Skip to main content

Mastering Windows Network Forensics and Investigation, 2nd Edition



Mastering Windows Network Forensics and Investigation, 2nd Edition

Steve Anson, Steve Bunting, Ryan Johnson, Scott Pearson

ISBN: 978-1-118-16382-5 June 2012 696 Pages


An authoritative guide to investigating high-technology crimes

Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more dire. This professional-level book--aimed at law enforcement personnel, prosecutors, and corporate investigators--provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals.

  • Specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network
  • Places a special emphasis on how to thoroughly investigate criminal activity and now just perform the initial response
  • Walks you through ways to present technically complicated material in simple terms that will hold up in court
  • Features content fully updated for Windows Server 2008 R2 and Windows 7
  • Covers the emerging field of Windows Mobile forensics

Also included is a classroom support package to ensure academic adoption, Mastering Windows Network Forensics and Investigation, 2nd Edition offers help for investigating high-technology crimes.

Related Resources

Introduction xvii

Part 1 Understanding and Exploiting Windows Networks 1

Chapter 1 Network Investigation Overview 3

Chapter 2 The Microsoft Network Structure 25

Chapter 3 Beyond the Windows GUI 63

Chapter 4 Windows Password Issues 85

Chapter 5 Windows Ports and Services 137

Part 2 Analyzing the Computer 157

Chapter 6 Live-Analysis Techniques 159

Chapter 7 Windows Filesystems 179

Chapter 8 The Registry Structure 215

Chapter 9 Registry Evidence 257

Chapter 10 Introduction to Malware 325

Part 3 Analyzing the Logs 349

Chapter 11 Text-Based Logs 351

Chapter 12 Windows Event Logs 381

Chapter 13 Logon and Account Logon Events 419

Chapter 14 Other Audit Events 463

Chapter 15 Forensic Analysis of Event Logs 505

Part 4 Results, the Cloud, and Virtualization 537

Chapter 16 Presenting the Results 539

Chapter 17 The Challenges of Cloud Computing and Virtualization 565

Part 5 Appendices 597

Appendix A The Bottom Line 599

Appendix B Test Environments 633

Index 647

Chapter 16 Files for Electronic Report
ChapterPageDetailsDatePrint Run
11360Text correction: Error in Table 11.3
Under Field Data, the third entry "" is incorrect.

The IP address of the server that generated the log entry is, as shown in Listing 11.2 on page 359

11361Text correction: Incorrect IP address
In the last sentence before the sidebar, "In this particular case, the hosting web server ( is an intranet web server..." the IP address is not the same one being used in the example illustrated by Listing 11.2 and Table 11.3. The address should be

11364Text correction
In the first sentence, "With this information as a backdrop, you now know that you can expect your FTP logs to read very much like your IIS 7.5 server logs, except there will be fewer fields, and the sc-status codes will be different."
, "IIS 7.5 server logs" should read "web logs".