Skip to content

Windows Forensics and Incident Recovery

Spend $50 to get a free DVD!

ISBN-10: 0321200985

ISBN-13: 9780321200983

Edition: 2005

Authors: Harlan Carvey

List price: $64.99
Shipping box This item qualifies for FREE shipping.
Blue ribbon 30 day, 100% satisfaction guarantee!
what's this?
Rush Rewards U
Members Receive:
Carrot Coin icon
XP icon
You have reached 400 XP and carrot coins. That is the daily max!

Description:

As long as networks of Microsoft Windows systems are managed,administered, and used by people, security incidents will occur. Windowssystems are highly pervasive throughout the entire computing infrastructure,from home and school systems, to high-end e-commerce sites. In contrast tothis pervasiveness, information regarding conducting effective incidentresponse and forensic audit activities on Windows systems is limited. Whilethere are many security books available, none focus specifically on Windowssecurity. There are also resources available online, but they are scattered andoften too general. This book is a compilation of all the information currentlyavailable on this subject. It is for…    
Customers also bought

Book details

List price: $64.99
Copyright year: 2005
Publisher: Addison Wesley Professional
Publication date: 7/21/2004
Binding: Mixed Media
Pages: 480
Size: 6.75" wide x 9.00" long x 1.25" tall
Weight: 2.046
Language: English

Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and "cloud computing" services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan's primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms. Harlan holds a…    

Preface
Introduction
Definitions
Intended Audience
Book Layout
Defining the Issue
The Pervasiveness and Complexity of Windows Systems
The Pervasiveness of High-Speed Connections
The Pervasiveness of Easy-to-Use Tools
Purpose
Real Incidents
Where To Go For More Information
Conclusion
How Incidents Occur
Definitions
Purpose
Incidents
Local vs. Remote
Manual vs. Automatic
Lowest Common Denominator
Attacks Are Easy
Summary
Data Hiding
File Attributes
The Hidden Attribute
File Signatures
File Times
File Segmentation
File Binding
NTFS Alternate Data Streams
Hiding Data in the Registry
Office Documents
OLE Structured Storage
Steganography
Summary
Incident Preparation
Perimeter Devices
Host Configuration
NTFS File System
Configuring the System with the SCM
Group Policies
Getting Under the Hood
User Rights
Restricting Services
Permissions
Audit Settings and the Event Log
Windows File Protection
WFP and ADSs
Patch Management
Anti-Virus
Monitoring
Summary
Incident Response Tools
Definitions
Tools for Collecting Volatile Information
Logged On User(s)
Process Information
Process Memory
Network Information and Connections
Clipboard Contents
Command History
Services and Drivers
Group Policy Information
Tools for Collecting Non-Volatile Information
Collecting Files
Contents for the Recycle Bin
Registry Key Contents and Information
Scheduled Tasks
User Information
Dumping the Event Logs
Tools for Analyzing Files
Executable files
Process Memory Dumps
Microsoft Word Documents
PDF Documents
Summary
Developing a Methodology
Introduction
Prologue
First Dream
Second Dream
Third Dream
Fourth Dream
Fifth Dream
Summary
Knowing What to Look For
Investigation Overview
Infection Vectors
Malware Footprints and Persistence
Files and Directories
Registry Keys
Processes
Open Ports
Services
Rootkits
AFX Windows Rootkit 2003
Detecting Rootkits
Preventing Rootkit Installations
Summary
Using the Forensic Server Project
The Forensic Server Project
Collecting Data Using FSP
Launching the Forensic Server
Running the First Responder Utility
File Client Component
Correlating and Analyzing Data Using FSP
Infected Windows 2003 System
A Rootkit on a Windows 2000 System
A Compromised Windows 2000 System
Future Directions of the Forensic Server Project
Summary
Scanners and Sniffers
Port Scanners
Netcat
Portqry
Nmap
Network Sniffers
NetMon
Netcap
Windump
Analyzer
Ethereal
Summary
Installing Perl on Windows
Installing Perl and Perl Modules
Perl Editors
Running Perl Scripts
Setting Up Perl for Use with this Book
Win32::Lanman
Win32::TaskScheduler
Win32::File::Ver
Win32::API::Prototype
Win32::Perms
Win32::GUI
Win32::FileOp
Win32::DriveInfo
Win32::IPConfig
Summary
Web Sites
Searching
Sites for Information about Windows
Anti-Virus Sites
Program Sites
Security Information Sites
Perl Programming and Code Sites
General Reading
Answers to Chapter 9 Questions
FTP Traffic Capture
Netcat Traffic Capture
Null Session Traffic Capture
IIS Traffic Capture
Nmap Traffic Capture
CD Contents
Index