Details

Mastering Windows Network Forensics and Investigation
2nd edition

by: Steve Anson, Steve Bunting, Ryan Johnson, Scott Pearson

38,99 €

Publisher: Wiley
Format: PDF
Published: 30.05.2012
ISBN/EAN: 9781118226148
Language: English
Number of pages: 704

DRM-protected eBook; to read it you need e.g. Adobe Digital Editions and an Adobe ID.

Descriptions

An authoritative guide to investigating high-technology crimes

Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more pressing. This professional-level book, aimed at law enforcement personnel, prosecutors, and corporate investigators, provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals.

- Specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network
- Places a special emphasis on how to thoroughly investigate criminal activity and not just perform the initial response
- Walks you through ways to present technically complicated material in simple terms that will hold up in court
- Features content fully updated for Windows Server 2008 R2 and Windows 7
- Covers the emerging field of Windows Mobile forensics

Also included is a classroom support package to ensure academic adoption. Mastering Windows Network Forensics and Investigation, 2nd Edition offers help for investigating high-technology crimes.
Table of Contents

Introduction xvii

Part 1 Understanding and Exploiting Windows Networks 1

Chapter 1 Network Investigation Overview 3
  Performing the Initial Vetting 3
  Meeting with the Victim Organization 5
  Understanding the Victim Network Information 6
  Understanding the Incident 8
  Identifying and Preserving Evidence 9
  Establishing Expectations and Responsibilities 11
  Collecting the Evidence 12
  Analyzing the Evidence 15
  Analyzing the Suspect's Computers 18
  Recognizing the Investigative Challenges of Microsoft Networks 21
  The Bottom Line 22

Chapter 2 The Microsoft Network Structure 25
  Connecting Computers 25
  Windows Domains 27
  Interconnecting Domains 29
  Organizational Units 34
  Users and Groups 35
  Types of Accounts 36
  Groups 40
  Permissions 44
  File Permissions 45
  Share Permissions 48
  Reconciling Share and File Permissions 50
  Example Hack 52
  The Bottom Line 61

Chapter 3 Beyond the Windows GUI 63
  Understanding Programs, Processes, and Threads 64
  Redirecting Process Flow 67
  DLL Injection 70
  Hooking 74
  Maintaining Order Using Privilege Modes 78
  Using Rootkits 80
  The Bottom Line 83

Chapter 4 Windows Password Issues 85
  Understanding Windows Password Storage 85
  Cracking Windows Passwords Stored on Running Systems 88
  Exploring Windows Authentication Mechanisms 98
  LanMan Authentication 99
  NTLM Authentication 103
  Kerberos Authentication 108
  Sniffing and Cracking Windows Authentication Exchanges 111
  Using ScoopLM and BeatLM to Crack Passwords 114
  Cracking Offline Passwords 121
  Using Cain & Abel to Extract Windows Password Hashes 122
  Accessing Passwords through the Windows Password Verifier 126
  Extracting Password Hashes from RAM 127
  Stealing Credentials from a Running System 128
  The Bottom Line 134

Chapter 5 Windows Ports and Services 137
  Understanding Ports 137
  Using Ports as Evidence 142
  Understanding Windows Services 149
  The Bottom Line 155

Part 2 Analyzing the Computer 157

Chapter 6 Live-Analysis Techniques 159
  Finding Evidence in Memory 159
  Creating a Windows Live-Analysis Toolkit 161
  Using DumpIt to Acquire RAM from a 64-Bit Windows 7 System 164
  Using WinEn to Acquire RAM from a Windows 7 Environment 166
  Using FTK Imager Lite to Acquire RAM from Windows Server 2008 167
  Using Volatility 2.0 to Analyze a Windows 7 32-Bit RAM Image 169
  Monitoring Communication with the Victim Box 173
  Scanning the Victim System 176
  The Bottom Line 178

Chapter 7 Windows Filesystems 179
  Filesystems vs. Operating Systems 179
  Understanding FAT Filesystems 183
  Understanding NTFS Filesystems 198
  Using NTFS Data Structures 198
  Creating, Deleting, and Recovering Data in NTFS 205
  Dealing with Alternate Data Streams 208
  The exFAT Filesystem 212
  The Bottom Line 213

Chapter 8 The Registry Structure 215
  Understanding Registry Concepts 215
  Registry History 217
  Registry Organization and Terminology 217
  Performing Registry Research 228
  Viewing the Registry with Forensic Tools 232
  Using EnCase to View the Registry 234
  Examining Information Manually 234
  Using EnScripts to Extract Information 236
  Using AccessData's Registry Viewer 246
  Other Tools 251
  The Bottom Line 254

Chapter 9 Registry Evidence 257
  Finding Information in the Software Key 258
  Installed Software 258
  Last Logon 264
  Banners 265
  Exploring Windows Security, Action Center, and Firewall Settings 267
  Analyzing Restore Point Registry Settings 276
  Windows XP Restore Point Content 280
  Analyzing Volume Shadow Copies for Registry Settings 284
  Exploring Security Identifiers 290
  Examining the Recycle Bin 291
  Examining the ProfileList Registry Key 293
  Investigating User Activity 295
  Examining the PSSP and IntelliForms Keys 295
  Examining the MRU Key 296
  Examining the RecentDocs Key 298
  Examining the TypedURLs Key 298
  Examining the UserAssist Key 299
  Extracting LSA Secrets 305
  Using Cain & Abel to Extract LSA Secrets from Your Local Machine 306
  Discovering IP Addresses 307
  Dynamic IP Addresses 307
  Getting More Information from the GUID-Named Interface 309
  Compensating for Time Zone Offsets 312
  Determining the Startup Locations 313
  Exploring the User Profile Areas 316
  Exploring Batch Files 318
  Exploring Scheduled Tasks 318
  Exploring the AppInit_DLL Key 320
  Using EnCase and Registry Viewer 320
  Using Autoruns to Determine Startups 320
  The Bottom Line 322

Chapter 10 Introduction to Malware 325
  Understanding the Purpose of Malware Analysis 325
  Malware Analysis Tools and Techniques 329
  Constructing an Effective Malware Analysis Toolkit 329
  Analyzing Malicious Code 331
  Monitoring Malicious Code 338
  Monitoring Malware Network Traffic 346
  The Bottom Line 348

Part 3 Analyzing the Logs 349

Chapter 11 Text-Based Logs 351
  Parsing IIS Logs 351
  Parsing FTP Logs 362
  Parsing DHCP Server Logs 369
  Parsing Windows Firewall Logs 373
  Using Splunk 376
  The Bottom Line 379

Chapter 12 Windows Event Logs 381
  Understanding the Event Logs 381
  Exploring Auditing Settings 384
  Using Event Viewer 391
  Opening and Saving Event Logs 403
  Viewing Event Log Data 407
  Searching with Event Viewer 411
  The Bottom Line 418

Chapter 13 Logon and Account Logon Events 419
  Begin at the Beginning 419
  Comparing Logon and Account Logon Events 420
  Analyzing Windows 2003/2008 Logon Events 422
  Examining Windows 2003/2008 Account Logon Events 433
  The Bottom Line 462

Chapter 14 Other Audit Events 463
  The Exploitation of a Network 463
  Examining System Log Entries 466
  Examining Application Log Entries 473
  Evaluating Account Management Events 473
  Interpreting File and Other Object Access Events 490
  Examining Audit Policy Change Events 500
  The Bottom Line 503

Chapter 15 Forensic Analysis of Event Logs 505
  Windows Event Log Files Internals 505
  Windows Vista/7/2008 Event Logs 505
  Windows XP/2003 Event Logs 513
  Repairing Windows XP/2003 Corrupted Event Log Databases 524
  Finding and Recovering Event Logs from Free Space 527
  The Bottom Line 536

Part 4 Results, the Cloud, and Virtualization 537

Chapter 16 Presenting the Results 539
  Report Basics 539
  Creating a Narrative Report with Hyperlinks 542
  Creating Hyperlinks 543
  Creating and Linking Bookmarks 546
  The Electronic Report Files 550
  Creating Timelines 552
  CaseMap and TimeMap 552
  Splunk 555
  Testifying about Technical Matters 560
  The Bottom Line 562

Chapter 17 The Challenges of Cloud Computing and Virtualization 565
  What Is Virtualization? 566
  The Hypervisor 569
  Preparing for Incident Response in Virtual Space 571
  Forensic Analysis Techniques 575
  Dead Host-Based Virtual Environment 576
  Live Virtual Environment 584
  Artifacts 586
  Cloud Computing 587
  What Is It? 587
  Services 588
  Forensic Challenges 589
  Forensic Techniques 589
  The Bottom Line 595

Part 5 Appendices 597

Appendix A The Bottom Line 599
  Chapter 1: Network Investigation Overview 599
  Chapter 2: The Microsoft Network Structure 601
  Chapter 3: Beyond the Windows GUI 602
  Chapter 4: Windows Password Issues 604
  Chapter 5: Windows Ports and Services 606
  Chapter 6: Live-Analysis Techniques 608
  Chapter 7: Windows Filesystems 609
  Chapter 8: The Registry Structure 611
  Chapter 9: Registry Evidence 613
  Chapter 10: Introduction to Malware 618
  Chapter 11: Text-Based Logs 620
  Chapter 12: Windows Event Logs 622
  Chapter 13: Logon and Account Logon Events 623
  Chapter 14: Other Audit Events 624
  Chapter 15: Forensic Analysis of Event Logs 626
  Chapter 16: Presenting the Results 628
  Chapter 17: The Challenges of Cloud Computing and Virtualization 630

Appendix B Test Environments 633
  Software 633
  Hardware 635
  Setting Up Test Environments in Training Laboratories 636
  Chapter 1: Network Investigation Overview 636
  Chapter 2: The Microsoft Network Structure 636
  Chapter 3: Beyond the Windows GUI 637
  Chapter 4: Windows Password Issues 637
  Chapter 5: Windows Ports and Services 639
  Chapter 6: Live-Analysis Techniques 639
  Chapter 7: Windows Filesystems 640
  Chapter 8: The Registry Structure 640
  Chapter 9: Registry Evidence 642
  Chapter 10: Introduction to Malware 643
  Chapter 11: Text-Based Logs 643
  Chapter 12: Windows Event Logs 644
  Chapter 13: Logon and Account Logon Events 644
  Chapter 14: Other Audit Events 644
  Chapter 15: Forensic Analysis of Event Logs 645
  Chapter 16: Presenting the Results 645
  Chapter 17: The Challenges of Cloud Computing and Virtualization 645

Index 647
About the Authors

Steve Anson, CISSP, EnCE, is the cofounder of Forward Discovery. He has previously served as a police officer, FBI High Tech Crimes Task Force agent, Special Agent with the U.S. DoD, and an instructor with the U.S. State Department Antiterrorism Assistance Program (ATA). He has trained hundreds of law enforcement officers around the world in techniques of digital forensics and investigation.

Steve Bunting, EnCE, CCFT, has over 35 years of experience in law enforcement, and his background in computer forensics is extensive. He has conducted computer forensic examinations for numerous local, state, and federal agencies on a variety of cases, as well as testified in court as a computer forensics expert. He has taught computer forensics courses for Guidance Software and is currently a Senior Forensic Consultant with Forward Discovery.

Ryan Johnson, DFCP, CFCE, EnCE, SCERS, is a Senior Forensic Consultant with Forward Discovery. He was a digital forensics examiner for the Durham, NC, police and a Media Exploitation Analyst with the U.S. Army. He is an instructor and developer with the ATA.

Scott Pearson has trained law enforcement entities, military personnel, and network/system administrators in more than 20 countries for the ATA. He is also a certifying instructor on the Cellebrite UFED Logical and Physical Analyzer mobile device forensics tool and has served as an instructor for the DoD Computer Investigations Training Academy.
Learn How to Conduct a Complete Computer Forensic Investigation

This professional guide teaches law enforcement personnel, prosecutors, and corporate investigators how to investigate crimes involving Windows computers and Windows networks. A top team of forensic experts details how and why Windows networks are targeted, shows you how to analyze computers and computer logs, explains chain of custody, and covers such tricky topics as how to gather accurate testimony from employees in politically charged corporate settings.

From recognizing high-tech criminal activity to presenting evidence in a way that juries and judges understand, this book thoroughly covers the range of skills, standards, and step-by-step procedures you need to conduct a criminal investigation in a Windows environment and make your evidence stand up in court.

Coverage includes:

- Responding to a reported computer intrusion
- Understanding how attackers exploit Windows networks
- Deciphering Windows ports, services, file systems, and the registry
- Examining suspects' computers and entire networks
- Analyzing event logs and data using live analysis techniques
- Exploring new complexities from cloud computing and virtualization

Investigate Computer Crimes in Windows Environments

Fully Updated for Windows Server 2008 and Windows 7

Discover How to Locate and Analyze an Attacker's Tools

Learn Detailed Windows Event Log Analysis

You may also be interested in these products:

Symbian OS Explained
by: Jo Stichbury
PDF ebook
32,99 €

Symbian OS Internals
by: Jane Sales
PDF ebook
56,99 €

Parallel Combinatorial Optimization
by: El-Ghazali Talbi
PDF ebook
120,99 €