Windows Forensics: The Field Guide for Corporate Computer Investigations (Paperback)

Chad Steel

  • Publisher: Wiley
  • Publication date: 2006-05-15
  • List price: $1,650
  • Sale price: $299 (1.8折, about 18% of the list price)
  • Language: English
  • Pages: 408
  • Binding: Paperback
  • ISBN: 0470038624
  • ISBN-13: 9780470038628
  • Ships immediately (limited quantity; stock = 4)


Product Description

The evidence is in—to solve Windows crime, you need Windows tools

An arcane pursuit a decade ago, forensic science today is a household term. And while the computer forensic analyst may not lead as exciting a life as TV's CSIs do, he or she relies just as heavily on scientific principles and just as surely solves crime.

Whether you are contemplating a career in this growing field or are already an analyst in a Unix/Linux environment, this book prepares you to combat computer crime in the Windows world. Here are the tools to help you recover sabotaged files, track down the source of threatening e-mails, investigate industrial espionage, and expose computer criminals.

  • Identify evidence of fraud, electronic theft, and employee Internet abuse
  • Investigate crime related to instant messaging, Lotus Notes®, and increasingly popular browsers such as Firefox®
  • Learn what it takes to become a computer forensics analyst
  • Take advantage of sample forms and layouts as well as case studies
  • Protect the integrity of evidence
  • Compile a forensic response toolkit
  • Assess and analyze damage from computer crime and process the crime scene
  • Develop a structure for effectively conducting investigations
  • Discover how to locate evidence in the Windows Registry


Table of Contents

Chapter 1. Windows Forensics.

The Corporate Computer Forensic Analyst.

Windows Forensics.

People, Processes, and Tools.

Computer Forensics: Today and Tomorrow.

Additional Resources.

Chapter 2. Processing the Digital Crime Scene.

Identify the Scene.

Perform Remote Research.

Secure the Crime Scene.

Document the Scene.

Process the Scene for Physical Evidence.

Process the Scene for Electronic Evidence.

Chain of Custody.

Best Evidence.

Working with Law Enforcement.

Additional Resources.

Chapter 3. Windows Forensic Basics.

History and Versions.

MS-DOS.

Windows 1.x, 2.x, and 3.x.

Windows NT and 2000.

Windows 95, 98, and ME.

Windows XP and 2003.

Non-Volatile Storage.

Floppy Disks.

Tapes.

CDs and DVDs.

USB Flash Drives.

Hard Disks.

Additional Resources.

Chapter 4. Partitions and File Systems.

Master Boot Record.

Windows File Systems.

FAT.

VFAT.

NTFS.

Compression.

Encryption.

Additional Resources.

Chapter 5. Directory Structure and Special Files.

Windows NT/2000/XP.

Directories.

Files.

Windows 9x.

Directories.

Files.

Additional Resources.

Chapter 6. The Registry.

History.

Registry Basics.

Registry Analysis.

General.

Folder Locations.

Startup Items.

Intelliforms.

Advanced Registry Analysis.

Additional Resources.

Chapter 7. Forensic Analysis.

Chapter 8. Live System Analysis.

Covert Analysis.

System State Analysis.

System Tools.

Storage.

Services and Applications.

Remote Enumeration.

Monitoring.

Keystroke Recording.

Network Monitoring.

Overt Analysis.

GUI-based Overt Analysis.

Local Command Line Analysis.

Remote Command Line Analysis.

Basic Information Gathering.

System State Information.

Running Program Information.

Main Memory Analysis.

Additional Resources.

Chapter 9. Forensic Duplication.

Hard Disk Duplication.

In-Situ Duplication.

Direct Duplication.

Magnetic Tape.

Hard Disks.

Optical Disks.

Multi-tiered Storage.

Log File Duplication.

Additional Resources.

Chapter 10. File System Analysis.

Searching.

Index-based Searching.

Bitwise Searching.

Search Methodology.

Hash Analysis.

Positive Hash Analysis.

Negative Hash Analysis.

File Recovery.

Special Files.

Print Spool Files.

Windows Shortcuts.

Paging File.

Additional Resources.

Chapter 11. Log File Analysis.

Event Logs.

Application Log.

System Log.

Security Log.

Successful Log-on/Log-off Events.

Failed Log-on Event.

Change of Policy.

Successful or Failed Object Access.

Account Change.

Log Clearing.

Internet Logs.

HTTP Logs.

FTP Logs.

SMTP Logs.

Additional Resources.

Chapter 12. Internet Usage Analysis.

Web Activity.

Internet Explorer.

Favorites.

History.

Cache.

Cookies.

Firefox.

Favorites.

History.

Cache.

Cookies.

Passwords.

Downloads.

Toolbar History.

Network, Proxy, and DNS History.

Peer-to-Peer Networking.

Gnutella Clients.

Bearshare.

Downloading.

Sharing.

Other Information.

Limewire.

Downloading.

Sharing.

FastTrack Clients.

Overnet, eMule, and eDonkey2000 Clients.

Downloading.

Sharing.

Instant Messaging.

AOL Instant Messenger.

Microsoft Messenger.

Additional Resources.

Chapter 13. Email Investigations.

Outlook/Outlook Express.

Outlook Express.

Acquisition.

Analysis.

Outlook.

Acquisition.

Access Control.

Analysis.

Lotus Notes.

Acquisition.

Access Control and Logging.

Analysis.

Address Book.

Additional Resources.

Appendix A. Sample Chain of Custody Form.

Appendix B. Master Boot Record Layout.

Appendix C. Partition Types.

Appendix D. FAT32 Boot Sector Layout.

Appendix E. NTFS Boot Sector Layout.

Appendix F. NTFS Metafiles.

Appendix G. Well-Known SIDs.

Index.
