Windows forensic analysis DVD toolkit

"If your job requires investigating compromised Windows hosts, you must read Windows Forensic Analysis." - Richard Bejtlich, Coauthor of Real Digital Forensics and Amazon.com Top 500 Book Reviewer
"The Registry Analysis chapter alone is worth the price of the book." - Troy Larson, Senior Forensic Investi...


Bibliographic Details
Main Author: Carvey, Harlan A.
Other Authors: Casey, Eoghan
Format: Electronic book
Language: English
Published: Burlington, MA : Syngress c2009.
Edition: 2nd ed.
Subjects:
View in Biblioteca Universitat Ramon Llull: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009627554006719
Table of Contents:
  • Front matter: Front Cover; Windows Forensic Analysis DVD Toolkit 2E; Copyright Page; Dedication Page; Technical Editor; Author; Technical Reviewers; Contents; Preface; Intended Audience; Organization of this Book; Live Response: Data Collection; Live Response: Data Analysis; Windows Memory Analysis; Registry Analysis; File Analysis; Executable File Analysis; Rootkits and Rootkit Detection; Tying It All Together; Performing Analysis on a Budget; DVD Contents; Author's Acknowledgments
  • Chapter 1: Live Response: Collecting Volatile Data; Introduction; Live Response; Locard's Exchange Principle; Order of Volatility; When to Perform Live Response; What Data to Collect; System Time; Logged-on Users; PsLoggedOn; Net Sessions; LogonSessions; Open Files; Network Information (Cached NetBIOS Name Table); Network Connections; Netstat; Process Information; Tlist; Tasklist; PsList; ListDLLs; Handle; Process-to-Port Mapping; Netstat; Fport; Tcpvcon; Process Memory; Network Status; Ipconfig; PromiscDetect and Promqry; Clipboard Contents; Service/Driver Information; Command History; Mapped Drives; Shares; Nonvolatile Information; Registry Settings; ClearPageFileAtShutdown; DisableLastAccess; Autoruns; Event Logs; Devices and Other Information; A Word about Picking Your Tools; Live-Response Methodologies; Local Response Methodology; Remote Response Methodology; The Hybrid Approach (a.k.a. Using the FSP); Summary; Solutions Fast Track; Live Response; What Data to Collect; Nonvolatile Information; Live-Response Methodologies; Frequently Asked Questions
  • Chapter 2: Live Response: Data Analysis; Introduction; Data Analysis; Example 1; Example 2; Example 3; Agile Analysis; Expanding the Scope; Reaction; Prevention; Summary; Solutions Fast Track; Data Analysis; Frequently Asked Questions
  • Chapter 3: Windows Memory Analysis; Introduction; A Brief History; Collecting Process Memory; Dumping Physical Memory; DD; Nigilant32; ProDiscover; KnTDD; MDD; Win32dd; Memoryze; Winen; Fastdump; F-Response; Section Summary; Alternative Approaches for Dumping Physical Memory; Hardware Devices; FireWire; Crash Dumps; Virtualization; Hibernation File; Analyzing a Physical Memory Dump; Determining the Operating System of a Dump File; Process Basics; EProcess Structure; Process Creation Mechanism; Parsing Memory Dump Contents; Lsproc.pl; Lspd.pl; Volatility Framework; Memoryze; HBGary Responder; Parsing Process Memory; Extracting the Process Image; Memory Dump Analysis and the Page File; Pool Allocations; Summary; Solutions Fast Track; Collecting Process Memory; Dumping Physical Memory; Analyzing a Physical Memory Dump; Frequently Asked Questions
  • Chapter 4: Registry Analysis; Introduction; Inside the Registry; Registry Structure within a Hive File; The Registry As a Log File; Monitoring Changes to the Registry; Registry Analysis; RegRipper; Rip; RipXP; System Information; ComputerName; TimeZoneInformation; Network Interfaces; MAC Address; Shares; Audit Policy and Event Logs; Wireless SSIDs
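The Chapter 1 collection sequence (system time, logged-on users, processes and loaded DLLs, network connections and NetBIOS cache, services and drivers, mapped drives and shares, then the nonvolatile ClearPageFileAtShutdown and DisableLastAccess registry settings) written out as one live-response script that follows the chapter's order of volatility. This is an added example, not code from the book or its DVD: the output location, the step names and the choice of built-in commands are assumptions, and Get-NetTCPConnection and Get-Process -IncludeUserName need Windows 8 / PowerShell 4 or later and an elevated session, so this stands in for the older PsLoggedOn, Netstat, Tlist and Fport tools the chapter lists rather than reproducing them.

```powershell
# Added example (not from the book): live-response collection in order of volatility.
# Assumes an elevated PowerShell session on the target host. Per Locard's exchange
# principle, point $OutDir at removable media or a network share, not the evidence disk.
param([string]$OutDir = "E:\IR\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Run one collection step, timestamp it, and keep going if a command fails.
function Save-Step {
    param([string]$Name, [scriptblock]$Cmd)
    $file = Join-Path $OutDir "$Name.txt"
    "=== $Name collected at $(Get-Date -Format o) ===" | Out-File $file
    try   { & $Cmd 2>&1 | Out-String -Width 300 | Out-File $file -Append }
    catch { "ERROR: $_" | Out-File $file -Append }
}

# Most volatile first: time, sessions, processes, network state.
Save-Step 'system-time'      { Get-Date -Format o; w32tm /query /status }
Save-Step 'logged-on-users'  { query user; net session }
Save-Step 'processes'        { Get-Process -IncludeUserName |
                                   Select-Object Id, ProcessName, UserName, StartTime, Path |
                                   Format-Table -AutoSize }
Save-Step 'loaded-modules'   { Get-Process | ForEach-Object { $p = $_
                                   $_.Modules | Select-Object @{n='Pid'; e={$p.Id}}, ModuleName, FileName } }
Save-Step 'net-connections'  { Get-NetTCPConnection |
                                   Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
                                   Format-Table -AutoSize }
Save-Step 'netbios-cache'    { nbtstat -c }
Save-Step 'ipconfig'         { ipconfig /all }
Save-Step 'services-drivers' { Get-CimInstance Win32_Service |
                                   Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
                               driverquery /v }
Save-Step 'mapped-drives'    { net use }
Save-Step 'shares'           { net share }

# Nonvolatile registry settings the chapter calls out (key paths are the standard ones).
$memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$fileSys = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
Save-Step 'registry-settings' {
    # ClearPageFileAtShutdown = 1 means the pagefile is wiped on clean shutdown,
    # so expect few pagefile artifacts after a normal reboot.
    Get-ItemProperty $memMgmt -Name ClearPageFileAtShutdown | Select-Object ClearPageFileAtShutdown
    # NtfsDisableLastAccessUpdate: 0 = last-access times maintained, 1 = disabled
    # (the Vista/7-era default); Windows 10 1803+ also uses 2/3 for system-managed.
    Get-ItemProperty $fileSys -Name NtfsDisableLastAccessUpdate | Select-Object NtfsDisableLastAccessUpdate
}

# Hash the collected files so the collection itself can be verified later.
Get-ChildItem $OutDir -File | Get-FileHash -Algorithm SHA256 | Out-File (Join-Path $OutDir 'hashes.txt')
```

Read the DisableLastAccess result before trusting any NTFS last-accessed timestamp in the later file-analysis work: if the value is 1 (or 3), those timestamps reflect when the file was created or copied, not when it was last read.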