Windows Forensics: The Field Guide for Conducting Corporate Computer Investigations
An arcane pursuit a decade ago, forensic science today is a household term. And while the computer forensic analyst may not lead as exciting a life as TV's CSIs do, he or she relies just as heavily on scientific principles and just as surely solves crime.
Whether you are contemplating a career in this growing field or are already an analyst in a Unix/Linux environment, this book prepares you to combat computer crime in the Windows world. Here are the tools to help you recover sabotaged files, track down the source of threatening e-mails, investigate industrial espionage, and expose computer criminals.
* Identify evidence of fraud, electronic theft, and employee Internet abuse
* Investigate crime related to instant messaging, Lotus Notes®, and increasingly popular browsers such as Firefox®
* Learn what it takes to become a computer forensics analyst
* Take advantage of sample forms and layouts as well as case studies
* Protect the integrity of evidence
* Compile a forensic response toolkit
* Assess and analyze damage from computer crime and process the crime scene
* Develop a structure for effectively conducting investigations
* Discover how to locate evidence in the Windows Registry
Chapter 1 Windows Forensics 1
The Corporate Computer Forensic Analyst 2
Windows Forensics 3
People, Processes, and Tools 6
Computer Forensics: Today and Tomorrow 8
Additional Resources 9
Chapter 2 Processing the Digital Crime Scene 11
Identify the Scene 12
Perform Remote Research 15
Secure the Crime Scene 17
Document the Scene 18
Process the Scene for Physical Evidence 19
Process the Scene for Electronic Evidence 22
Chain of Custody 25
Best Evidence 26
Working with Law Enforcement 28
Additional Resources 29
Chapter 3 Windows Forensic Basics 31
History and Versions 32
MS-DOS 32
Windows 1.x, 2.x, and 3.x 32
Windows NT and 2000 33
Windows 95, 98, and ME 34
Windows XP and 2003 35
Non-Volatile Storage 38
Floppy Disks 38
Tapes 43
CDs and DVDs 46
USB Flash Drives 48
Hard Disks 51
Additional Resources 58
Chapter 4 Partitions and File Systems 59
Master Boot Record 59
Windows File Systems 65
FAT 66
VFAT 73
NTFS 75
Compression 85
Encryption 88
Additional Resources 96
Chapter 5 Directory Structure and Special Files 97
Windows NT/2000/XP 97
Directories 98
Files 107
Windows 9x 112
Directories 112
Files 113
Additional Resources 114
Chapter 6 The Registry 115
History 115
Registry Basics 116
Registry Analysis 121
General 122
Folder Locations 125
Startup Items 128
Intelliforms 132
Advanced Registry Analysis 133
Additional Resources 136
Chapter 7 Forensic Analysis 137
Chapter 8 Live System Analysis 139
Covert Analysis 144
System State Analysis 144
System Tools 146
Storage 147
Services and Applications 148
Remote Enumeration 150
Monitoring 154
Keystroke Recording 155
Network Monitoring 157
Overt Analysis 166
GUI-based Overt Analysis 166
Local Command Line Analysis 169
Remote Command Line Analysis 170
Basic Information Gathering 173
System State Information 177
Running Program Information 182
Main Memory Analysis 186
Additional Resources 189
Chapter 9 Forensic Duplication 193
Hard Disk Duplication 194
In-Situ Duplication 197
Direct Duplication 203
Magnetic Tape 204
Hard Disks 205
Optical Disks 205
Multi-tiered Storage 206
Log File Duplication 208
Additional Resources 210
Chapter 10 File System Analysis 211
Searching 211
Index-based Searching 212
Bitwise Searching 217
Search Methodology 219
Hash Analysis 220
Positive Hash Analysis 223
Negative Hash Analysis 224
File Recovery 225
Special Files 236
Print Spool Files 236
Windows Shortcuts 239
Paging File 241
Additional Resources 244
Chapter 11 Log File Analysis 247
Event Logs 247
Application Log 250
System Log 252
Security Log 253
Successful Log-on/Log-off Events 254
Failed Log-on Event 255
Change of Policy 256
Successful or Failed Object Access 256
Account Change 256
Log Clearing 257
Internet Logs 257
HTTP Logs 260
FTP Logs 266
SMTP Logs 268
Additional Resources 270
Chapter 12 Internet Usage Analysis 271
Web Activity 272
Internet Explorer 272
Favorites 274
History 277
Cache 281
Cookies 283
Firefox 285
Favorites 285
History 288
Cache 289
Cookies 291
Passwords 292
Downloads 293
Toolbar History 293
Network, Proxy, and DNS History 294
Peer-to-Peer Networking 294
Gnutella Clients 296
Bearshare 297
Downloading 297
Sharing 298
Other Information 298
Limewire 299
Downloading 300
Sharing 300
FastTrack Clients 301
Overnet, eMule, and eDonkey2000 Clients 302
Downloading 304
Sharing 305
Instant Messaging 305
AOL Instant Messenger 306
Microsoft Messenger 307
Additional Resources 309
Chapter 13 Email Investigations 311
Outlook/Outlook Express 314
Outlook Express 314
Acquisition 315
Analysis 317
Outlook 321
Acquisition 321
Access Control 322
Analysis 322
Lotus Notes 326
Acquisition 329
Access Control and Logging 330
Analysis 331
Address Book 333
Additional Resources 338
Appendix A Sample Chain of Custody Form 339
Appendix B Master Boot Record Layout 341
Appendix C Partition Types 343
Appendix D FAT32 Boot Sector Layout 349
Appendix E NTFS Boot Sector Layout 353
Appendix F NTFS Metafiles 355
Appendix G Well-Known SIDs 357
Index 363