Windows Forensics and Incident Recovery

ISBN-10: 0321200985

ISBN-13: 9780321200983

Edition: 2005

Authors: Harlan Carvey

List price: $64.99

Description:

As long as networks of Microsoft Windows systems are managed, administered, and used by people, security incidents will occur. Windows systems are highly pervasive throughout the entire computing infrastructure, from home and school systems, to high-end e-commerce sites. In contrast to this pervasiveness, information regarding conducting effective incident response and forensic audit activities on Windows systems is limited. While there are many security books available, none focus specifically on Windows security. There are also resources available online, but they are scattered and often too general. This book is a compilation of all the information currently available on this subject. It is for…
Book details

Copyright year: 2005
Publisher: Addison Wesley Professional
Publication date: 7/21/2004
Binding: Mixed Media
Pages: 480
Size: 7.01" wide x 9.29" long x 1.26" tall
Weight: 2.090
Language: English

Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and "cloud computing" services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan's primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms. Harlan holds a…    

Preface
Introduction
Definitions
Intended Audience
Book Layout
Defining the Issue
The Pervasiveness and Complexity of Windows Systems
The Pervasiveness of High-Speed Connections
The Pervasiveness of Easy-to-Use Tools
Purpose
Real Incidents
Where To Go For More Information
Conclusion
How Incidents Occur
Definitions
Purpose
Incidents
Local vs. Remote
Manual vs. Automatic
Lowest Common Denominator
Attacks Are Easy
Summary
Data Hiding
File Attributes
The Hidden Attribute
File Signatures
File Times
File Segmentation
File Binding
NTFS Alternate Data Streams
Hiding Data in the Registry
Office Documents
OLE Structured Storage
Steganography
Summary
Incident Preparation
Perimeter Devices
Host Configuration
NTFS File System
Configuring the System with the SCM
Group Policies
Getting Under the Hood
User Rights
Restricting Services
Permissions
Audit Settings and the Event Log
Windows File Protection
WFP and ADSs
Patch Management
Anti-Virus
Monitoring
Summary
Incident Response Tools
Definitions
Tools for Collecting Volatile Information
Logged On User(s)
Process Information
Process Memory
Network Information and Connections
Clipboard Contents
Command History
Services and Drivers
Group Policy Information
Tools for Collecting Non-Volatile Information
Collecting Files
Contents for the Recycle Bin
Registry Key Contents and Information
Scheduled Tasks
User Information
Dumping the Event Logs
Tools for Analyzing Files
Executable files
Process Memory Dumps
Microsoft Word Documents
PDF Documents
Summary
Developing a Methodology
Introduction
Prologue
First Dream
Second Dream
Third Dream
Fourth Dream
Fifth Dream
Summary
Knowing What to Look For
Investigation Overview
Infection Vectors
Malware Footprints and Persistence
Files and Directories
Registry Keys
Processes
Open Ports
Services
Rootkits
AFX Windows Rootkit 2003
Detecting Rootkits
Preventing Rootkit Installations
Summary
Using the Forensic Server Project
The Forensic Server Project
Collecting Data Using FSP
Launching the Forensic Server
Running the First Responder Utility
File Client Component
Correlating and Analyzing Data Using FSP
Infected Windows 2003 System
A Rootkit on a Windows 2000 System
A Compromised Windows 2000 System
Future Directions of the Forensic Server Project
Summary
Scanners and Sniffers
Port Scanners
Netcat
Portqry
Nmap
Network Sniffers
NetMon
Netcap
Windump
Analyzer
Ethereal
Summary
Installing Perl on Windows
Installing Perl and Perl Modules
Perl Editors
Running Perl Scripts
Setting Up Perl for Use with this Book
Win32::Lanman
Win32::TaskScheduler
Win32::File::Ver
Win32::API::Prototype
Win32::Perms
Win32::GUI
Win32::FileOp
Win32::DriveInfo
Win32::IPConfig
Summary
Web Sites
Searching
Sites for Information about Windows
Anti-Virus Sites
Program Sites
Security Information Sites
Perl Programming and Code Sites
General Reading
Answers to Chapter 9 Questions
FTP Traffic Capture
Netcat Traffic Capture
Null Session Traffic Capture
IIS Traffic Capture
Nmap Traffic Capture
CD Contents
Index