"Windows Forensic Analysis DVD Toolkit 2E" by Harlan Carvey
Eoghan Casey, Technical Editor. Second Edition
Syngress, Elsevier Inc. | 2009 | ISBN: 1597494224 / 9781597494229 | 507 pages | PDF/djvu | 6/8 MB
The author has brought this book up to date to give you, the responder, examiner, or analyst, the must-have toolkit for your job. This book covers both live and post-mortem response collection and analysis methodologies, addressing material that is applicable to law enforcement, the federal government, students, and consultants. The book is also accessible to system administrators, who are often on the front line when an incident occurs but, due to staffing and budget constraints, do not have the necessary knowledge to respond effectively.
Windows is the most widely deployed operating system on desktops and servers worldwide, which means more intrusions, malware infections, and cybercrime happen on these systems.
Brief
1 Live Response: Collecting Volatile Data
2 Live Response: Data Analysis
3 Windows Memory Analysis
4 Registry Analysis
5 File Analysis
6 Executable File Analysis
7 Rootkits and Rootkit Detection
8 Tying It All Together
Index
Contents
Preface
Author's Acknowledgments
Chapter 1 Live Response: Collecting Volatile Data
Introduction
Live Response
Locard’s Exchange Principle
Order of Volatility
When to Perform Live Response
What Data to Collect
System Time
Logged-on Users
PsLoggedOn
Net Sessions
LogonSessions
Open Files
Network Information (Cached NetBIOS Name Table)
Network Connections
Netstat
Process Information
Tlist
Tasklist
PsList
ListDLLs
Handle
Process-to-Port Mapping
Netstat
Fport
Tcpvcon
Process Memory
Network Status
Ipconfig
PromiscDetect and Promqry
Clipboard Contents
Service/Driver Information
Command History
Mapped Drives
Shares
Nonvolatile Information
Registry Settings
ClearPageFileAtShutdown
DisableLastAccess
Autoruns
Event Logs
Devices and Other Information
A Word about Picking Your Tools
Live-Response Methodologies
Local Response Methodology
Remote Response Methodology
The Hybrid Approach (a.k.a. Using the FSP)
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 2 Live Response: Data Analysis
Introduction
Data Analysis
Example 1-3
Agile Analysis
Expanding the Scope
Reaction
Prevention
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 3 Windows Memory Analysis
Introduction
A Brief History
Collecting Process Memory
Dumping Physical Memory
DD
Nigilant32
ProDiscover
KnTDD
MDD
Win32dd
Memoryze
Winen
Fastdump
F-Response
Section Summary
Alternative Approaches for Dumping Physical Memory
Hardware Devices
FireWire
Crash Dumps
Virtualization
Hibernation File
Analyzing a Physical Memory Dump
Determining the Operating System of a Dump File
Process Basics
EProcess Structure
Process Creation Mechanism
Parsing Memory Dump Contents
Lsproc.pl
Lspd.pl
Volatility Framework
Memoryze
HBGary Responder
Parsing Process Memory
Extracting the Process Image
Memory Dump Analysis and the Page File
Pool Allocations
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 4 Registry Analysis
Introduction
Inside the Registry
Registry Structure within a Hive File
The Registry As a Log File
Monitoring Changes to the Registry
Registry Analysis
RegRipper
Rip
RipXP
System Information
ComputerName
TimeZoneInformation
Network Interfaces
MAC Address
Shares
Audit Policy and Event Logs
Wireless SSIDs
Autostart Locations
System Boot
User Login
User Activity
Enumerating Autostart Registry Locations
AutoRun Functionality
NtfsDisableLastAccessUpdate
NukeOnDelete
USB Removable Storage Devices
USB Device Issues
Mounted Devices
Portable Devices
Finding Users
Tracking User Activity
The UserAssist Keys
MUICache
MRU Lists
Search Assistant
Connecting to Other Systems
CD Burning
IM and P2P
Windows XP System Restore Points
Redirection
Virtualization
Deleted Registry Keys
Summary
DVD Contents
Solutions Fast Track
Frequently Asked Questions
Chapter 5 File Analysis
Introduction
Log Files
Event Logs
Understanding Events
Event Log File Format
Event Log Header
Event Record Structure
Vista Event Logs
IIS Logs
Log Parser
Web Browser History
Other Log Files
Setuplog.txt
Setupact.log
Setupapi.log
Netsetup.log
Task Scheduler Log
XP Firewall Logs
Mrt.log
Dr. Watson Logs
Cbs.log
Crash Dump Files
Recycle Bin
Vista Recycle Bin
XP System Restore Points
Rp.log Files
Change.log.x Files
Vista Volume Shadow Copy Service
Prefetch Files
Vista SuperFetch
Shortcut Files
File Metadata
Word Documents
PDF Documents
Image Files
File Signature Analysis
NTFS Alternate Data Streams
Creating ADSes
Enumerating ADSes
Using ADSes
Removing ADSes
ADS Summary
Alternative Methods of Analysis
Mounting an Image
Discovering Malware
Timeline Analysis
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 6 Executable File Analysis
Introduction
Static Analysis
Locating Files to Analyze
Documenting the File
Analysis
The PE Header
IMPORT Tables
EXPORT Table
Resources
Obfuscation
Binders
Packers
Cryptors
Dynamic Analysis
Testing Environment
Virtualization
Throwaway Systems
Tools
Process
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 7 Rootkits and Rootkit Detection
Introduction
Rootkits
Rootkit Detection
Live Detection
RootkitRevealer
GMER
Helios
MS Strider GhostBuster
ProDiscover
F-Secure BlackLight
Sophos Anti-Rootkit
AntiRootkit.com
Postmortem Detection
Prevention
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 8 Tying It All Together
Introduction
Case Studies
Case Study 1: The Document Trail
Case Study 2: Intrusion
Case Study 3: DFRWS 2008 Forensic Rodeo
Case Study 4: Copying Files
Case Study 5: Network Information
Case Study 6: SQL Injection
Case Study 7: The App Did It
Getting Started
Documentation
Goals
Checklists
Now What?
Extending Timeline Analysis
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 9 Performing Analysis on a Budget
Introduction
Documenting Your Analysis
Tools
Acquiring Images
dd
FTK Imager
Image Analysis
The SleuthKit
PyFlag
ProDiscover Basic
Mounting an Image File
File Analysis
Hashing Utilities
Hex Editors
Network Tools
Scanning
Packet Capture and Analysis
Search Utilities
Summary
Solutions Fast Track
Frequently Asked Questions
Index
With TOC bookmark links.