Windows Forensics : The Field... | Buy

The evidence is in--to solve Windows crime, you need Windows tools An arcane pursuit a decade ago, forensic science today is a household term. And while the computer forensic analyst may not lead as exciting a life as TV's CSIs do, he or she relies just as heavily on scientific principles and just as surely solves crime. Whether you are contemplating a career in this growing field or are already an analyst in a Unix/Linux environment, this book prepares you to combat computer crime in the Windows world. Here are the tools to help you recover sabotaged files, track down the source of threatening e-mails, investigate industrial espionage, and expose computer criminals. * Identify evidence of fraud, electronic theft, and employee Internet abuse * Investigate crime related to instant messaging, Lotus Notes(r), and increasingly popular browsers such as Firefox(r) * Learn what it takes to become a computer forensics analyst * Take advantage of sample forms and layouts as well as case studies * Protect the integrity of evidence * Compile a forensic response toolkit * Assess and analyze damage from computer crime and process the crime scene * Develop a structure for effectively conducting investigations * Discover how to locate evidence in the Windows Registry

Chad Steel has investigated more than 300 computer security incidents. As an adjunct faculty member, he developed and taught the Computer Forensics graduate course in Penn State's engineering program and has instructed federal and local law enforcement, commercial clients, and graduate students in forensic analysis. His experience includes serving as head of IT investigations for a Global 100 corporation and as managing director of the Systems Integration and Security practice at Qwest Communications.

Windows Forensics

1

(10)

The Corporate Computer Forensic Analyst

2

(1)

Windows Forensics

3

(3)

People, Processes, and Tools

6

(2)

Computer Forensics: Today and Tomorrow

8

(1)

Additional Resources

9

(2)

Processing the Digital Crime Scene

11

(20)

Identify the Scene

12

(3)

Perform Remote Research

15

(2)

Secure the Crime Scene

17

(1)

Document the Scene

18

(1)

Process the Scene for Physical Evidence

19

(3)

Process the Scene for Electronic Evidence

22

(3)

Chain of Custody

25

(1)

Best Evidence

26

(2)

Working with Law Enforcement

28

(1)

Additional Resources

29

(2)

Windows Forensic Basics

31

(28)

History and Versions

32

(6)

MS-DOS

32

(1)

Windows 1.x, 2.x, and 3.x

32

(1)

Windows NT and 2000

33

(1)

Windows 95, 98, and ME

34

(1)

Windows XP and 2003

35

(3)

Non-Volatile Storage

38

(20)

Floppy Disks

38

(5)

Tapes

43

(3)

CDs and DVDs

46

(2)

USB Flash Drives

48

(3)

Hard Disks

51

(7)

Additional Resources

58

(1)

Partitions and File Systems

59

(38)

Master Boot Record

59

(6)

Windows File Systems

65

(31)

FAT

66

(7)

VFAT

73

(2)

NTFS

75

(10)

Compression

85

(3)

Encryption

88

(8)

Additional Resources

96

(1)

Directory Structure and Special Files

97

(18)

Windows NT/2000/XP

97

(15)

Directories

98

(9)

Files

107

(5)

Windows 9x

112

(2)

Directories

112

(1)

Files

113

(1)

Additional Resources

114

(1)

The Registry

115

(22)

History

115

(1)

Registry Basics

116

(5)

Registry Analysis

121

(12)

General

122

(3)

Folder Locations

125

(3)

Startup Items

128

(4)

Intelliforms

132

(1)

Advanced Registry Analysis

133

(3)

Additional Resources

136

(1)

Forensic Analysis

137

(2)

Live System Analysis

139

(54)

Covert Analysis

144

(22)

System State Analysis

144

(2)

System Tools

146

(1)

Storage

147

(1)

Services and Applications

148

(2)

Remote Enumeration

150

(4)

Monitoring

154

(1)

Keystroke Recording

155

(2)

Network Monitoring

157

(9)

Overt Analysis

166

(23)

GUI-based Overt Analysis

166

(3)

Local Command Line Analysis

169

(1)

Remote Command Line Analysis

170

(3)

Basic Information Gathering

173

(4)

System State Information

177

(5)

Running Program Information

182

(4)

Main Memory Analysis

186

(3)

Additional Resources

189

(4)

Forensic Duplication

193

(18)

Hard Disk Duplication

194

(14)

In-Situ Duplication

197

(6)

Direct Duplication

203

(1)

Magnetic Tape

204

(1)

Hard Disks

205

(1)

Optical Disks

205

(1)

Multi-tiered Storage

206

(2)

Log File Duplication

208

(2)

Additional Resources

210

(1)

File System Analysis

211

(36)

Searching

211

(9)

Index-based Searching

212

(5)

Bitwise Searching

217

(2)

Search Methodology

219

(1)

Hash Analysis

220

(5)

Positive Hash Analysis

223

(1)

Negative Hash Analysis

224

(1)

File Recovery

225

(11)

Special Files

236

(8)

Print Spool Files

236

(3)

Windows Shortcuts

239

(2)

Paging File

241

(3)

Additional Resources

244

(3)

Log File Analysis

247

(24)

Event Logs

247

(10)

Application Log

250

(2)

System Log

252

(1)

Security Log

253

(1)

Successful Log-on/Log-off Events

254

(1)

Failed Log-on Event

255

(1)

Change of Policy

256

(1)

Successful or Failed Object Access

256

(1)

Account Change

256

(1)

Log Clearing

257

(1)

Internet Logs

257

(13)

HTTP Logs

260

(6)

FTP Logs

266

(2)

SMTP Logs

268

(2)

Additional Resources

270

(1)

Internet Usage Analysis

271

(40)

Web Activity

272

(22)

Internet Explorer

272

(2)

Favorites

274

(3)

History

277

(4)

Cache

281

(2)

Cookies

283

(2)

Firefox

285

(1)

Favorites

285

(3)

History

288

(1)

Cache

289

(2)

Cookies

291

(1)

Passwords

292

(1)

Downloads

293

(1)

Toolbar History

293

(1)

Network, Proxy, and DNS History

294

(1)

Peer-to-Peer Networking

294

(11)

Gnutella Clients

296

(1)

Bearshare

297

(1)

Downloading

297

(1)

Sharing

298

(1)

Other Information

298

(1)

Limewire

299

(1)

Downloading

300

(1)

Sharing

300

(1)

FastTrack Clients

301

(1)

Overnet, eMule, and eDonkey2000 Clients

302

(2)

Downloading

304

(1)

Sharing

305

(1)

Instant Messaging

305

(4)

AOL Instant Messenger

306

(1)

Microsoft Messenger

307

(2)

Additional Resources

309

(2)

Email Investigations

311

(28)

Outlook/Outlook Express

314

(12)

Outlook Express

314

(1)

Acquisition

315

(2)

Analysis

317

(4)

Outlook

321

(1)

Acquisition

321

(1)

Access Control

322

(1)

Analysis

322

(4)

Lotus Notes

326

(12)

Acquisition

329

(1)

Access Control and Logging

330

(1)

Analysis

331

(2)

Address Book

333

(5)

Additional Resources

338

(1)

Appendix A Sample Chain of Custody Form

339

(2)

Appendix B Master Boot Record Layout

341

(2)

Appendix C Partition Types

343

(6)

Appendix D FAT32 Boot Sector Layout

349

(4)

Appendix E NTFS Boot Sector Layout

353

(2)

Appendix F NTFS Metafiles

355

(2)

Appendix G Well-Known SIDs

357

(6)

Index

363

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.