Windows Forensic Analysis Toolkit
by Carvey, Harlan A.Edition: 3rd
Format: Paperback
Pub. Date: 2012-01-27
Publisher(s): Syngress Media Inc
Other versions by this Author
-
This Item Qualifies for Free Shipping!*
*Excludes marketplace orders.
List Price: $73.45
Rent Textbook
Select for Price
Rent Digital
$83.94
New Textbook
We're Sorry
Sold Out
Used Textbook
We're Sorry
Sold Out
How Marketplace Works:
- This item is offered by an independent seller and not shipped from our warehouse
- Item details like edition and cover design may differ from our description; see seller's comments before ordering.
- Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
- Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
- Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.
Summary
Author Harlan Carvey has brought his best-selling book up-to-date to give you: the responder, examiner, or analyst the must-have tool kit for your job. Windows is the largest operating system on desktops and servers worldwide, which mean more intrusions, malware infections, and cybercrime happen on these systems. Windows Forensic Analysis DVD Toolkit, 2E covers both live and post-mortem response collection and analysis methodologies, addressing material that is applicable to law enforcement, the federal government, students, and consultants. The book is also accessible to system administrators, who are often the frontline when an incident occurs, but due to staffing and budget constraints do not have the necessary knowledge to respond effectively. The book's companion DVD contains significant new and updated materials (movies, spreadsheet, code, etc.) not available any place else, because they are created and maintained by the author. Best-Selling Windows Digital Forensic book completely updated in this 2nd Edition Learn how to Analyze Data During Live and Post-Mortem Investigations DVD Includes Custom Tools, Updated Code, Movies, and Spreadsheets! A brand-new chapter, "Forensic Analysis on a Budget," collects freely available tools that are essential for small labs, state (or below) law enforcement, and educational organizations New pedagogical elements, Lessons from the Field, Case Studies, and War Stories, present real-life experiences from the trenches by an expert in the trenches, making the material real and showing the why behind the how The companion DVD contains new, significant, and unique materials (movies, spreadsheet, code, etc.) not available anyplace else because they were created by the author
Author Biography
Harlan Carvey (CISSP) is Vice President of Advanced Security Projects with Terremark Worldwide, Inc., which is headquartered in Miami, FL. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan resides in Northern Virginia with his family.
Table of Contents
| Preface | p. xi |
| Acknowledgments | p. xvii |
| About the Author | p. xix |
| About the Technical Editor | p. xxi |
| Analysis Concepts | p. 1 |
| Introduction | p. 1 |
| Analysis Concepts | p. 3 |
| Windows Versions | p. 4 |
| Analysis Principles | p. 6 |
| Documentation | p. 15 |
| Convergence | p. 16 |
| Virtualization | p. 17 |
| Setting Up an Analysis System | p. 19 |
| Summary | p. 22 |
| Immediate Response | p. 23 |
| Introduction | p. 23 |
| Being Prepared to Respond | p. 24 |
| Questions | p. 25 |
| The Importance of Preparation | p. 28 |
| Logs | p. 31 |
| Data Collection | p. 36 |
| Training | p. 39 |
| Summary | p. 40 |
| Volume Shadow Copies | p. 43 |
| Introduction | p. 43 |
| What Are "Volume Shadow Copies"? | p. 44 |
| Registry Keys | p. 45 |
| Live Systems | p. 46 |
| ProDiscover | p. 49 |
| F-Response | p. 50 |
| Acquired Images | p. 52 |
| VHD Method | p. 54 |
| VMWare Method | p. 58 |
| Automating VSC Access | p. 62 |
| ProDiscover | p. 64 |
| Summary | p. 67 |
| Reference | p. 67 |
| File Analysis | p. 69 |
| Introduction | p. 70 |
| MFT | p. 70 |
| File System Tunneling | p. 76 |
| Event Logs | p. 78 |
| Windows Event Log | p. 82 |
| Recycle Bin | p. 85 |
| Prefetch Files | p. 88 |
| Scheduled Tasks | p. 92 |
| Jump Lists | p. 95 |
| Hibernation Files | p. 101 |
| Application Files | p. 102 |
| Antivirus Logs | p. 103 |
| Skype | p. 104 |
| Apple Products | p. 105 |
| Image Files | p. 106 |
| Summary | p. 108 |
| References | p. 109 |
| Registry Analysis | p. 111 |
| Introduction | p. 112 |
| Registry Analysis | p. 112 |
| Registry Nomenclature | p. 113 |
| The Registry as a Log File | p. 114 |
| USB Device Analysis | p. 115 |
| System Hive | p. 128 |
| Software Hive | p. 131 |
| User Hives | p. 139 |
| Additional Sources | p. 148 |
| Tools | p. 150 |
| Summary | p. 153 |
| References | p. 153 |
| MaIware Detection | p. 155 |
| Introduction | p. 156 |
| Malware Characteristics | p. 156 |
| Initial Infection Vector | p. 158 |
| Propagation Mechanism | p. 160 |
| Persistence Mechanism | p. 162 |
| Artifacts | p. 165 |
| Detecting Malware | p. 168 |
| Log Analysis | p. 169 |
| Antivirus Scans | p. 173 |
| Digging Deeper | p. 177 |
| Seeded Sites | p. 191 |
| Summary | p. 193 |
| References | p. 193 |
| Timeline Analysis | p. 195 |
| Introduction | p. 196 |
| Timelines | p. 196 |
| Data Sources | p. 198 |
| Time Formats | p. 199 |
| Concepts | p. 200 |
| Benefits | p. 202 |
| Format | p. 204 |
| Creating Timelines | p. 210 |
| File System Metadata | p. 211 |
| Event Logs | p. 217 |
| Prefetch Files | p. 221 |
| Registry Data | p. 222 |
| Additional Sources | p. 224 |
| Parsing Events into a Timeline | p. 225 |
| Thoughts on Visualization | p. 228 |
| Case Study | p. 229 |
| Summary | p. 232 |
| Application Analysis | p. 233 |
| Introduction | p. 233 |
| Log Files | p. 235 |
| Dynamic Analysis | p. 236 |
| Network Captures | p. 241 |
| Application Memory Analysis | p. 243 |
| Summary | p. 244 |
| References | p. 244 |
| Index | p. 245 |
| Table of Contents provided by Ingram. All Rights Reserved. |
An electronic version of this book is available through VitalSource.
This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.
By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.
Digital License
You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.
More details can be found here.
A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.
Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.
Please view the compatibility matrix prior to purchase.