
  Splunk  555
  Testifying about Technical Matters  560
  The Bottom Line  562

Chapter 17  The Challenges of Cloud Computing and Virtualization  565
  What Is Virtualization?  566
  The Hypervisor  569
  Preparing for Incident Response in Virtual Space  571
  Forensic Analysis Techniques  575
  Dead Host-Based Virtual Environment  576
  Live Virtual Environment  584
  Artifacts  586
  Cloud Computing  587
  What Is It?  587
  Services  588
  Forensic Challenges  589
  Forensic Techniques  589
  The Bottom Line  595

Part 5  Appendices  597

Appendix A  The Bottom Line  599
  Chapter 1: Network Investigation Overview  599
  Chapter 2: The Microsoft Network Structure  601
  Chapter 3: Beyond the Windows GUI  602
  Chapter 4: Windows Password Issues  604
  Chapter 5: Windows Ports and Services  606
  Chapter 6: Live-Analysis Techniques  608
  Chapter 7: Windows Filesystems  609
  Chapter 8: The Registry Structure  611
  Chapter 9: Registry Evidence  613
  Chapter 10: Introduction to Malware  618
  Chapter 11: Text-Based Logs  620
  Chapter 12: Windows Event Logs  622
  Chapter 13: Logon and Account Logon Events  623
  Chapter 14: Other Audit Events  624
  Chapter 15: Forensic Analysis of Event Logs  626
  Chapter 16: Presenting the Results  628
  Chapter 17: The Challenges of Cloud Computing and Virtualization  630

Appendix B  Test Environments  633
  Software  633
  Hardware  635
  Setting Up Test Environments in Training Laboratories  636
  Chapter 1: Network Investigation Overview  636
  Chapter 2: The Microsoft Network Structure  636
  Chapter 3: Beyond the Windows GUI  637
  Chapter 4: Windows Password Issues  637
  Chapter 5: Windows Ports and Services  639
  Chapter 6: Live-Analysis Techniques  639
  Chapter 7: Windows Filesystems  640
  Chapter 8: The Registry Structure  640
  Chapter 9: Registry Evidence  642
  Chapter 10: Introduction to Malware  643
  Chapter 11: Text-Based Logs  643
  Chapter 12: Windows Event Logs  644
  Chapter 13: Logon and Account Logon Events  644
  Chapter 14: Other Audit Events  644
  Chapter 15: Forensic Analysis of Event Logs  645
  Chapter 16: Presenting the Results  645
  Chapter 17: The Challenges of Cloud Computing and Virtualization  645

Index  647
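Chapter 11's "Parsing Windows Firewall Logs" works with the firewall's plain-text log (pfirewall.log), a W3C-style file in which lines beginning with # describe the file, the #Fields: line names the columns, and each record is one space-separated line with "-" in any field that does not apply (ports on an ICMP record, TCP flags on a UDP record). The parser below is an added example of that parsing, not code from the book: it reads the column names from the header rather than hard-coding them, refuses records whose column count does not match (a sign of truncation or tampering rather than something to silently realign), and then summarises which outside hosts were blocked from which ports, the first question an investigator asks of this log. The log excerpt is constructed for the example and the addresses and ports in it are placeholders.

```python
"""Parse a Windows Firewall log (pfirewall.log) and summarise dropped inbound
connections per source host.  Added example, not code from the book: the log
excerpt below is constructed and its addresses/ports are placeholders."""
from collections import Counter, defaultdict

# Constructed sample in the Windows 7 / Server 2008 R2 pfirewall.log layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-07-30 09:01:10 DROP TCP 10.0.0.77 10.0.0.5 51020 445 52 S 2831914017 0 8192 - - - RECEIVE
2012-07-30 09:01:11 DROP TCP 10.0.0.77 10.0.0.5 51021 139 52 S 2831914018 0 8192 - - - RECEIVE
2012-07-30 09:01:12 DROP TCP 10.0.0.77 10.0.0.5 51022 3389 52 S 2831914019 0 8192 - - - RECEIVE
2012-07-30 09:01:15 ALLOW TCP 10.0.0.5 10.0.0.1 49160 80 0 - 0 0 0 - - - SEND
2012-07-30 09:02:03 DROP UDP 10.0.0.91 10.0.0.5 137 137 78 - - - - - - - RECEIVE
2012-07-30 09:02:40 DROP ICMP 10.0.0.91 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names on the #Fields: line.

    The field list comes from the header, so a log written with a different
    column set still parses as long as it carries a #Fields: line.  '-' is
    left as-is: it is the log's own marker for 'not applicable'.
    """
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            # Truncated or edited line: refuse it rather than mis-align columns.
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        yield dict(zip(fields, values))


def dropped_inbound_by_source(text):
    """Map src-ip -> destination ports it was blocked from reaching.

    Only inbound (path == RECEIVE) DROP records count; that is the view you
    want when looking for a host probing the victim.  Ports sort numerically,
    with '-' (ICMP, no port) last.
    """
    probes = defaultdict(set)
    for rec in parse_firewall_log(text):
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            probes[rec["src-ip"]].add(rec["dst-port"])
    return {ip: sorted(ports, key=lambda p: (p == "-", int(p) if p != "-" else 0))
            for ip, ports in probes.items()}


def action_counts(text):
    """Count records per action (ALLOW/DROP), a quick sanity check on volume."""
    return Counter(rec["action"] for rec in parse_firewall_log(text))


if __name__ == "__main__":
    for ip, ports in dropped_inbound_by_source(SAMPLE_LOG).items():
        print(f"{ip} blocked on ports {', '.join(ports)}")
    print(dict(action_counts(SAMPLE_LOG)))
```

Run against a real pfirewall.log, the same two functions give you the probing hosts and the ALLOW/DROP volume in one pass; the "Time Format: Local" header line is the reminder that these timestamps need the time-zone correction the book discusses under registry evidence before they are lined up against other sources.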


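Chapters 12 and 13 turn on the Security log's logon events. In a 4624 (successful logon) or 4625 (failed logon) record the numeric LogonType says how the account reached the machine (2 console, 3 network, 10 RDP, and so on) and, for a 4625, the SubStatus NTSTATUS value says why it failed; Logon events are written on the machine that was accessed, while the Account Logon events the book contrasts them with (Kerberos 4768/4769, NTLM 4776) are written on the domain controller that validated the credential, so a network logon seen here must be paired with the DC's log to be complete. The script below is an added example, not the book's code: it reads records in the Windows Event XML schema (what Event Viewer shows in its XML view and what `wevtutil qe Security /f:xml` writes), decodes those two fields, and groups network and RDP logons by source address. The three records are constructed, the host names, accounts and IP addresses are placeholders, and the <Events> wrapper element is added only so that they form one XML document.

```python
"""Triage Security-log logon events (4624 success, 4625 failure) exported in
the Windows Event XML schema.  Added example, not code from the book: the
records are constructed and the hosts, accounts and addresses are placeholders."""
import xml.etree.ElementTree as ET
from collections import defaultdict

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# LogonType values as defined for 4624/4625 in the Vista/7/2008 Security log.
LOGON_TYPES = {
    "2": "Interactive (console)",
    "3": "Network (file share, WMI, etc.)",
    "4": "Batch (scheduled task)",
    "5": "Service",
    "7": "Unlock",
    "10": "RemoteInteractive (RDP)",
    "11": "CachedInteractive (cached domain credentials)",
}

# NTSTATUS codes seen in the SubStatus field of a 4625.
FAILURE_REASONS = {
    "0xc000006a": "bad password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc0000071": "password expired",
}

# Constructed sample; the <Events> wrapper is added here to hold the records.
SAMPLE_EVENTS = f"""\
<Events>
<Event xmlns="{EVENT_NS}">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2012-07-30T09:01:20.000000000Z"/>
    <Computer>FILESRV01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WS-77</Data><Data Name="IpAddress">10.0.0.77</Data></EventData>
</Event>
<Event xmlns="{EVENT_NS}">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2012-07-30T09:03:05.000000000Z"/>
    <Computer>FILESRV01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">administrator</Data><Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.77</Data></EventData>
</Event>
<Event xmlns="{EVENT_NS}">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2012-07-30T09:10:44.000000000Z"/>
    <Computer>WS-77.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">2</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">WS-77</Data><Data Name="IpAddress">-</Data></EventData>
</Event>
</Events>
"""


def parse_events(xml_text):
    """Yield {event_id, time, computer, data} per <Event>; 'data' maps each
    EventData/Data element's Name attribute to its text."""
    for ev in ET.fromstring(xml_text).iter(f"{{{EVENT_NS}}}Event"):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.find("e:EventData", NS).findall("e:Data", NS)}
        yield {
            "event_id": system.findtext("e:EventID", namespaces=NS),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "data": data,
        }


def describe_logons(xml_text):
    """One readable line per 4624/4625 with LogonType and SubStatus decoded."""
    lines = []
    for ev in parse_events(xml_text):
        d = ev["data"]
        user = f'{d.get("TargetDomainName", "")}\\{d.get("TargetUserName", "")}'
        ltype = LOGON_TYPES.get(d.get("LogonType"), f'type {d.get("LogonType")}')
        src = d.get("IpAddress", "-")
        if ev["event_id"] == "4624":
            lines.append(f'{ev["time"]} {ev["computer"]}: SUCCESS {user} {ltype} from {src}')
        elif ev["event_id"] == "4625":
            sub = d.get("SubStatus", "").lower()
            why = FAILURE_REASONS.get(sub, sub or "unknown")
            lines.append(f'{ev["time"]} {ev["computer"]}: FAILURE {user} {ltype} from {src} ({why})')
    return lines


def remote_sources(xml_text):
    """Source IP -> accounts it used (or tried) over the network (3) or RDP (10).
    Console logons (type 2) carry no source address and are left out."""
    by_src = defaultdict(set)
    for ev in parse_events(xml_text):
        d = ev["data"]
        if ev["event_id"] in ("4624", "4625") and d.get("LogonType") in ("3", "10"):
            by_src[d.get("IpAddress", "-")].add(d.get("TargetUserName", ""))
    return {ip: sorted(users) for ip, users in by_src.items()}


if __name__ == "__main__":
    for line in describe_logons(SAMPLE_EVENTS):
        print(line)
    print(remote_sources(SAMPLE_EVENTS))
```

The third record is the one the Logon/Account Logon distinction is about: jdoe's console logon on WS-77 shows up in WS-77's own Security log with no source address, while the network and RDP attempts against FILESRV01 are tied to 10.0.0.77 only because that server recorded them; whether the credential was actually valid for the domain is answered by the DC's 4768/4776 events, not by either workstation.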

About the Authors

Steve Anson, CISSP, EnCE, is the cofounder of Forward Discovery. He has previously served as a police officer, FBI High Tech Crimes Task Force agent, Special Agent with the U.S. DoD, and an instructor with the U.S. State Department Antiterrorism Assistance Program (ATA). He has trained hundreds of law enforcement officers around the world in techniques of digital forensics and investigation.

Steve Bunting, EnCE, CCFT, has over 35 years of experience in law enforcement, and his background in computer forensics is extensive. He has conducted computer forensic examinations for numerous local, state, and federal agencies on a variety of cases, as well as testified in court as a computer forensics expert. He has taught computer forensics courses for Guidance Software and is currently a Senior Forensic Consultant with Forward Discovery.

Ryan Johnson, DFCP, CFCE, EnCE, SCERS, is a Senior Forensic Consultant with Forward Discovery. He was a digital forensics examiner for the Durham, NC, police and a Media Exploitation Analyst with the U.S. Army. He is an instructor and developer with the ATA.

Scott Pearson has trained law enforcement entities, military personnel, and network/system administrators in more than 20 countries for the ATA. He is also a certifying instructor on the Cellebrite UFED Logical and Physical Analyzer mobile device forensics tool and has served as an instructor for the DoD Computer Investigations Training Academy.


Product Details
  • ISBN-13: 9781118236086
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: Sybex Inc., U.S.
  • Edition: Revised edition
  • No of Pages: 704
  • ISBN-10: 1118236084
  • Publisher Date: 30 Jul 2012
  • Binding: Digital (delivered electronically)
  • Language: English

