Mr. Carvey is a digital forensics and incident response analyst with past experience in vulnerability assessments, as well as some limited pen testing. He conducts research into digital forensic analysis of Window systems, identifying and parsing various digital artifacts from those systems, and has developed several innovative tools and investigative processes specific to the digital forensics analysis field. He is the developer of RegRipper, a widely-used tool for Windows Registry parsing and analysis. Mr. Carvey has developed and taught several courses, including Windows Forensics, Registry, and Timeline Analysis.
Harlan Carvey has updated Windows Forensic Analysis Toolkit, now in its fourth edition, to cover Windows 8 systems. The primary focus of this edition is on analyzing Windows 8 systems and processes using free and open-source tools. The book covers live response, file analysis, malware detection, timeline, and much more. Harlan Carvey presents real-life experiences from the trenches, making the material realistic and showing the why behind the how. The companion and toolkit materials are hosted online. This material consists of electronic printable checklists, cheat sheets, free custom tools, and walk-through demos. This edition complements Windows Forensic Analysis Toolkit, Second Edition, which focuses primarily on XP, and Windows Forensic Analysis Toolkit, Third Edition, which focuses primarily on Windows 7. This new fourth edition provides expanded coverage of many topics beyond Windows 8 as well, including new cradle-to-grave case examples, USB device analysis, hacking and intrusion cases, and “how would I do this” from Harlan's personal case files and questions he has received from readers. The fourth edition also includes an all-new chapter on reporting.

- Complete coverage and examples of Windows 8 systems
- Contains lessons from the field, case studies, and war stories
- Companion online toolkit material, including electronic printable checklists, cheat sheets, custom tools, and walk-throughs
Front Cover
Windows Forensic Analysis Toolkit
Copyright Page
Contents
Preface
Intended Audience
Organization of This Book
DVD Contents
Acknowledgments
About the Author
About the Technical Editor
1 Analysis Concepts
Introduction
Analysis concepts
Windows versions
Analysis principles
Goals
Tools versus processes
The tool validation myth-odology
Locard’s exchange principle
Avoiding speculation
Direct and indirect artifacts
Least frequency of occurrence
Documentation
Convergence
Virtualization
Setting up an analysis system
Summary
2 Incident Preparation
Introduction
Being prepared to respond
Questions
The importance of preparation
Logs
Data collection
Training
Business models
Summary
3 Volume Shadow Copies
Introduction
What are “volume shadow copies”?
Registry keys
Live systems
ProDiscover
F-Response
Acquired images
VHD method
VMWare method
Automating VSC access
ProDiscover
Windows 8
Summary
Reference
4 File Analysis
Introduction
MFT
File system tunneling
TriForce
Event logs
Windows Event Log
Recycle bin
Prefetch files
Scheduled tasks
Jump lists
Hibernation files
Application files
Antivirus logs
Skype
Apple products
Image files
Summary
References
5 Registry Analysis
Introduction
Registry analysis
Registry nomenclature
The registry as a log file
USB device analysis
System hive
Services
Bluetooth
Software hive
Application analysis
NetworkList
NetworkCards
Scheduled tasks
User hives
WordWheelQuery
Shellbags
MenuOrder
MUICache
UserAssist
Photos
Virtual PC
TypedPaths
Additional sources
RegIdleBackup
Volume shadow copies
Virtualization
Memory
Tools
Summary
References
6 Malware Detection
Introduction
Malware Characteristics
Initial infection vector
Propagation mechanism
Persistence mechanism
Artifacts
Detecting Malware
Log analysis
Dr. Watson logs
AV scans
AV write ups
Digging deeper
Packed files
Digital signatures
Windows File Protection
Alternate data streams
PE file compile times
Master boot record infectors
Registry analysis
Internet activity
Additional detection mechanisms
Seeded sites
Summary
References
7 Timeline Analysis
Introduction
Timelines
Data sources
Time formats
Concepts
Benefits
Format
Time
Source
System
User
Description
TLN format
Creating Timelines
File system metadata
Event logs
Windows XP
Windows 7
Prefetch files
Registry data
Additional sources
Parsing events into a timeline
Thoughts on visualization
Case Study
Summary
8 Correlating Artifacts
Introduction
How-Tos
Correlating Windows shortcuts to USB devices
Demonstrate user access to files
IE browser analysis
Detecting system time change
Who ran defrag?
Determine data exfiltration
Finding something “new”
Summary
9 Reporting
Introduction
Goals
Incident triage
Case Notes
Documenting your analysis
Reporting
Format
Executive summary
Body
Background
Analysis
Conclusions
Writing tips
Peer review
Summary
Index
Analysis Concepts
This chapter provides a foundation for analysis discussed in the rest of the book. We discuss core analysis concepts so that they can be built upon in the following chapters of the book.
Keywords
Concepts; analysis; framework; set up
Chapter Outline
Goals
The tool validation myth-odology
Locard’s exchange principle
Direct and indirect artifacts
Least frequency of occurrence
Convergence
Setting up an analysis system
Summary
Information in This Chapter
Analysis Concepts
Setting Up An Analysis System
Introduction
If you’ve had your eye on the news media, or perhaps more appropriately the online lists and forums over the past couple of years, there are a couple of facts or “truths” that will be glaringly obvious to you. First, computers and computing devices are more ubiquitous in our lives. Not only do most of us have computer systems, such as desktops at work and school, laptops at home and on the go, but we also have “smart phones,” tablet computing devices, and even smart global positioning systems (GPSs) built into our cars. We’re inundated with marketing ploys every day, being told that we have to get the latest-and-greatest device, and be connected not just to WiFi, but also to the ever-present “4G” (whatever that means …) cellular networks. If we don’t have a phone-type device available, we can easily open up our laptop or turn on our tablet device and instantly reach out to others using instant messaging, email, Twitter, or Skype applications.
The second truth is that as computers become more and more a part of our lives, so does crime involving those devices in some manner. Whether it’s “cyberbullying” or “cyberstalking,” identity theft, the “advanced persistent threat (APT),” or intrusions and data breaches that result in some form of data theft, a good number of real-world physical crimes are now being committed through the use of computers, and as such, get renamed by prepending “cyber” to the description of the crime. As we began to move a lot of the things that we did in the real world to the online world (i.e., banking, shopping, filing taxes), we became targets for cybercrime. Organizations become targets (and subsequently, victims) of online crime, simply because they have something someone wants, be it data or computing power. What makes this activity even more insidious and apparently “sophisticated” is that we don’t recognize it for what it is, because conceptually, the online world is simply so foreign to us. If someone shatters a storefront window to steal a television set, there’s a loud noise, possibly an alarm, broken glass, and someone fleeing with their stolen booty. Cybercrime doesn’t “look like” this; often, something isn’t stolen and then absent, so much as it’s copied, and then used for malicious purposes. The data (credit card numbers, personally identifiable information, etc.) still exists in its original location, but is now also in the possession of someone who intends to sell it to others. Other times, the crime does result in something that is stolen and is removed from our ownership, but we may not recognize that immediately, because we’re talking about 1s and 0s in the “ether” of cyberspace, not a car that should be sitting in your driveway, in plain view.
These malicious activities also appear to be increasing in sophistication. In many cases, the fact that a crime has occurred is not evident until someone notices a significant decrease in an account balance, which indicates that the perpetrator has already gained access to systems, gathered the data needed, accessed that bank account, and left with the funds. The actual incidents are not detected until days after (in some cases, weeks or even months) they’ve occurred. In other instances, the malicious activity continues and even escalates after we become aware of it, because we’re unable to transition our mindset from the real world (lock the doors and windows, post a guard at the door, etc.) to the online world, and effectively address the issue.
Clearly, no one person, and no organization, is immune. The early part of 2011 saw a number of high-visibility computer security incidents splashed across the pages (both web and print) of the media. The federal arm of the computer consulting firm HBGary suffered an embarrassing exposure of internal, sensitive data, and equally devastating was the manner in which it was retrieved. RSA, owned by EMC and the provider of secure authentication mechanisms, reported that they’d been compromised. On April 6, Kelly Jackson Higgins published a story (titled “Law Firms Under Siege”) at DarkReading.com that revealed that law firms were becoming a more prevalent target of APT actor groups. The examples continue on through 2012 and into 2013, but the point is that there’s no one specific type of attack, or victim that gets targeted. The end of 2012 saw some banks and other organizations falling victim to massive distributed denial of service attacks, and the spring of 2013 saw a specific group in China, and even specific individuals, identified as being responsible for long-term and long-standing data theft attacks on US companies. Shortly thereafter, a group in India was identified as being responsible for other attacks, predominantly against targets in Pakistan. Anyone can be a target.
In order to address this situation, we need to have responders and analysts who are at least as educated, knowledgeable, and collaborative as those committing these online crimes. Being able to develop suitable detection and deterrence mechanisms depends on understanding how these online criminals operate, how they get in, what they’re after, and how they exfiltrate what they’ve found from the infrastructure. As such, analysts need to understand how to go about determining which systems have been accessed, and which are used as primary jump points that the intruders use to return at will. They also need to understand how to do so without tipping their hand and revealing that they are actively monitoring the intruders, or inadvertently destroying data in the process. These goals are best achieved by having knowledgeable groups of responders working together, and sharing information across arbitrary boundaries.
In this book, we’re going to focus on the analysis of Windows computer systems (laptops, desktops, servers), because they are so pervasive. This is not to exclude other devices and operating systems; to the contrary, we’re narrowing our focus to fit the topic that we’re covering into a manageable volume. Our focus throughout this book will be primarily on the Windows 7 operating system, and much of the book, after Chapter 2, will be tailored specifically to the analysis of forensic images acquired from those systems. I will be including information regarding Windows 8 artifacts, where appropriate, throughout the book. While there are some notable differences between Windows 7 and Windows 8, the simple fact is that there are also some similarities, so I will attempt to highlight those in addition to pointing out some of what is different. However, at this writing, analysts should be more concerned with what is available in Windows 7, as understanding data structures and developing skills in addressing the available data will be very beneficial when analyzing a Windows 8 system.
In this chapter, we’re going to start our journey by discussing and understanding the core concepts that set the foundation for our analysis. It is vitally important that responders and analysts understand these concepts, as it is these core concepts that shape what we do and how we approach a problem or an incident. Developing an understanding of the fundamentals allows us to create a foundation upon which to build, allowing analysts to be able to address new issues effectively, rather than responding to these challenges by using the “that’s what we’ve always done” methodology, which may be unviable.
Analysis concepts
Very often when talking to analysts, especially those who are new to the field, I find that there are some concepts that shape not only our thought processes but also our investigative processes, and how we look at and approach the various problems and issues that we encounter. For new analysts, without a great deal of actual experience to fall back on, these fundamental analysis concepts make up for that lack of experience and allow them to overcome the day-to-day challenges that they face.
Consider how you may have learned to acquire images of hard drives. Many of us started out our process of learning by first removing the hard drive from the computer system, and hooking it up to a write-blocker. We learned about write-blockers that allowed us to acquire an image of a hard drive to another hard drive, as well as those...
| Published (per publisher) | 11.3.2014 |
|---|---|
| Language | English |
| Subject area | Computer Science ► Operating Systems / Servers ► Windows |
| | Computer Science ► Networks ► Security / Firewall |
| | Business ► Business Administration / Management ► Corporate Management |
| ISBN-10 | 0-12-417174-5 / 0124171745 |
| ISBN-13 | 978-0-12-417174-9 / 9780124171749 |
Size: 12.7 MB
Copy protection: Adobe DRM
File format: PDF (Portable Document Format)
Size: 3.9 MB
Copy protection: Adobe DRM
File format: EPUB (Electronic Publication)