Windows Forensics: The Field Guide for Corporate Computer Investigations
An arcane pursuit a decade ago, forensic science today is a household term. And while the computer forensic analyst may not lead as exciting a life as TV's CSIs do, he or she relies just as heavily on scientific principles and just as surely solves crime.
Whether you are contemplating a career in this growing field or are already an analyst in a Unix/Linux environment, this book prepares you to combat computer crime in the Windows world. Here are the tools to help you recover sabotaged files, track down the source of threatening e-mails, investigate industrial espionage, and expose computer criminals.
* Identify evidence of fraud, electronic theft, and employee Internet abuse
* Investigate crime related to instant messaging, Lotus Notes®, and increasingly popular browsers such as Firefox®
* Learn what it takes to become a computer forensics analyst
* Take advantage of sample forms and layouts as well as case studies
* Protect the integrity of evidence
* Compile a forensic response toolkit
* Assess and analyze damage from computer crime and process the crime scene
* Develop a structure for effectively conducting investigations
* Discover how to locate evidence in the Windows Registry
  The Corporate Computer Forensic Analyst.
  People, Processes, and Tools.
  Computer Forensics: Today and Tomorrow.
Chapter 2. Processing the Digital Crime Scene.
  Identify the Scene.
  Perform Remote Research.
  Secure the Crime Scene.
  Document the Scene.
  Process the Scene for Physical Evidence.
  Process the Scene for Electronic Evidence.
  Chain of Custody.
  Working with Law Enforcement.
Chapter 3. Windows Forensic Basics.
  History and Versions.
  Windows 1.x, 2.x, and 3.x.
  Windows NT and 2000.
  Windows 95, 98, and ME.
  Windows XP and 2003.
  CDs and DVDs.
  USB Flash Drives.
Chapter 4. Partitions and File Systems.
  Master Boot Record.
  Windows File Systems.
Chapter 5. Directory Structure and Special Files.
Chapter 6. The Registry.
  Advanced Registry Analysis.
Chapter 7. Forensic Analysis.
Chapter 8. Live System Analysis.
  System State Analysis.
  Services and Applications.
  GUI-based Overt Analysis.
  Local Command Line Analysis.
  Remote Command Line Analysis.
  Basic Information Gathering.
  System State Information.
  Running Program Information.
  Main Memory Analysis.
Chapter 9. Forensic Duplication.
  Hard Disk Duplication.
  Log File Duplication.
Chapter 10. File System Analysis.
  Positive Hash Analysis.
  Negative Hash Analysis.
  Print Spool Files.
Chapter 11. Log File Analysis.
  Successful Log-on/Log-off Events.
  Failed Log-on Event.
  Change of Policy.
  Successful or Failed Object Access.
Chapter 12. Internet Usage Analysis.
  Network, Proxy, and DNS History.
  Overnet, eMule, and eDonkey2000 Clients.
  AOL Instant Messenger.
Chapter 13. Email Investigations.
  Access Control and Logging.
Appendix A. Sample Chain of Custody Form.
Appendix B. Master Boot Record Layout.
Appendix C. Partition Types.
Appendix D. FAT32 Boot Sector Layout.
Appendix E. NTFS Boot Sector Layout.
Appendix F. NTFS Metafiles.
Appendix G. Well-Known SIDs.