Practical Windows Forensics
By Ayman Shaaban and Konstantin Sapronov
About this ebook
- Build your own lab environment to analyze forensic data and practice techniques.
- This book offers meticulous coverage with an example-driven approach and helps you build the key skills of performing forensics on Windows-based systems using digital artifacts.
- It uses specific open source and Linux-based tools so you can become proficient at analyzing forensic data and upgrade your existing knowledge.
This book targets forensic analysts and professionals who would like to develop skills in digital forensic analysis for the Windows platform. You will acquire proficiency, knowledge, and core skills to undertake forensic analysis of digital data.
Prior experience of information security and forensic analysis would be helpful. You will gain knowledge and an understanding of performing forensic analysis with tools especially built for the Windows platform.
Practical Windows Forensics - Ayman Shaaban
Table of Contents
Practical Windows Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
1. The Foundations and Principles of Digital Forensics
What is digital crime?
Digital forensics
Digital evidence
Digital forensic goals
Analysis approaches
Summary
2. Incident Response and Live Analysis
Personal skills
Written communication
Oral communication
Presentation skills
Diplomacy
The ability to follow policies and procedures
Team skills
Integrity
Knowing one's limits
Coping with stress
Problem solving
Time management
Technical skills
Security fundamentals
Security principles
Security vulnerabilities and weaknesses
The Internet
Risks
Network protocols
Network applications and services
Network security issues
Host or system security issues
Malicious code
Programming skills
Incident handling skills
The hardware for IR and Jump Bag
Software
Live versus mortem
Volatile data
Nonvolatile data
Registry data
Remote live response
Summary
3. Volatile Data Collection
Memory acquisition
Issues related to memory access
Choosing a tool
DumpIt
FTK Imager
Acquiring memory from a remote computer using iSCSI
Using the Sleuth Kit
Network-based data collection
Hubs
Switches
Tcpdump
Wireshark
Tshark
Dumpcap
Summary
4. Nonvolatile Data Acquisition
Forensic image
Incident Response CDs
DEFT
Helix
Live imaging of a hard drive
FTK imager in live hard drive acquisition
Imaging over the network with FTK imager
Incident response CDs in live acquisition
Linux for the imaging of a hard drive
The dd tool
dd over the network
Virtualization in data acquisition
Evidence integrity (the hash function)
Disk wiping in Linux
Summary
5. Timeline
Timeline introduction
The Sleuth Kit
Super timeline – Plaso
Plaso architecture
Preprocessing
Collection
Worker
Storage
Plaso in practice
Analyzing the results
Summary
6. Filesystem Analysis and Data Recovery
Hard drive structure
Master boot record
Partition boot sector
The filesystem area in partition
Data area
The FAT filesystem
FAT components
FAT limitations
The NTFS filesystem
NTFS components
Master File Table (MFT)
The Sleuth Kit (TSK)
Volume layer (media management)
Filesystem layer
The metadata layer
istat
icat
ifind
The filename layer
Data unit layer (Block)
blkcat
blkls
Blkcalc
Autopsy
Foremost
Summary
7. Registry Analysis
The registry structure
Root keys
HKEY_CLASSES_ROOT or HKCR
HKEY_LOCAL_MACHINE
HKEY_USERS or HKU
HKEY_CURRENT_USER or HKCU
Mapping a hive to the filesystem
Backing up the registry files
Extracting registry hives
Extracting registry files from a live system
Extracting registry files from a forensic image
Parsing registry files
The base block
Hbin and CELL
Auto-run keys
Registry analysis
RegistryRipper
Sysinternals
MiTeC Windows registry recovery
Summary
8. Event Log Analysis
Event Logs - an introduction
Event Logs system
Security Event Logs
Extracting Event Logs
Live systems
Offline system
Event Viewer
Event Log Explorer
Useful resources
Analyzing the event log – an example
Summary
9. Windows Files
Windows prefetch files
Prefetch file analysis
Windows tasks
Windows Thumbs DB
Thumbcache analysis
Corrupted Windows.edb files
Windows RecycleBin
RECYCLER
$Recycle.bin
Windows shortcut files
Shortcut analysis
Summary
10. Browser and E-mail Investigation
Browser investigation
Microsoft Internet Explorer
History files
History.IE5
IEHistoryView
BrowsingHistoryView
MiTeC Internet History browser
Cache
Content.IE5
IECacheView
Msiecf parser (Plaso framework)
Cookies
IECookiesView
Favorites
FavoritesView
Session restore
MiTeC SSV
Inprivate mode
WebCacheV#.dat
ESEDatabaseView
Firefox
Places.sqlite
MozillaHistoryView
Cookies.sqlite
MozillaCookiesView
Cache
MozillaCacheView
Other browsers
E-mail investigation
Outlook PST file
Outlook OST files
EML and MSG files
DBX (Outlook Express)
PFF Analysis (libpff)
Other tools
Summary
11. Memory Forensics
Memory structure
Memory acquisition
The sources of memory dump
Hibernation file
Crash dump
Page files
Processes in memory
Network connections in memory
The DLL injection
Remote DLL injection
Remote code injection
Reflective DLL injection
API hooking
Memory analysis
The volatility framework
Volatility plugins
imagecopy
raw2dmp
imageprofile
pslist
psscan
pstree
psxview
getsids
dlllist
handles
filescan
procexedump
memdump
svcscan
connections
connscan
sockets
sockscan
Netscan
hivelist and printkey
malfind
vaddump
apihooks
mftparser
Summary
12. Network Forensics
Network data collection
Exploring logs
Using tcpdump
Using tshark
Using WireShark
Fields with more information
Knowing Bro
Summary
appA. Building a Forensic Analysis Environment
Factors that need to be considered
Size
Environment control
Security
Software
Hardware
Virtualization
Virtualization benefits for forensics
The distributed forensic system
GRR
Server installation
Client installation
Browsing with the newly-connected client
Start a new flow
appB. Case Study
Introduction
Scenario
Acquisition
Live analysis
The running processes
Network activities
Autorun keys
Prefetch files
Browser analysis
Postmortem analysis
Memory analysis
Network analysis
Timeline analysis
Summary
Practical Windows Forensics
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: June 2016
Production reference: 2220616
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78355-409-6
www.packtpub.com
Credits
About the Authors
Ayman Shaaban (@aymanshaaban) has been working as a security researcher for Kaspersky Lab since May 2014. He worked in the Egyptian national CERT as a digital forensics engineer for 5 years. During his career, Ayman has participated in building digital forensics labs, provided analysis for cases with national and international scopes, and delivered training courses on digital forensics analysis for different high-profile entities.
Ayman is a certified GSEC, GCIH, GCFA, and CFCE. He also has a BSc in communication and electronics, an information security diploma from ITI, and is working on his master's degree in information security. Ayman can be found on LinkedIn at http://eg.linkedin.com/in/aymanshaaban.
I would like to thank my family and my friends for their continuous support. Also, I want to thank all my current and past colleagues in Kaspersky Lab, EG-CERT, and Nile University for their support and dedication.
Konstantin Sapronov works as the deputy head of the Global Emergency Response Team at Kaspersky Lab. He joined Kaspersky Lab in 2000 and has been in his current position since August 2011. His previous position, from 2007, was group manager of the virus lab in China, where he was responsible for establishing and developing the virus lab at Kaspersky Lab's office in China. Prior to this, he worked as a virus analyst and head of the Non-Intel Platform Group in the virus lab at Kaspersky Lab's HQ in Moscow, specializing in reverse engineering and the analysis of malware, exploits, and vulnerabilities. Konstantin is the author of several analytical articles on malware for Unix and other information security topics.
Konstantin holds degrees from the Moscow Power Engineering Institute (a technical university) and the Moscow State University of Economics, Statistics and Information Technology.
First of all, many thanks to all my family—my parents, my wife, and my daughter, who have always supported me. Also, I would like to thank all the people I have worked with all these years at our company for their support, professionalism, and willingness to help.
About the Reviewers
Jim Swauger has over 18 years of experience in the digital forensics field, starting as a computer forensics specialist with the Ohio Attorney General's Computer Crime Unit and then moving on to being the technical security investigator for a top financial institution before becoming an expert consultant with Binary Intelligence. At Binary Intelligence, a firm that specializes in complex cellphone forensic services, Jim manages advanced mobile device Chip-Off, JTAG, and ISP extractions and subsequent forensic data analyses. Jim is an avid Linux user and proponent of using open source resources in digital forensic investigations. His clients include law enforcement and government agencies, corporations, and law firms.
Dr. Stilianos Vidalis was born and raised in Mykonos, a Greek island in Cyclades. He moved to the UK in 1995 to study computer science. He holds a PhD in the threat assessment of micro-payment systems. He is currently the Director of Training for the Cyber Security Centre at the University of Hertfordshire. He lectures on the subjects of cyber security and digital forensics and undertakes consultancy for a number of private and public organizations.
His involvement in the information operations arena began in 2001. Since then, he has participated in high-profile, high-value projects for large international organizations and governments. He has collected and analyzed information for prestigious European financial institutions, applying international standards under the context of risk and threat assessment. He trained the British Armed Forces (Tri-Service) in penetration testing and digital forensics for a number of years.
During his career, Dr. Vidalis has developed his own threat-assessment methodology and published it in peer-reviewed scientific journals, along with other aspects of his work on threat agent classification, vulnerability assessment, early warning systems, deception in CNO, identity theft, and computer criminal profiling.
Zhouyuan Yang has a master's degree in advanced security and digital forensics. His research areas include host- and network-based security, forensics, penetration testing, and IDP/S systems.
Currently, he is a researcher at Fortinet's Fortiguard Labs on the zero-day team, focusing on network security and vulnerability research.
I would like to thank my father, Qisheng Yang, who gives his full love in supporting my career dreams.
www.PacktPub.com
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Preface
Regardless of your level of experience in the field of information security in general, Practical Windows Forensics will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence properly, and walk you through the various stages of the analysis process.
We start by discussing the principles of the digital forensics process and move on to learning about the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and nonvolatile data. This will be followed by recovering data from hard drives and learning how to use multiple tools to perform registry and system log analyses.
Next, you will be taught how to analyze browsers and e-mails, as they are crucial aspects of investigations. We will then go on to extract data from a computer's memory and investigate network traffic, which is another important checkpoint. Lastly, you will learn a few ways in which you can present data, because every investigator needs a workstation where they can analyze forensic data.
What this book covers
Chapter 1, The Foundations and Principles of Digital Forensics, explains the importance of the principles of the digital forensics process and the approaches that are usually used to conduct an analysis.
Chapter 2, Incident Response and Live Analysis, discusses the hardware and software that the responder should have to perform incident response properly. Incident response is a very important process that needs to be conducted carefully to properly collect all the available evidence, which will be analyzed in the analysis phase.
Chapter 3, Volatile Data Collection, discusses how to collect the volatile data of the system. Volatile data, such as system memory, is very important and can tell what is happening in the system at run time. To conduct post mortem analysis on this kind of evidence, we need to acquire the evidence first. It also changes very quickly, so collecting it in the right way is a very important issue.
Chapter 4, Nonvolatile Data Acquisition, talks about the acquisition of nonvolatile data, such as the hard drive, and how to collect such data forensically without compromising the integrity of the evidence.
Chapter 5, Timeline, discusses the timeline, which shows all the system and user activities on the system in chronological order. It helps build the whole picture of the incident, and we will show you how to create one with the Plaso framework.
Chapter 6, Filesystem Analysis and Data Recovery, gives you a good understanding of the most common file systems. To fully understand how the tools work, either for analysis or recovery, the reader needs to understand how files are stored in the file system on the partitioned hard drive.
Chapter 7, Registry Analysis, discusses the structure of the registry and some tools used to perform analyses. When MS Windows operates, almost all actions are mapped in the registry, so the registry files are considered the Windows database. Registry forensics can help answer many questions, from what kind of application has been installed on the system to user activities, and many more.
Chapter 8, Event Log Analysis, explains that the MS Windows system has good features out of the box; we just need to know how to use them. One of these features is logging. Logging can help to figure out what has happened on the system. It logs all the events on the system, including security events and other events related to the applications within the system.
Chapter 9, Windows Files, tells us that MS Windows creates many artifacts while it is running. During analysis, these artifacts can be used to prove or refute hypotheses, or in some cases uncover new interesting information with evidential value.
Chapter 10, Browser and E-mail Investigation, talks about the Internet, and of course the World Wide Web, which is the main channel that users use to exchange information. Browsers are the most common tools used to do that, so the investigation of browsers is important when analysts try to investigate a user's activity. There are many browsers, and we will cover the most popular among them: IE, FF, and Chrome.
E-mail still remains a way to communicate with people in the computer world, especially in a corporate environment. This chapter will cover e-mail formats and explain how to read e-mails from PFF files for analysis and to trace senders.
Chapter 11, Memory Forensics, discusses how memory is the working space for the operating system. In the past, memory forensics was optional, but now there are a few very powerful tools that allow us to extract a lot of evidential information from memory and take digital forensics to a new level.
Chapter 12, Network Forensics, discusses how network forensics provides another perspective on the incident. Network traffic can reveal a lot of information about the behavior of malicious activity. Together with other sources of information, network evidence will speed up the investigation process. You will learn not only about the traditional tools, such as Wireshark, but also about the powerful Bro framework.
Appendix A, Building a Forensic Analysis Environment, discusses the creation of a convenient working environment to conduct digital forensics analysis in a digital forensics lab at an enterprise scale. After the previous chapters, we should now have realized how important incident response is for the digital forensics process and how necessary it is to handle both of them accurately.
Appendix B, Case Study, uses an infected machine to illustrate how to conduct primary analysis on different types of evidence, and we will go through live analysis along with the post-mortem analysis.
What you need for this book
There are no special requirements for this book.
Who this book is for
If you have previous experience in information security or have done some digital forensic analysis before and want to extend your skill set in digital forensics, this is the perfect guide for you. This book will provide you with the knowledge and core skills necessary to use free and open source tools, mostly under the Linux operating system, and undertake forensic analysis of digital evidence with them.
Conventions
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: In the destination machine, which is the handler machine, you need to run the network listener from the same receiver.exe folder.
Any command-line input or output is written as follows:
dd conv=sync,noerror bs=64K if=/dev/sda | pv | dd of=/media/Elements/HD_image/image.dd
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Now from the source machine, run the FTK Lite program, and then open Create Disk image