Description

Book Synopsis
An authoritative guide to investigating high-technology crimes

Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more dire. This professional-level book--aimed at law enforcement personnel, prosecutors, and corporate investigators--provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals.

  • Specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network
  • Places a special emphasis on how to thoroughly investigate criminal activity and not just perform the initial response
  • Walks you through ways to present technically complicated material in simple terms that will hold up in court
  • Features content fully updated for Windows Server 2008 R2 and Windows 7
  • Covers the emerging field of Windows Mobile forensics

    Table of Contents

    Introduction xvii

    Part 1 Understanding and Exploiting Windows Networks 1

    Chapter 1 Network Investigation Overview 3

    Performing the Initial Vetting 3

    Meeting with the Victim Organization 5

    Understanding the Victim Network Information 6

    Understanding the Incident 8

    Identifying and Preserving Evidence 9

    Establishing Expectations and Responsibilities 11

    Collecting the Evidence 12

    Analyzing the Evidence 15

    Analyzing the Suspect’s Computers 18

    Recognizing the Investigative Challenges of Microsoft Networks 21

    The Bottom Line 22

    Chapter 2 The Microsoft Network Structure 25

    Connecting Computers 25

    Windows Domains 27

    Interconnecting Domains 29

    Organizational Units 34

    Users and Groups 35

    Types of Accounts 36

    Groups 40

    Permissions 44

    File Permissions 45

    Share Permissions 48

    Reconciling Share and File Permissions 50

    Example Hack 52

    The Bottom Line 61

    Chapter 3 Beyond the Windows GUI 63

    Understanding Programs, Processes, and Threads 64

    Redirecting Process Flow 67

    DLL Injection 70

    Hooking 74

    Maintaining Order Using Privilege Modes 78

    Using Rootkits 80

    The Bottom Line 83

    Chapter 4 Windows Password Issues 85

    Understanding Windows Password Storage 85

    Cracking Windows Passwords Stored on Running Systems 88

    Exploring Windows Authentication Mechanisms 98

    LanMan Authentication 99

    NTLM Authentication 103

    Kerberos Authentication 108

    Sniffing and Cracking Windows Authentication Exchanges 111

    Using ScoopLM and BeatLM to Crack Passwords 114

    Cracking Offline Passwords 121

    Using Cain & Abel to Extract Windows Password Hashes 122

    Accessing Passwords through the Windows Password Verifier 126

    Extracting Password Hashes from RAM 127

    Stealing Credentials from a Running System 128

    The Bottom Line 134

    Chapter 5 Windows Ports and Services 137

    Understanding Ports 137

    Using Ports as Evidence 142

    Understanding Windows Services 149

    The Bottom Line 155

    Part 2 Analyzing the Computer 157

    Chapter 6 Live-Analysis Techniques 159

    Finding Evidence in Memory 159

    Creating a Windows Live-Analysis Toolkit 161

    Using DumpIt to Acquire RAM from a 64-Bit Windows 7 System 164

    Using WinEn to Acquire RAM from a Windows 7 Environment 166

    Using FTK Imager Lite to Acquire RAM from Windows Server 2008 167

    Using Volatility 2.0 to Analyze a Windows 7 32-Bit RAM Image 169

    Monitoring Communication with the Victim Box 173

    Scanning the Victim System 176

    The Bottom Line 178

    Chapter 7 Windows Filesystems 179

    Filesystems vs. Operating Systems 179

    Understanding FAT Filesystems 183

    Understanding NTFS Filesystems 198

    Using NTFS Data Structures 198

    Creating, Deleting, and Recovering Data in NTFS 205

    Dealing with Alternate Data Streams 208

    The exFAT Filesystem 212

    The Bottom Line 213

    Chapter 8 The Registry Structure 215

    Understanding Registry Concepts 215

    Registry History 217

    Registry Organization and Terminology 217

    Performing Registry Research 228

    Viewing the Registry with Forensic Tools 232

    Using EnCase to View the Registry 234

    Examining Information Manually 234

    Using EnScripts to Extract Information 236

    Using AccessData’s Registry Viewer 246

    Other Tools 251

    The Bottom Line 254

    Chapter 9 Registry Evidence 257

    Finding Information in the Software Key 258

    Installed Software 258

    Last Logon 264

    Banners 265

    Exploring Windows Security, Action Center, and Firewall Settings 267

    Analyzing Restore Point Registry Settings 276

    Windows XP Restore Point Content 280

    Analyzing Volume Shadow Copies for Registry Settings 284

    Exploring Security Identifiers 290

    Examining the Recycle Bin 291

    Examining the ProfileList Registry Key 293

    Investigating User Activity 295

    Examining the PSSP and IntelliForms Keys 295

    Examining the MRU Key 296

    Examining the RecentDocs Key 298

    Examining the TypedURLs Key 298

    Examining the UserAssist Key 299

    Extracting LSA Secrets 305

    Using Cain & Abel to Extract LSA Secrets from Your Local Machine 306

    Discovering IP Addresses 307

    Dynamic IP Addresses 307

    Getting More Information from the GUID-Named Interface 309

    Compensating for Time Zone Offsets 312

    Determining the Startup Locations 313

    Exploring the User Profile Areas 316

    Exploring Batch Files 318

    Exploring Scheduled Tasks 318

    Exploring the AppInit_DLL Key 320

    Using EnCase and Registry Viewer 320

    Using Autoruns to Determine Startups 320

    The Bottom Line 322

    Chapter 10 Introduction to Malware 325

    Understanding the Purpose of Malware Analysis 325

    Malware Analysis Tools and Techniques 329

    Constructing an Effective Malware Analysis Toolkit 329

    Analyzing Malicious Code 331

    Monitoring Malicious Code 338

    Monitoring Malware Network Traffic 346

    The Bottom Line 348

    Part 3 Analyzing the Logs 349

    Chapter 11 Text-Based Logs 351

    Parsing IIS Logs 351

    Parsing FTP Logs 362

    Parsing DHCP Server Logs 369

    Parsing Windows Firewall Logs 373

    Using Splunk 376

    The Bottom Line 379

    Chapter 12 Windows Event Logs 381

    Understanding the Event Logs 381

    Exploring Auditing Settings 384

    Using Event Viewer 391

    Opening and Saving Event Logs 403

    Viewing Event Log Data 407

    Searching with Event Viewer 411

    The Bottom Line 418

    Chapter 13 Logon and Account Logon Events 419

    Begin at the Beginning 419

    Comparing Logon and Account Logon Events 420

    Analyzing Windows 2003/2008 Logon Events 422

    Examining Windows 2003/2008 Account Logon Events 433

    The Bottom Line 462

    Chapter 14 Other Audit Events 463

    The Exploitation of a Network 463

    Examining System Log Entries 466

    Examining Application Log Entries 473

    Evaluating Account Management Events 473

    Interpreting File and Other Object Access Events 490

    Examining Audit Policy Change Events 500

    The Bottom Line 503

    Chapter 15 Forensic Analysis of Event Logs 505

    Windows Event Log Files Internals 505

    Windows Vista/7/2008 Event Logs 505

    Windows XP/2003 Event Logs 513

    Repairing Windows XP/2003 Corrupted Event Log Databases 524

    Finding and Recovering Event Logs from Free Space 527

    The Bottom Line 536

    Part 4 Results, the Cloud, and Virtualization 537

    Chapter 16 Presenting the Results 539

    Report Basics 539

    Creating a Narrative Report with Hyperlinks 542

    Creating Hyperlinks 543

    Creating and Linking Bookmarks 546

    The Electronic Report Files 550

    Creating Timelines 552

    CaseMap and TimeMap 552

    Splunk 555

    Testifying about Technical Matters 560

    The Bottom Line 562

    Chapter 17 The Challenges of Cloud Computing and Virtualization 565

    What Is Virtualization? 566

    The Hypervisor 569

    Preparing for Incident Response in Virtual Space 571

    Forensic Analysis Techniques 575

    Dead Host-Based Virtual Environment 576

    Live Virtual Environment 584

    Artifacts 586

    Cloud Computing 587

    What Is It? 587

    Services 588

    Forensic Challenges 589

    Forensic Techniques 589

    The Bottom Line 595

    Part 5 Appendices 597

    Appendix A The Bottom Line 599

    Chapter 1: Network Investigation Overview 599

    Chapter 2: The Microsoft Network Structure 601

    Chapter 3: Beyond the Windows GUI 602

    Chapter 4: Windows Password Issues 604

    Chapter 5: Windows Ports and Services 606

    Chapter 6: Live-Analysis Techniques 608

    Chapter 7: Windows Filesystems 609

    Chapter 8: The Registry Structure 611

    Chapter 9: Registry Evidence 613

    Chapter 10: Introduction to Malware 618

    Chapter 11: Text-based Logs 620

    Chapter 12: Windows Event Logs 622

    Chapter 13: Logon and Account Logon Events 623

    Chapter 14: Other Audit Events 624

    Chapter 15: Forensic Analysis of Event Logs 626

    Chapter 16: Presenting the Results 628

    Chapter 17: The Challenges of Cloud Computing and Virtualization 630

    Appendix B Test Environments 633

    Software 633

    Hardware 635

    Setting Up Test Environments in Training Laboratories 636

    Chapter 1: Network Investigation Overview 636

    Chapter 2: The Microsoft Network Structure 636

    Chapter 3: Beyond the Windows GUI 637

    Chapter 4: Windows Password Issues 637

    Chapter 5: Windows Ports and Services 639

    Chapter 6: Live-Analysis Techniques 639

    Chapter 7: Windows Filesystems 640

    Chapter 8: The Registry Structure 640

    Chapter 9: Registry Evidence 642

    Chapter 10: Introduction to Malware 643

    Chapter 11: Text-Based Logs 643

    Chapter 12: Windows Event Logs 644

    Chapter 13: Logon and Account Logon Events 644

    Chapter 14: Other Audit Events 644

    Chapter 15: Forensic Analysis of Event Logs 645

    Chapter 16: Presenting the Results 645

    Chapter 17: The Challenges of Cloud Computing and Virtualization 645

    Index 647

Mastering Windows Network Forensics and

£38.00

RRP £47.50 – you save £9.50 (20%)

A Paperback / softback by Steve Anson, Steve Bunting, Ryan Johnson

    Publisher: John Wiley & Sons Inc
    Publication Date: 29/06/2012
    ISBN13: 9781118163825, 978-1118163825
    ISBN10: 1118163826
