Book
Author Anson, Steve, author

Title Mastering Windows network forensics and investigation / Steve Anson, Steve Bunting, Ryan Johnson, Scott Pearson
Edition Second edition
Published Indianapolis, Ind. : Wiley, [2012]
Hoboken, NJ John Wiley & Sons, Inc., [2012]
©2012

Copies

Location  Call no.                  Vol.  Availability
W'PONDS   363.25968 Ans/Mwn 2012          AVAILABLE
MELB      363.25968 Ans/Mwn 2012          AVAILABLE
MELB      363.25968 Ans/Mwn 2012          AVAILABLE
Description xxii, 674 pages : illustrations ; 24 cm
Series Sybex serious skills
Serious skills.
Contents (machine-generated contents note)

pt. 1 Understanding and Exploiting Windows Networks
  ch. 1 Network Investigation Overview
    Performing the Initial Vetting
    Meeting with the Victim Organization
    Understanding the Victim Network Information
    Understanding the Incident
    Identifying and Preserving Evidence
    Establishing Expectations and Responsibilities
    Collecting the Evidence
    Analyzing the Evidence
    Analyzing the Suspect's Computers
    Recognizing the Investigative Challenges of Microsoft Networks
    The Bottom Line
  ch. 2 The Microsoft Network Structure
    Connecting Computers
    Windows Domains
    Interconnecting Domains
    Organizational Units
    Users and Groups
    Types of Accounts
    Groups
    Permissions
    File Permissions
    Share Permissions
    Reconciling Share and File Permissions
    Example Hack
    The Bottom Line
  ch. 3 Beyond the Windows GUI
    Understanding Programs, Processes, and Threads
    Redirecting Process Flow
    DLL Injection
    Hooking
    Maintaining Order Using Privilege Modes
    Using Rootkits
    The Bottom Line
  ch. 4 Windows Password Issues
    Understanding Windows Password Storage
    Cracking Windows Passwords Stored on Running Systems
    Exploring Windows Authentication Mechanisms
    LanMan Authentication
    NTLM Authentication
    Kerberos Authentication
    Sniffing and Cracking Windows Authentication Exchanges
    Using ScoopLM and BeatLM to Crack Passwords
    Cracking Offline Passwords
    Using Cain & Abel to Extract Windows Password Hashes
    Accessing Passwords through the Windows Password Verifier
    Extracting Password Hashes from RAM
    Stealing Credentials from a Running System
    The Bottom Line
  ch. 5 Windows Ports and Services
    Understanding Ports
    Using Ports as Evidence
    Understanding Windows Services
    The Bottom Line
pt. 2 Analyzing the Computer
  ch. 6 Live-Analysis Techniques
    Finding Evidence in Memory
    Creating a Windows Live-Analysis Toolkit
    Using Dumpit to Acquire RAM from a 64-Bit Windows 7 System
    Using WinEn to Acquire RAM from a Windows 7 Environment
    Using FTK Imager Lite to Acquire RAM from Windows Server 2008
    Using Volatility 2.0 to Analyze a Windows 7 32-Bit RAM Image
    Monitoring Communication with the Victim Box
    Scanning the Victim System
    The Bottom Line
  ch. 7 Windows Filesystems
    Filesystems vs. Operating Systems
    Understanding FAT Filesystems
    Understanding NTFS Filesystems
    Using NTFS Data Structures
    Creating, Deleting, and Recovering Data in NTFS
    Dealing with Alternate Data Streams
    The exFAT Filesystem
    The Bottom Line
  ch. 8 The Registry Structure
    Understanding Registry Concepts
    Registry History
    Registry Organization and Terminology
    Performing Registry Research
    Viewing the Registry with Forensic Tools
    Using EnCase to View the Registry
    Examining Information Manually
    Using EnScripts to Extract Information
    Using AccessData's Registry Viewer
    Other Tools
    The Bottom Line
  ch. 9 Registry Evidence
    Finding Information in the Software Key
    Installed Software
    Last Logon
    Banners
    Exploring Windows Security, Action Center, and Firewall Settings
    Analyzing Restore Point Registry Settings
    Windows XP Restore Point Content
    Analyzing Volume Shadow Copies for Registry Settings
    Exploring Security Identifiers
    Examining the Recycle Bin
    Examining the ProfileList Registry Key
    Investigating User Activity
    Examining the PSSP and IntelliForms Keys
    Examining the MRU Key
    Examining the RecentDocs Key
    Examining the TypedURLs Key
    Examining the UserAssist Key
    Extracting LSA Secrets
    Using Cain & Abel to Extract LSA Secrets from Your Local Machine
    Discovering IP Addresses
    Dynamic IP Addresses
    Getting More Information from the GUID-Named Interface
    Compensating for Time Zone Offsets
    Determining the Startup Locations
    Exploring the User Profile Areas
    Exploring Batch Files
    Exploring Scheduled Tasks
    Exploring the AppInit_DLL Key
    Using EnCase and Registry Viewer
    Using Autoruns to Determine Startups
    The Bottom Line
  ch. 10 Introduction to Malware
    Understanding the Purpose of Malware Analysis
    Malware Analysis Tools and Techniques
    Constructing an Effective Malware Analysis Toolkit
    Analyzing Malicious Code
    Monitoring Malicious Code
    Monitoring Malware Network Traffic
    The Bottom Line
pt. 3 Analyzing the Logs
  ch. 11 Text-Based Logs
    Parsing IIS Logs
    Parsing FTP Logs
    Parsing DHCP Server Logs
    Parsing Windows Firewall Logs
    Using Splunk
    The Bottom Line
  ch. 12 Windows Event Logs
    Understanding the Event Logs
    Exploring Auditing Settings
    Using Event Viewer
    Opening and Saving Event Logs
    Viewing Event Log Data
    Searching with Event Viewer
    The Bottom Line
  ch. 13 Logon and Account Logon Events
    Begin at the Beginning
    Comparing Logon and Account Logon Events
    Analyzing Windows 2003/2008 Logon Events
    Examining Windows 2003/2008 Account Logon Events
    The Bottom Line
  ch. 14 Other Audit Events
    The Exploitation of a Network
    Examining System Log Entries
    Examining Application Log Entries
    Evaluating Account Management Events
    Interpreting File and Other Object Access Events
    Examining Audit Policy Change Events
    The Bottom Line
  ch. 15 Forensic Analysis of Event Logs
    Windows Event Log Files Internals
    Windows Vista/7/2008 Event Logs
    Windows XP/2003 Event Logs
    Repairing Windows XP/2003 Corrupted Event Log Databases
    Finding and Recovering Event Logs from Free Space
    The Bottom Line
pt. 4 Results, the Cloud, and Virtualization
  ch. 16 Presenting the Results
    Report Basics
    Creating a Narrative Report with Hyperlinks
    Creating Hyperlinks
    Creating and Linking Bookmarks
    The Electronic Report Files
    Creating Timelines
    CaseMap and TimeMap
    Splunk
    Testifying about Technical Matters
    The Bottom Line
  ch. 17 The Challenges of Cloud Computing and Virtualization
    What Is Virtualization?
    The Hypervisor
    Preparing for Incident Response in Virtual Space
    Forensic Analysis Techniques
    Dead Host-Based Virtual Environment
    Live Virtual Environment
    Artifacts
    Cloud Computing
    What Is It?
    Services
    Forensic Challenges
    Forensic Techniques
    The Bottom Line
pt. 5 Appendices
  Appendix A The Bottom Line
    ch. 1 Network Investigation Overview
    ch. 2 The Microsoft Network Structure
    ch. 3 Beyond the Windows GUI
    ch. 4 Windows Password Issues
    ch. 5 Windows Ports and Services
    ch. 6 Live-Analysis Techniques
    ch. 7 Windows Filesystems
    ch. 8 The Registry Structure
    ch. 9 Registry Evidence
    ch. 10 Introduction to Malware
    ch. 11 Text-based Logs
    ch. 12 Windows Event Logs
    ch. 13 Logon and Account Logon Events
    ch. 14 Other Audit Events
    ch. 15 Forensic Analysis of Event Logs
    ch. 16 Presenting the Results
    ch. 17 The Challenges of Cloud Computing and Virtualization
  Appendix B Test Environments
    Software
    Hardware
    Setting Up Test Environments in Training Laboratories
    ch. 1 Network Investigation Overview
    ch. 2 The Microsoft Network Structure
    ch. 3 Beyond the Windows GUI
    ch. 4 Windows Password Issues
    ch. 5 Windows Ports and Services
    ch. 6 Live-Analysis Techniques
    ch. 7 Windows Filesystems
    ch. 8 The Registry Structure
    ch. 9 Registry Evidence
    ch. 10 Introduction to Malware
    ch. 11 Text-Based Logs
    ch. 12 Windows Event Logs
    ch. 13 Logon and Account Logon Events
    ch. 14 Other Audit Events
    ch. 15 Forensic Analysis of Event Logs
    ch. 16 Presenting the Results
    ch. 17 The Challenges of Cloud Computing and Virtualization
Summary An authoritative guide to investigating high-technology crimes. Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more dire. This professional-level book, aimed at law enforcement personnel, prosecutors, and corporate investigators, provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals. It specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network.
Notes Includes index
Subject Microsoft Windows (Computer file) http://id.loc.gov/authorities/names/n88027331
Computer crimes -- Investigation.
Computer networks -- Security measures.
Author Bunting, Steve, author
Johnson, Ryan, author
Pearson, Scott, author
LC no. 2011945567
ISBN 9781118163825
Other Titles Windows network forensics and investigation