- ISBN: 9780470097625 | 0470097620
- Cover: Paperback
- Copyright: 4/2/2007
This comprehensive guide provides you with the training you need to arm yourself against phishing, bank fraud, unlawful hacking, and other computer crimes. Two seasoned law enforcement professionals discuss everything from recognizing high-tech criminal activity and collecting evidence to presenting it in a way that judges and juries can understand. They cover the range of skwills, standards, and step-by-step procedures you'll need to conduct a criminal investigation in a Windows environment and make your evidence stand up in court.
Steve Anson , CISSP, MCSE, is a special agent with the Pentagon’s Defense Criminal Investigative Service. He has a master’s degree in computer science as well as numerous industry certifications. As a former contract instructor for the FBI, he has taught hundreds of veteran federal agents, state and local police officers, and intelligence agency employees techniques for conducting computerintrusion investigations. He also founded and supervised a local police department computer crime and information services unit and served as a task force agent for the FBI. He has conducted investigations involving large-scale computer intrusions, counterterrorism, crimes against children, and many other offenses involving the substantive use of computers.
Steve Bunting is a captain with the University of Delaware Police Department, where he is responsible for computer forensics, video forensics, and investigations involving computers. He has more than thirty years experience in law enforcement, and his background in computer forensics is extensive. He is a Certified Computer Forensics Technician (CCFT) and an EnCase Certified Examiner (EnCE). He was the recipient of the 2002 Guidance Software Certified Examiner Award of Excellence. He has a bachelor’s degree in applied professions/business management from Wilmington College and a computer applications certificate in network environments from the University of Delaware. He has conducted computer forensic examinations for numerous local, state, and federal agencies on a variety of cases, including extortion, homicide, embezzlement, child exploitation, intellectual property theft, and unlawful intrusions into computer systems. He has testified in court on numerous occasions as a computer forensics expert. He has taught computer forensics for Guidance Software, makers of EnCase, and taught as a lead instructor at all course levels. He has been a presenter at several seminars and workshops, is the author of numerous white papers, and is the primary author of the book EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide , which was published by Sybex in early 2006. You can reach him at sbunting@udel.edu.
| Introduction | p. xix |
| Network Investigation Overview | p. 3 |
| Performing the Initial Vetting | p. 3 |
| Meeting with the Victim Organization | p. 5 |
| Understanding the Victim Network Information | p. 6 |
| Understanding the Incident Information | p. 7 |
| Identifying and Preserving Evidence | p. 8 |
| Establishing Expectations and Responsibilities | p. 10 |
| Collecting the Evidence | p. 11 |
| Analyzing the Evidence | p. 13 |
| Analyzing the Suspect's Computers | p. 15 |
| Recognizing the Investigative Challenges of Microsoft Networks | p. 18 |
| The Bottom Line | p. 19 |
| The Microsoft Network Structure | p. 21 |
| Connecting Computers | p. 21 |
| Windows Domains | p. 23 |
| Interconnecting Domains | p. 25 |
| Organizational Units | p. 29 |
| Users and Groups | p. 31 |
| Types of Accounts | p. 31 |
| Groups | p. 34 |
| Permissions | p. 37 |
| File Permissions | p. 39 |
| Share Permissions | p. 42 |
| Reconciling Share and File Permissions | p. 43 |
| Example Hack | p. 45 |
| The Bottom Line | p. 52 |
| Beyond the Windows GUI | p. 55 |
| Understanding Programs, Processes, and Threads | p. 56 |
| Redirecting Process Flow | p. 59 |
| DLL Injection | p. 62 |
| Hooking | p. 66 |
| Maintaining Order Using Privilege Modes | p. 70 |
| Using Rootkits | p. 72 |
| The Bottom Line | p. 75 |
| Windows Password Issues | p. 77 |
| Understanding Windows Password Storage | p. 77 |
| Cracking Windows Passwords Stored on Running Systems | p. 79 |
| Exploring Windows Authentication Mechanisms | p. 87 |
| LanMan Authentication | p. 88 |
| NTLM and Kerberos Authentication | p. 91 |
| Sniffing and Cracking Windows Authentication Exchanges | p. 94 |
| Cracking Offline Passwords | p. 102 |
| The Bottom Line | p. 106 |
| Windows Ports and Services | p. 107 |
| Understanding Ports | p. 107 |
| Using Ports as Evidence | p. 111 |
| Understanding Windows Services | p. 117 |
| The Bottom Line | p. 124 |
| Live-Analysis Techniques | p. 129 |
| Finding Evidence in Memory | p. 129 |
| Creating Windows Live-Analysis CDs | p. 131 |
| Selecting Tools for Your Live-Response CD | p. 133 |
| Verifying Your CD | p. 139 |
| Using Your CD | p. 142 |
| Monitoring Communication with the Victim Box | p. 146 |
| Scanning the Victim System | p. 149 |
| Using Stand-alone Tools for Live-analysis | p. 150 |
| Using Commercial Products | p. 150 |
| Using EnCase FIM | p. 150 |
| Using Free Products | p. 157 |
| The Bottom Line | p. 158 |
| Windows File Systems | p. 161 |
| File Systems vs. Operating Systems | p. 161 |
| Understanding FAT File Systems | p. 164 |
| Understanding NTFS File Systems | p. 177 |
| Using NTFS Data Structures | p. 178 |
| Creating, Deleting, and Recovering Data in NTFS | p. 184 |
| Dealing with Alternate Data Streams | p. 187 |
| The Bottom Line | p. 191 |
| The Registry Structure | p. 193 |
| Understanding Registry Concepts | p. 193 |
| Registry History | p. 195 |
| Registry Organization and Terminology | p. 195 |
| Performing Registry Research | p. 201 |
| Viewing the Registry with Forensic Tools | p. 203 |
| Using EnCase to View the Registry | p. 204 |
| Using AccessData's Registry Viewer | p. 207 |
| The Bottom Line | p. 212 |
| Registry Evidence | p. 215 |
| Finding Information in the Software Key | p. 216 |
| Installed Software | p. 216 |
| Last Logon | p. 218 |
| Banners | p. 219 |
| Exploring Windows Security Center and Firewall Settings | p. 220 |
| Analyzing Restore Point Registry Settings | p. 225 |
| Exploring Security Identifiers | p. 231 |
| Investigating User Activity | p. 234 |
| Extracting LSA Secrets | p. 245 |
| Discovering IP Addresses | p. 246 |
| Compensating for Time Zone Offsets | p. 251 |
| Determining the Startup Locations | p. 253 |
| The Bottom Line | p. 260 |
| Tool Analysis | p. 263 |
| Understanding the Purpose of Tool Analysis | p. 263 |
| Exploring Tools and Techniques | p. 267 |
| Strings | p. 268 |
| Dependency Walker | p. 271 |
| Monitoring the Code | p. 273 |
| Monitoring the Tool's Network Traffic | p. 282 |
| External Port Scans | p. 284 |
| The Bottom Line | p. 286 |
| Text-Based Logs | p. 289 |
| Parsing IIS Logs | p. 289 |
| Parsing FTP Logs | p. 300 |
| Parsing DHCP Server Logs | p. 306 |
| Parsing Windows Firewall Logs | p. 310 |
| Using the Microsoft Log Parser | p. 313 |
| The Bottom Line | p. 324 |
| Windows Event Logs | p. 327 |
| Understanding the Event Logs | p. 327 |
| Exploring Auditing Settings | p. 329 |
| Using Event Viewer | p. 334 |
| Searching with Event Viewer | p. 347 |
| The Bottom Line | p. 351 |
| Logon and Account Logon Events | p. 353 |
| Exploring Windows NT Logon Events | p. 353 |
| Analyzing Windows 2000 Event Logs | p. 361 |
| Comparing Logon and Account Logon Events | p. 361 |
| Examining Windows 2000 Logon Events | p. 364 |
| Examining Windows 2000 Account Logon Events | p. 366 |
| Contrasting Windows 2000 and XP Logging | p. 386 |
| Examining Windows Server 2003 Account Logon and Logon Events | p. 393 |
| The Bottom Line | p. 397 |
| Other Audit Events | p. 399 |
| Evaluating Account Management Events | p. 399 |
| Interpreting File and Other Object Access Events | p. 409 |
| Examining Audit Policy Change Events | p. 416 |
| Examining System Log Entries | p. 417 |
| Examining Application Log Entries | p. 422 |
| The Bottom Line | p. 423 |
| Forensic Analysis of Event Logs | p. 425 |
| Using EnCase to Examine Windows Event Log Files | p. 425 |
| Windows Event Log Files Internals | p. 433 |
| Repairing Corrupted Event Log Databases | p. 444 |
| Finding and Recovering Event Logs from Free Space | p. 446 |
| The Bottom Line | p. 453 |
| Presenting the Results | p. 455 |
| Creating a Narrative Report with Hyperlinks | p. 455 |
| The Electronic Report Files | p. 462 |
| Timelines | p. 463 |
| Testifying About Technical Matters | p. 466 |
| The Bottom Line | p. 467 |
| The Bottom Line | p. 469 |
| Network Investigation Overview | p. 469 |
| The Microsoft Network Structure | p. 471 |
| Beyond the Windows GUI | p. 472 |
| Windows Password Issues | p. 474 |
| Windows Ports and Services | p. 475 |
| Live Analysis Techniques | p. 477 |
| Windows File Systems | p. 478 |
| The Registry Structure | p. 480 |
| Registry Evidence | p. 482 |
| Tool Analysis | p. 486 |
| Text-Based Logs | p. 488 |
| Windows Event Logs | p. 492 |
| Logon and Account Logon Events | p. 493 |
| Other Audit Events | p. 495 |
| Forensic Analysis of Event Logs | p. 496 |
| Presenting The Results | p. 498 |
| Index | p. 501 |
| Table of Contents provided by Ingram. All Rights Reserved. |
What is included with this book?
The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.
The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.
Please wait while the item is added to your bag...
×
Digital License
You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.
More details can be found here.