Windows Forensics: Understand Analysis Techniques for Your Windows
Year of publication: 2024
Author: Chuck Easttom and others
Publisher: Apress Media
ISBN: 979-8-8688-0193-8
Language: English
Format: PDF/EPUB
Quality: Publisher's layout or text (eBook)
Interactive table of contents: Yes
Number of pages: 484

Description:
This book is your comprehensive guide to Windows forensics. It covers the process of conducting a forensic investigation of systems that run Windows operating systems, including incident response, recovery, and the auditing of equipment used in carrying out criminal activity. The book covers the Windows Registry, architecture, and subsystems as well as forensic techniques, along with how to write reports, the applicable legal standards, and how to testify. It starts with an introduction to Windows, followed by forensic concepts and methods of creating forensic images. You will learn about Windows file artifacts, Windows Registry forensics, and Windows memory forensics, and you will learn to work with PowerShell scripting for forensic applications and with Windows email forensics. Microsoft Azure and cloud forensics are discussed, and you will learn how to extract evidence from the cloud. By the end of the book you will know the data-hiding techniques used on Windows, and you will have been introduced to Volatility and a Windows Registry cheat sheet.

What You Will Learn
- Understand Windows architecture
- Recover deleted files from Windows and the Recycle Bin
- Use Volatility and the PassMark OSForensics Volatility Workbench
- Use Windows PowerShell scripting for forensic applications

Who This Book Is For
Windows administrators, forensics practitioners, and those wanting to enter the field of digital forensics
Sample pages (screenshots)
Contents
About the Authors
About the Technical Reviewer
Acknowledgments
Introduction

Chapter 1: Introduction to Windows
  Introduction
  What Is an Operating System?
  History of Windows
  The File System
  Windows Details
  Windows Timestamps
  Windows Active Directory
  DLLs and Services
  Swap File and Hiberfil.sys
  Windows Logs
  Windows Command Line
  Windows Defender
  Windows Control Panel
  Certmgr
  Windows Boot Sequence
  Warm and Cold Booting
  POST
  BitLocker
  Conclusions
  Test Your Knowledge

Chapter 2: Forensics Concepts
  Why Windows Forensics?
  Windows Forensics vs. Computer Forensics
  Scope of Windows Forensics
  Relevant Laws
  Relevant Standards
  European Union
  FBI Forensics Guidelines
  Windows Forensics Process
  The Scientific Method
  Writing a Digital Forensics Report
  Important Criteria
  General Structure
  Testifying As an Expert Witness
  Forensic Quality
  Conclusions
  References
  Test Your Knowledge

Chapter 3: Creating Forensic Images Using OSForensics, FTK Imager, and Autopsy
  Key Concepts
  Terminology: Distinguishing Between Disk Images and Forensic Images
  Logical vs. Physical Drives
  Hashing Algorithms: SHA-256 As Digital Fingerprints
  Best Practices for Admissibility in Court
  NIST Standards
  Creating Forensic Images with OSForensics
  Why OSForensics?
  Installing OSForensics
  Step-by-Step Guide to Image a Drive Using OSForensics
  Creating Forensic Images with FTK Imager
  Why FTK Imager?
  Installing FTK Imager
  Step-by-Step Guide to Imaging a Drive Using FTK Imager
  Mounting a Drive
  Step-by-Step Guide to Mounting a Drive
  Using Autopsy
  Understanding the Contents of a Forensic Image Through Deeper Analysis
  Recovering Deleted Files
  Autopsy and Deleted Files
  Uncovering User Activity
  Autopsy User Activity
  Conclusion
  References
  Test Your Knowledge

Chapter 4: Windows File Artifacts
  Why Study Windows Artifacts?
  What Are Windows Artifacts?
  Deleted Files
  Individual Files
  LNK Files
  Log Files
  Recycle Bin
  I30 File
  USN Journal
  $Standard_Information vs. $File_Name
  Autorun Commands
  Browser Artifacts
  Stored Credentials
  Cloud Storage
  Less Common Artifacts
  Windows Error Reporting (WER) Forensics
  RDP Cache Forensics
  Windows Timeline
  Browser Extensions
  Conclusions
  References
  Test Your Knowledge

Chapter 5: Windows Registry Forensics Part 1
  Introduction
  Registry Overview
  Specific Registry Keys
  General Information
  USB Information
  MRU
  ShellBags
  User Assist
  Prefetch
  Mounted Devices
  AutoStart Programs
  Tools
  OSForensics
  ShellBags Explorer
  Registry Explorer
  Conclusions
  References
  Test Your Knowledge

Chapter 6: Windows Registry Forensics Part 2
  Introduction
  Specific Keys
  ComDlg32
  MUICache
  Wireless Networks
  Malware Analysis
  Recently Used
  Registered Applications
  Other Software
  Installed Applications
  Mozilla
  Uninstalled Programs
  Page File Management
  BAM/DAM
  AmCache
  Shared Folders
  Typed Path
  Using the Correct Tools
  More Details on the Registry
  Conclusions
  Test Your Knowledge

Chapter 7: Windows Shadow Copy
  Introduction
  How It Works
  VSS Details
  VSS Forensics
  Conclusions
  References
  Test Your Knowledge

Chapter 8: Windows Memory Forensics
  Introduction
  What Is Computer Memory?
  How Does Computer Memory Work?
  Windows Memory Management
  What Is Memory Forensics?
  Understanding Malware
  Types of Malware
  Malware Hiding Techniques
  Memory Analysis
  Memory Artifacts
  Capturing Memory
  Analyzing the Memory
  Volatility
  PassMark OSForensics Volatility Workbench
  Process of Analyzing a Computer's Memory Dump
  Conclusion
  References
  Test Your Knowledge

Chapter 9: PowerShell Forensics
  Introduction
  What Is PowerShell?
  Frameworks
  PowerShell Desktop
  PowerShell Core
  Open Source
  Getting Started with PowerShell
  Your First PowerShell Command!
  PowerShell Basic Concepts
  Important Commands
  Logical Computing
  PowerShell Gallery
  Digital Forensics with PowerShell
  Standard OS Commands
  Powerful Built-In Functions
  PowerForensics Module
  Invoke-ForensicDD
  Get-ForensicNetworkList
  Get-ForensicTimeline
  Conclusions
  References
  Test Your Knowledge

Chapter 10: Web Browser Forensics
  Introduction
  What Is Web Browser Forensics?
  Web Browser Terminology
  An Overview: Artifacts of Web Browsers in Forensic Cases
  Specific Web Browsers and Forensics
  Google Chrome
  Microsoft Edge
  Mozilla Firefox
  Web Browser Forensic Tools
  OSForensics
  Belkasoft Evidence Center
  ChromeAnalysis Plus
  PasswordFox
  Internet Evidence Finder (IEF)
  The Web Browser Forensic Analyzer (WEFA)
  Wireshark
  Challenges of Web Browser Forensics
  Conclusions
  References
  Test Your Knowledge

Chapter 11: Windows Email Forensics
  Introduction
  Understanding Email
  Email Protocols
  Email File Types
  Email Standards
  Viewing Headers
  Email Forensics
  eDiscovery
  Conclusions
  References
  Test Your Knowledge

Chapter 12: Microsoft Azure and Cloud Forensics
  Introduction
  Cloud Types
  Cloud Connectivity and Security
  FedRAMP
  Microsoft Azure
  Cloud Forensics
  NIST 800-201
  OSForensics
  FTK
  Azure Forensics
  Conclusions
  References
  Test Your Knowledge

Chapter 13: Data Hiding Techniques in Windows
  Why Study Data Hiding Techniques?
  Windows Encryption
  What Is Windows Encryption?
  BitLocker Drive Encryption
  Activating BitLocker on Windows
  Architecture and Components
  Recovering BitLocker Data
  Encrypted File System
  Encrypting a File or Directory
  Architecture and Components
  EFS Artifact Examination
  Encryption Tools
  Encryption Analysis Tools
..........................................................................................................411 Steganography ..........................................................................................................................411 What Is Steganography? ...........................................................................................................412 Steganographic Process ...........................................................................................................412 Steganography Domains ...........................................................................................................413 Spatial Domain ....................................................................................................................413 Transform Domain ...............................................................................................................414 Types of Steganography ............................................................................................................415 Image ...................................................................................................................................415 Audio ...................................................................................................................................418 Video ....................................................................................................................................420 Text ......................................................................................................................................421 Steganography Tools .................................................................................................................425 Steganalysis ..............................................................................................................................434 Detection Tools 
....................................................................................................................435 Statistical Analysis ..............................................................................................................437 Deep Learning ...........................................................................................................................438 Slack Space ..............................................................................................................................439 What Is Slack Space? ..........................................................................................................439 Calculating Slack Space ...........................................................................................................440 Hard Disk Cluster and Sector Sizes .....................................................................................441 File Slack Calculation ..........................................................................................................442 Hiding Data in the Slack Space .................................................................................................443 Analyzing Slack Space for Hidden Data ....................................................................................446 Binary Tree Structure ...........................................................................................................446 Data Carving ........................................................................................................................446 Hexadecimal View ...............................................................................................................447 Analytic Tools .......................................................................................................................447 Conclusions 
...............................................................................................................................448 References ................................................................................................................................449 Assessment ...............................................................................................................................451 Appendix A: Volatility Cheat Sheet ................................................................................................455 Appendix B: Registry Cheat Sheet .................................................................................................457 Index ........................................................................................................................................463