Mastering Windows Network Forensics and Investigation,9780470097625

Mastering Windows Network Forensics and Investigation

by ;
ISBN13: 9780470097625
ISBN10: 0470097620
Format: Paperback
Pub. Date: 2007-04-02
Publisher(s): Sybex
List Price: $64.82

Buy New

Usually Ships in 8 - 10 Business Days.
$61.73
Add to Cart

Rent Book

Select for Price
Add to Cart
There was a problem. Please try again later.

Used Book

We're Sorry
Sold Out

eBook

We're Sorry
Not Available

Buy from our Marketplace starting at $4.92

How Marketplace Works:

  • This item is offered by an independent seller and not shipped from our warehouse
  • Item details like edition and cover design may differ from our description; see seller's comments before ordering.
  • Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
  • Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
  • Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.

Summary

This comprehensive guide provides you with the training you need to arm yourself against phishing, bank fraud, unlawful hacking, and other computer crimes. Two seasoned law enforcement professionals discuss everything from recognizing high-tech criminal activity and collecting evidence to presenting it in a way that judges and juries can understand. They cover the range of skwills, standards, and step-by-step procedures you'll need to conduct a criminal investigation in a Windows environment and make your evidence stand up in court.

Author Biography

Steve Anson , CISSP, MCSE, is a special agent with the Pentagon’s Defense Criminal Investigative Service. He has a master’s degree in computer science as well as numerous industry certifications. As a former contract instructor for the FBI, he has taught hundreds of veteran federal agents, state and local police officers, and intelligence agency employees techniques for conducting computerintrusion investigations. He also founded and supervised a local police department computer crime and information services unit and served as a task force agent for the FBI. He has conducted investigations involving large-scale computer intrusions, counterterrorism, crimes against children, and many other offenses involving the substantive use of computers.

Steve Bunting is a captain with the University of Delaware Police Department, where he is responsible for computer forensics, video forensics, and investigations involving computers. He has more than thirty years experience in law enforcement, and his background in computer forensics is extensive. He is a Certified Computer Forensics Technician (CCFT) and an EnCase Certified Examiner (EnCE). He was the recipient of the 2002 Guidance Software Certified Examiner Award of Excellence. He has a bachelor’s degree in applied professions/business management from Wilmington College and a computer applications certificate in network environments from the University of Delaware. He has conducted computer forensic examinations for numerous local, state, and federal agencies on a variety of cases, including extortion, homicide, embezzlement, child exploitation, intellectual property theft, and unlawful intrusions into computer systems. He has testified in court on numerous occasions as a computer forensics expert. He has taught computer forensics for Guidance Software, makers of EnCase, and taught as a lead instructor at all course levels. He has been a presenter at several seminars and workshops, is the author of numerous white papers, and is the primary author of the book EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide , which was published by Sybex in early 2006. You can reach him at sbunting@udel.edu.

Table of Contents

Introductionp. xix
Network Investigation Overviewp. 3
Performing the Initial Vettingp. 3
Meeting with the Victim Organizationp. 5
Understanding the Victim Network Informationp. 6
Understanding the Incident Informationp. 7
Identifying and Preserving Evidencep. 8
Establishing Expectations and Responsibilitiesp. 10
Collecting the Evidencep. 11
Analyzing the Evidencep. 13
Analyzing the Suspect's Computersp. 15
Recognizing the Investigative Challenges of Microsoft Networksp. 18
The Bottom Linep. 19
The Microsoft Network Structurep. 21
Connecting Computersp. 21
Windows Domainsp. 23
Interconnecting Domainsp. 25
Organizational Unitsp. 29
Users and Groupsp. 31
Types of Accountsp. 31
Groupsp. 34
Permissionsp. 37
File Permissionsp. 39
Share Permissionsp. 42
Reconciling Share and File Permissionsp. 43
Example Hackp. 45
The Bottom Linep. 52
Beyond the Windows GUIp. 55
Understanding Programs, Processes, and Threadsp. 56
Redirecting Process Flowp. 59
DLL Injectionp. 62
Hookingp. 66
Maintaining Order Using Privilege Modesp. 70
Using Rootkitsp. 72
The Bottom Linep. 75
Windows Password Issuesp. 77
Understanding Windows Password Storagep. 77
Cracking Windows Passwords Stored on Running Systemsp. 79
Exploring Windows Authentication Mechanismsp. 87
LanMan Authenticationp. 88
NTLM and Kerberos Authenticationp. 91
Sniffing and Cracking Windows Authentication Exchangesp. 94
Cracking Offline Passwordsp. 102
The Bottom Linep. 106
Windows Ports and Servicesp. 107
Understanding Portsp. 107
Using Ports as Evidencep. 111
Understanding Windows Servicesp. 117
The Bottom Linep. 124
Live-Analysis Techniquesp. 129
Finding Evidence in Memoryp. 129
Creating Windows Live-Analysis CDsp. 131
Selecting Tools for Your Live-Response CDp. 133
Verifying Your CDp. 139
Using Your CDp. 142
Monitoring Communication with the Victim Boxp. 146
Scanning the Victim Systemp. 149
Using Stand-alone Tools for Live-analysisp. 150
Using Commercial Productsp. 150
Using EnCase FIMp. 150
Using Free Productsp. 157
The Bottom Linep. 158
Windows File Systemsp. 161
File Systems vs. Operating Systemsp. 161
Understanding FAT File Systemsp. 164
Understanding NTFS File Systemsp. 177
Using NTFS Data Structuresp. 178
Creating, Deleting, and Recovering Data in NTFSp. 184
Dealing with Alternate Data Streamsp. 187
The Bottom Linep. 191
The Registry Structurep. 193
Understanding Registry Conceptsp. 193
Registry Historyp. 195
Registry Organization and Terminologyp. 195
Performing Registry Researchp. 201
Viewing the Registry with Forensic Toolsp. 203
Using EnCase to View the Registryp. 204
Using AccessData's Registry Viewerp. 207
The Bottom Linep. 212
Registry Evidencep. 215
Finding Information in the Software Keyp. 216
Installed Softwarep. 216
Last Logonp. 218
Bannersp. 219
Exploring Windows Security Center and Firewall Settingsp. 220
Analyzing Restore Point Registry Settingsp. 225
Exploring Security Identifiersp. 231
Investigating User Activityp. 234
Extracting LSA Secretsp. 245
Discovering IP Addressesp. 246
Compensating for Time Zone Offsetsp. 251
Determining the Startup Locationsp. 253
The Bottom Linep. 260
Tool Analysisp. 263
Understanding the Purpose of Tool Analysisp. 263
Exploring Tools and Techniquesp. 267
Stringsp. 268
Dependency Walkerp. 271
Monitoring the Codep. 273
Monitoring the Tool's Network Trafficp. 282
External Port Scansp. 284
The Bottom Linep. 286
Text-Based Logsp. 289
Parsing IIS Logsp. 289
Parsing FTP Logsp. 300
Parsing DHCP Server Logsp. 306
Parsing Windows Firewall Logsp. 310
Using the Microsoft Log Parserp. 313
The Bottom Linep. 324
Windows Event Logsp. 327
Understanding the Event Logsp. 327
Exploring Auditing Settingsp. 329
Using Event Viewerp. 334
Searching with Event Viewerp. 347
The Bottom Linep. 351
Logon and Account Logon Eventsp. 353
Exploring Windows NT Logon Eventsp. 353
Analyzing Windows 2000 Event Logsp. 361
Comparing Logon and Account Logon Eventsp. 361
Examining Windows 2000 Logon Eventsp. 364
Examining Windows 2000 Account Logon Eventsp. 366
Contrasting Windows 2000 and XP Loggingp. 386
Examining Windows Server 2003 Account Logon and Logon Eventsp. 393
The Bottom Linep. 397
Other Audit Eventsp. 399
Evaluating Account Management Eventsp. 399
Interpreting File and Other Object Access Eventsp. 409
Examining Audit Policy Change Eventsp. 416
Examining System Log Entriesp. 417
Examining Application Log Entriesp. 422
The Bottom Linep. 423
Forensic Analysis of Event Logsp. 425
Using EnCase to Examine Windows Event Log Filesp. 425
Windows Event Log Files Internalsp. 433
Repairing Corrupted Event Log Databasesp. 444
Finding and Recovering Event Logs from Free Spacep. 446
The Bottom Linep. 453
Presenting the Resultsp. 455
Creating a Narrative Report with Hyperlinksp. 455
The Electronic Report Filesp. 462
Timelinesp. 463
Testifying About Technical Mattersp. 466
The Bottom Linep. 467
The Bottom Linep. 469
Network Investigation Overviewp. 469
The Microsoft Network Structurep. 471
Beyond the Windows GUIp. 472
Windows Password Issuesp. 474
Windows Ports and Servicesp. 475
Live Analysis Techniquesp. 477
Windows File Systemsp. 478
The Registry Structurep. 480
Registry Evidencep. 482
Tool Analysisp. 486
Text-Based Logsp. 488
Windows Event Logsp. 492
Logon and Account Logon Eventsp. 493
Other Audit Eventsp. 495
Forensic Analysis of Event Logsp. 496
Presenting The Resultsp. 498
Indexp. 501
Table of Contents provided by Ingram. All Rights Reserved.

An electronic version of this book is available through VitalSource.

This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.

By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.

Digital License

You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.

More details can be found here.

A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.

Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.

Please view the compatibility matrix prior to purchase.