Subtitle: none

Author:

Classification number:

ISBN: 9781597494229


Description

"If your job requires investigating compromised Windows hosts, you must read Windows Forensic Analysis." - Richard Bejtlich, Coauthor of Real Digital Forensics and Amazon.com Top 500 Book Reviewer

"The Registry Analysis chapter alone is worth the price of the book." - Troy Larson, Senior Forensic Investigator of Microsoft's IT Security Group

"I also found that the entire book could have been written on just registry forensics. However, in order to create broad appeal, the registry section was probably shortened. You can tell Harlan has a lot more to tell." - Rob Lee, Instructor and Fellow at the SANS Technology Institute, coauthor of Know Your Enemy: Learning About Security Threats, 2E

Author Harlan Carvey has brought his best-selling book up to date to give you, the responder, examiner, or analyst, the must-have tool kit for your job. Windows is the most widely deployed operating system on desktops and servers worldwide, which means that more intrusions, malware infections, and cybercrime happen on these systems. Windows Forensic Analysis DVD Toolkit, 2E covers both live and post-mortem response collection and analysis methodologies, addressing material that is applicable to law enforcement, the federal government, students, and consultants. The book is also accessible to system administrators, who are often the front line when an incident occurs but, due to staffing and budget constraints, do not have the knowledge needed to respond effectively. The book's companion DVD contains significant new and updated materials (movies, spreadsheets, code, etc.) not available anywhere else, because they are created and maintained by the author.

Contents

Front Cover 2
Windows Forensic Analysis DVD Toolkit 2E 2
Copyright Page 3
Dedication Page 4
Technical Editor 5
Author 5
Technical Reviewers 6
Contents 8
Preface 16
Intended Audience 17
Organization of this Book 19
Live Response: Data Collection 19
Live Response: Data Analysis 20
Windows Memory Analysis 20
Registry Analysis 20
File Analysis 21
Executable File Analysis 21
Rootkits and Rootkit Detection 21
Tying It All Together 22
Performing Analysis on a Budget 22
DVD Contents 22
Author's Acknowledgments 24
Chapter 1: Live Response: Collecting Volatile Data 26
Introduction 27
Live Response 28
Locard's Exchange Principle 29
Order of Volatility 32
When to Perform Live Response 33
What Data to Collect 37
System Time 39
Logged-on Users 41
PsLoggedOn 42
Net Sessions 42
LogonSessions 43
Open Files 44
Network Information (Cached NetBIOS Name Table) 44
Network Connections 46
Netstat 46
Process Information 48
Tlist 50
Tasklist 51
PsList 51
ListDLLs 51
Handle 52
Process-to-Port Mapping 55
Netstat 55
Fport 56
Tcpvcon 56
Process Memory 58
Network Status 59
Ipconfig 59
PromiscDetect and Promqry 60
Clipboard Contents 62
Service/Driver Information 63
Command History 65
Mapped Drives 66
Shares 66
Nonvolatile Information 67
Registry Settings 68
ClearPageFileAtShutdown 68
DisableLastAccess 68
Autoruns 69
Event Logs 72
Devices and Other Information 73
A Word about Picking Your Tools 73
Live-Response Methodologies 76
Local Response Methodology 76
Remote Response Methodology 78
The Hybrid Approach (a.k.a. Using the FSP) 80
Summary 85
Solutions Fast Track 85
Live Response 85
What Data to Collect 86
Nonvolatile Information 86
Live-Response Methodologies 86
Frequently Asked Questions 87
Chapter 2: Live Response: Data Analysis 88
Introduction 89
Data Analysis 89
Example 1 92
Example 2 96
Example 3 101
Agile Analysis 102
Expanding the Scope 106
Reaction 107
Prevention 109
Summary 111
Solutions Fast Track 111
Data Analysis 111
Frequently Asked Questions 112
Chapter 3: Windows Memory Analysis 114
Introduction 115
A Brief History 115
Collecting Process Memory 117
Dumping Physical Memory 120
DD 120
Nigilant32 121
ProDiscover 121
KnTDD 122
MDD 124
Win32dd 125
Memoryze 126
Winen 127
Fastdump 127
F-Response 129
Section Summary 136
Alternative Approaches for Dumping Physical Memory 138
Hardware Devices 138
FireWire 138
Crash Dumps 139
Virtualization 142
Hibernation File 144
Analyzing a Physical Memory Dump 145
Determining the Operating System of a Dump File 146
Process Basics 148
EProcess Structure 148
Process Creation Mechanism 150
Parsing Memory Dump Contents 151
Lsproc.pl 153
Lspd.pl 155
Volatility Framework 158
Memoryze 163
HBGary Responder 165
Parsing Process Memory 169
Extracting the Process Image 171
Memory Dump Analysis and the Page File 176
Pool Allocations 177
Summary 178
Solutions Fast Track 178
Collecting Process Memory 178
Dumping Physical Memory 178
Analyzing a Physical Memory Dump 179
Frequently Asked Questions 180
Chapter 4: Registry Analysis 182
Introduction 183
Inside the Registry 183
Registry Structure within a Hive File 187
The Registry As a Log File 193
Monitoring Changes to the Registry 195
Registry Analysis 197
RegRipper 198
Rip 201
RipXP 205
System Information 206
ComputerName 207
TimeZoneInformation 209
Network Interfaces 209
MAC Address 211
Shares 212
Audit Policy and Event Logs 213
Wireless SSIDs 217
Autostart Locations 218
System Boot 221
User Login 223
User Activity 223
Enumerating Autostart Registry Locations 227
AutoRun Functionality 229
NtfsDisableLastAccessUpdate 230
NukeOnDelete 231
USB Removable Storage Devices 231
USB Device Issues 236
Mounted Devices 238
Portable Devices 243
Finding Users 244
Tracking User Activity 248
The UserAssist Keys 248
MUICache 253
MRU Lists 254
Search Assistant 260
Connecting to Other Systems 261
CD Burning 262
IM and P2P 263
Windows XP System Restore Points 264
Redirection 271
Virtualization 272
Deleted Registry Keys 272
Summary 275
DVD Contents 275
Solutions Fast Track 276
Inside the Registry 276
Registry Analysis 276
Frequently Asked Questions 277
Chapter 5: File Analysis 278
Introduction 279
Log Files 279
Event Logs 279
Understanding Events 280
Event Log File Format 285
Event Log Header 286
Event Record Structure 287
Vista Event Logs 294
IIS Logs 296
Log Parser 302
Web Browser History 303
Other Log Files 304
Setuplog.txt 304
Setupact.log 306
Setupapi.log 306
Netsetup.log 307
Task Scheduler Log 307
XP Firewall Logs 309
Mrt.log 312
Dr. Watson Logs 313
Cbs.log 314
Crash Dump Files 315
Recycle Bin 315
Vista Recycle Bin 318
XP System Restore Points 318
Rp.log Files 318
Change.log.x Files 319
Vista Volume Shadow Copy Service 320
Prefetch Files 321
Vista SuperFetch 323
Shortcut Files 324
File Metadata 324
Word Documents 326
PDF Documents 332
Image Files 335
File Signature Analysis 336
NTFS Alternate Data Streams 337
Creating ADSes 338
Enumerating ADSes 339
Using ADSes 342
Removing ADSes 344
ADS Summary 345
Alternative Methods of Analysis 345
Mounting an Image 348
Discovering Malware 351
Timeline Analysis 355
Summary 358
Solutions Fast Track 358
Log Files 358
File Metadata 358
Alternative Methods of Analysis 359
Frequently Asked Questions 360
Chapter 6: Executable File Analysis 362
Introduction 363
Static Analysis 364
Locating Files to Analyze 364
Documenting the File 366
Analysis 369
The PE Header 371
IMPORT Tables 378
EXPORT Table 381
Resources 382
Obfuscation 383
Binders 384
Packers 384
Cryptors 386
Dynamic Analysis 391
Testing Environment 392
Virtualization 392
Throwaway Systems 394
Tools 395
Process 400
Summary 405
Solutions Fast Track 405
Static Analysis 405
Dynamic Analysis 406
Chapter 7: Rootkits and Rootkit Detection 410
Introduction 411
Rootkits 411
Rootkit Detection 417
Live Detection 417
RootkitRevealer 419
GMER 420
Helios 421
MS Strider GhostBuster 423
ProDiscover 423
F-Secure BlackLight 424
Sophos Anti-Rootkit 426
AntiRootkit.com 427
Postmortem Detection 427
Prevention 430
Summary 431
Solutions Fast Track 431
Rootkits 431
Rootkit Detection 431
Frequently Asked Questions 432
Chapter 8: Tying It All Together 434
Introduction 435
Case Studies 435
Case Study 1: The Document Trail 435
Case Study 2: Intrusion 437
Case Study 3: DFRWS 2008 Forensic Rodeo 440
Case Study 4: Copying Files 440
Case Study 5: Network Information 442
Case Study 6: SQL Injection 443
Case Study 7: The App Did It 446
Getting Started 448
Documentation 450
Goals 453
Checklists 453
Now What? 456
Extending Timeline Analysis 457
Summary 459
Solutions Fast Track 459
Case Studies 459
Getting Started 459
Extending Timeline Analysis 459
Frequently Asked Questions 460
Chapter 9: Performing Analysis on a Budget 462
Introduction 463
Documenting Your Analysis 464
Tools 468
Acquiring Images 468
dd 468
FTK Imager 471
Image Analysis 472
The SleuthKit 472
PyFlag 476
ProDiscover Basic 477
Mounting an Image File 477
File Analysis 480
Hashing Utilities 480
Hex Editors 480
Network Tools 481
Scanning 481
Packet Capture and Analysis 483
Search Utilities 488
Summary 491
Solutions Fast Track 491
Documenting Your Analysis 491
Tools 491
Frequently Asked Questions 492
Index 494
