This comprehensive guide provides you with the training you need to arm yourself against phishing, bank fraud, unlawful hacking, and other computer crimes. Two seasoned law enforcement professionals discuss everything from recognizing high-tech criminal activity and collecting evidence to presenting it in a way that judges and juries can understand. They cover the range of skills, standards, and step-by-step procedures you’ll need to conduct a criminal investigation in a Windows environment and make your evidence stand up in court.
Contents

Introduction  xix

Network Investigation Overview  3
  Performing the Initial Vetting  3
  Meeting with the Victim Organization  5
  Understanding the Victim Network Information  6
  Understanding the Incident Information  7
  Identifying and Preserving Evidence  8
  Establishing Expectations and Responsibilities  10
  Collecting the Evidence  11
  Analyzing the Evidence  13
  Analyzing the Suspect's Computers  15
  Recognizing the Investigative Challenges of Microsoft Networks  18
  The Bottom Line  19

The Microsoft Network Structure  21
  Connecting Computers  21
  Windows Domains  23
  Interconnecting Domains  25
  Organizational Units  29
  Users and Groups  31
  Types of Accounts  31
  Groups  34
  Permissions  37
  File Permissions  39
  Share Permissions  42
  Reconciling Share and File Permissions  43
  Example Hack  45
  The Bottom Line  52

Beyond the Windows GUI  55
  Understanding Programs, Processes, and Threads  56
  Redirecting Process Flow  59
  DLL Injection  62
  Hooking  66
  Maintaining Order Using Privilege Modes  70
  Using Rootkits  72
  The Bottom Line  75

Windows Password Issues  77
  Understanding Windows Password Storage  77
  Cracking Windows Passwords Stored on Running Systems  79
  Exploring Windows Authentication Mechanisms  87
  LanMan Authentication  88
  NTLM and Kerberos Authentication  91
  Sniffing and Cracking Windows Authentication Exchanges  94
  Cracking Offline Passwords  102
  The Bottom Line  106

Windows Ports and Services  107
  Understanding Ports  107
  Using Ports as Evidence  111
  Understanding Windows Services  117
  The Bottom Line  124

Live-Analysis Techniques  129
  Finding Evidence in Memory  129
  Creating Windows Live-Analysis CDs  131
  Selecting Tools for Your Live-Response CD  133
  Verifying Your CD  139
  Using Your CD  142
  Monitoring Communication with the Victim Box  146
  Scanning the Victim System  149
  Using Stand-alone Tools for Live-Analysis  150
  Using Commercial Products  150
  Using EnCase FIM  150
  Using Free Products  157
  The Bottom Line  158

Windows File Systems  161
  File Systems vs. Operating Systems  161
  Understanding FAT File Systems  164
  Understanding NTFS File Systems  177
  Using NTFS Data Structures  178
  Creating, Deleting, and Recovering Data in NTFS  184
  Dealing with Alternate Data Streams  187
  The Bottom Line  191

The Registry Structure  193
  Understanding Registry Concepts  193
  Registry History  195
  Registry Organization and Terminology  195
  Performing Registry Research  201
  Viewing the Registry with Forensic Tools  203
  Using EnCase to View the Registry  204
  Using AccessData's Registry Viewer  207
  The Bottom Line  212

Registry Evidence  215
  Finding Information in the Software Key  216
  Installed Software  216
  Last Logon  218
  Banners  219
  Exploring Windows Security Center and Firewall Settings  220
  Analyzing Restore Point Registry Settings  225
  Exploring Security Identifiers  231
  Investigating User Activity  234
  Extracting LSA Secrets  245
  Discovering IP Addresses  246
  Compensating for Time Zone Offsets  251
  Determining the Startup Locations  253
  The Bottom Line  260

Tool Analysis  263
  Understanding the Purpose of Tool Analysis  263
  Exploring Tools and Techniques  267
  Strings  268
  Dependency Walker  271
  Monitoring the Code  273
  Monitoring the Tool's Network Traffic  282
  External Port Scans  284
  The Bottom Line  286

Text-Based Logs  289
  Parsing IIS Logs  289
  Parsing FTP Logs  300
  Parsing DHCP Server Logs  306
  Parsing Windows Firewall Logs  310
  Using the Microsoft Log Parser  313
  The Bottom Line  324

Windows Event Logs  327
  Understanding the Event Logs  327
  Exploring Auditing Settings  329
  Using Event Viewer  334
  Searching with Event Viewer  347
  The Bottom Line  351

Logon and Account Logon Events  353
  Exploring Windows NT Logon Events  353
  Analyzing Windows 2000 Event Logs  361
  Comparing Logon and Account Logon Events  361
  Examining Windows 2000 Logon Events  364
  Examining Windows 2000 Account Logon Events  366
  Contrasting Windows 2000 and XP Logging  386
  Examining Windows Server 2003 Account Logon and Logon Events  393
  The Bottom Line  397

Other Audit Events  399
  Evaluating Account Management Events  399
  Interpreting File and Other Object Access Events  409
  Examining Audit Policy Change Events  416
  Examining System Log Entries  417
  Examining Application Log Entries  422
  The Bottom Line  423

Forensic Analysis of Event Logs  425
  Using EnCase to Examine Windows Event Log Files  425
  Windows Event Log Files Internals  433
  Repairing Corrupted Event Log Databases  444
  Finding and Recovering Event Logs from Free Space  446
  The Bottom Line  453

Presenting the Results  455
  Creating a Narrative Report with Hyperlinks  455
  The Electronic Report Files  462
  Timelines  463
  Testifying About Technical Matters  466
  The Bottom Line  467

The Bottom Line  469
  Network Investigation Overview  469
  The Microsoft Network Structure  471
  Beyond the Windows GUI  472
  Windows Password Issues  474
  Windows Ports and Services  475
  Live-Analysis Techniques  477
  Windows File Systems  478
  The Registry Structure  480
  Registry Evidence  482
  Tool Analysis  486
  Text-Based Logs  488
  Windows Event Logs  492
  Logon and Account Logon Events  493
  Other Audit Events  495
  Forensic Analysis of Event Logs  496
  Presenting the Results  498

Index  501