
Mastering Windows Network Forensics and Investigation

Steven Anson, Steve Bunting

ISBN: 978-0-470-09762-5

Apr 2007

552 pages


This comprehensive guide provides you with the training you need to arm yourself against phishing, bank fraud, unlawful hacking, and other computer crimes. Two seasoned law enforcement professionals discuss everything from recognizing high-tech criminal activity and collecting evidence to presenting it in a way that judges and juries can understand. They cover the range of skills, standards, and step-by-step procedures you’ll need to conduct a criminal investigation in a Windows environment and make your evidence stand up in court.

Part 1: Understanding and Exploiting Windows Networks.

Chapter 1: Network Investigation Overview.

Chapter 2: The Microsoft Network Structure.

Chapter 3: Beyond the Windows GUI.

Chapter 4: Windows Password Issues.

Chapter 5: Windows Ports and Services.

Part 2: Analyzing the Computer.

Chapter 6: Live-Analysis Techniques.

Chapter 7: Windows File Systems.

Chapter 8: The Registry Structure.

Chapter 9: Registry Evidence.

Chapter 10: Tool Analysis.

Part 3: Analyzing the Logs.

Chapter 11: Text-Based Logs.

Chapter 12: Windows Event Logs.

Chapter 13: Logon and Account Logon Events.

Chapter 14: Other Audit Events.

Chapter 15: Forensic Analysis of Event Logs.

Chapter 16: Presenting the Results.

Appendix A: The Bottom Line.


  • A focus on investigating criminal activity and not simply inappropriate use of company networks and systems.
  • Guidance that enables students to present this technically complicated material in simple terms with language and analogies that prosecutors, judges, and juries can readily understand.
  • Coverage of the emerging field of "live forensics," where investigators examine a computer, server, or network while it is still running to obtain evidence. (The standard practice has been to perform investigations on unplugged machines or data files that have been seized and taken back to the lab. However, once the machine is unplugged, valuable evidence may be lost.)