Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition


System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Windows Details

Before delving deeply into Windows forensics, it is helpful to have a better understanding of the operating system itself. In this section, you learn about the history of Windows and its structure. This gives you a context within which to learn Windows forensics. For deeper coverage of Windows internals, refer to the book Windows Sysinternals Administrator’s Reference by Mark E. Russinovich and Aaron Margosis.

Windows History

Windows became mainstream with the release of version 3.1 in 1992. At that time, Windows was a graphical user interface, and not really an operating system. The operating system was Disk Operating System (DOS). Windows provided a visual interface for interacting with the operating system by means of mouse clicks, rather than typing in DOS commands.

During the early 1990s, you could use other, non-Microsoft user interfaces to work with DOS. You could also install Windows on systems running some non-Microsoft operating systems, such as DR DOS (an alternative to DOS). There were also several competing operating systems for PCs, including OS/2 and OS/2 Warp from IBM.

For servers and serious professionals, Microsoft had Windows NT Versions 3.1, 3.51, and 4.0, which were widely used. Each version had both workstation and server editions. The NT version of Windows was widely considered more stable and more secure than Windows 3.1.

The release of Windows 95 in 1995 marked a change in Windows. At this point, the underlying operating system and the graphical user interface (GUI)—a point-and-click user interface—were fused into one single, coherent product. This meant that you could not choose some non-Windows GUI. Shortly after the release of Windows 95, Windows NT 4.0 was released. Many consider Windows 98 just an intermediate step, an improvement on Windows 95. The interface looked very much the same as Windows 95, but the performance was vastly improved. Windows 95 and 98 used the FAT32 file system.

Windows 2000 was widely considered a major improvement in the Windows line. Essentially, the days of separate NT and Windows lines were over. Now there would simply be different editions of Windows 2000. There were editions for home users, for professional users, and for servers. The differences among the editions were primarily in the features available and the capacity, such as how much random access memory (RAM) could be addressed. Windows 2000 was also the version of Windows wherein Microsoft began to recommend NTFS over FAT32 as a file system.

Windows XP was the next milestone for Microsoft, and Windows Server 2003 was released the same year. This marked a return to the approach of having a separate server and desktop system (unlike Windows 2000). The interface was not very different, but there were structural improvements.

Windows Vista and Windows 7 did not have significantly different user interfaces from XP. There were feature changes and additional capabilities, but essentially the interface was moderately tweaked with each version. The same can be said of the relationship between Windows Server 2008 and Windows Server 2003. Someone comfortable with Windows Server 2003 would have no problem working with Windows Server 2008.

Windows 8 was a radical change. The operating system is meant to be more like that of a tablet. You can get to a desktop that looks much like Windows 7, but the default behavior of Windows 8 is tablet-like.

Windows 10 was another dramatic change for Windows. New features like Cortana and the Edge browser changed the way users interacted with the Windows operating system, and in some cases changed forensics.

Not all the differences in Windows versions are pertinent to forensics; however, certain issues are, such as the following:

  • Does the Windows version in question support 64-bit processing?

  • Does it have a firewall—XP was the first Windows version to have one—and if so, is the firewall automatically on, as was the case only after Windows XP Service Pack 1?

  • Does the version of Windows support the Encrypted File System (EFS), which allows the user to encrypt specific files and folders? This was first introduced with Windows 2000, but starting with Vista, this feature is available only on professional/business or higher editions.

64 Bit

What exactly does 64 bit mean? Why is it so important? First of all, the term refers to how the central processing unit (CPU) and the operating system process information. Basically, a 64-bit system uses 64-bit memory addresses, whereas a 32-bit system uses 32-bit addresses. That means that a 32-bit system can address up to 4,294,967,295 bytes, with each byte having its own address. That is why 32-bit systems were limited to 4 gigabytes (GB) of RAM. A 64-bit system can address up to 18,446,744,073,709,551,616 bytes—literally, millions of billions of bytes. This is a huge number! So, you can clearly see that a 64-bit processor and a 64-bit operating system have significant advantages over a 32-bit system.

Just as important to forensics is how Windows handles 32-bit programs. You can install 32-bit programs on a 64-bit system; however, they usually are installed into the Program Files (x86) directory. Windows uses x86 to refer to 32-bit versions of programs, files, and so on.
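The 32-bit-versus-64-bit question above comes up constantly when examining a suspect system: an executable's bitness is recorded in its own PE header, and a forensic examiner can read it without running the file. The following is an added example, not code from the book; it reads the COFF Machine field and the optional-header Magic of a Windows executable and reports the architecture along with the Program Files directory a 64-bit Windows would normally install it under. The `build_sample_pe` helper constructs a minimal header for demonstration only (it is not a runnable program), and the `expected_dir` mapping is this example's own convenience, not a Windows API.

```python
import struct

# Machine values and optional-header magics from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x64
IMAGE_FILE_MACHINE_ARM64 = 0xAA64  # 64-bit ARM
PE32_MAGIC = 0x10B                 # 32-bit optional header
PE32PLUS_MAGIC = 0x20B             # 64-bit optional header

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86",
    IMAGE_FILE_MACHINE_AMD64: "x64",
    IMAGE_FILE_MACHINE_ARM64: "ARM64",
}


def pe_bitness(data: bytes) -> dict:
    """Read the COFF Machine field and optional-header Magic of a PE image.

    Returns the architecture name, whether the image is 64-bit, and the
    Program Files directory a 64-bit Windows would normally install it under.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 60)  # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsections, _stamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, coff)
    magic = None
    if opt_size >= 2:
        # The optional header begins right after the 20-byte COFF header.
        (magic,) = struct.unpack_from("<H", data, coff + 20)
    # Prefer the optional-header magic; fall back to the Machine field.
    if magic is not None:
        is_64bit = magic == PE32PLUS_MAGIC
    else:
        is_64bit = machine != IMAGE_FILE_MACHINE_I386
    return {
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})"),
        "is_64bit": is_64bit,
        "expected_dir": "Program Files" if is_64bit else "Program Files (x86)",
    }


def build_sample_pe(machine: int, magic: int) -> bytes:
    """Construct a minimal PE header (not a runnable program) for demonstration."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE header follows the DOS header
    # NumberOfSections=1, SizeOfOptionalHeader=2, Characteristics=EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, 0x0002)
    return bytes(dos) + b"PE\x00\x00" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    for m, g in ((IMAGE_FILE_MACHINE_I386, PE32_MAGIC),
                 (IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)):
        print(pe_bitness(build_sample_pe(m, g)))
```

On a real image you would pass the first few hundred bytes of a file read from the evidence copy to `pe_bitness`; a 64-bit binary sitting under Program Files (x86), or vice versa, is not proof of anything by itself, but it is the kind of inconsistency worth noting in the examination log.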

The Boot Process

A forensic examiner needs to understand the Windows boot process for many reasons. A virus might infect a suspect drive at a specific point in the boot process. It is also the case that hard drive encryption programs operate during the boot process of the system. The following is a summary of the basic process:

  1. The BIOS conducts the power-on self test (POST). This is when the system’s basic input/output system (BIOS) checks to see if the drives, keyboard, and other key items are present and working. This occurs before any operating system components are loaded.

  2. The computer reads the master boot record (MBR) and partition table.

  3. The MBR locates the boot partition. This is the partition that has the operating system on it.

  4. The MBR passes control to the boot sector on the boot partition.

  5. The boot sector loads NTLDR. NTLDR is the NT loader; it is the first part of the Windows operating system and is responsible for preparing and loading the rest of the operating system.

  6. Note that if instead of being shut down, Windows has been put in the hibernation state, the contents of hiberfil.sys are loaded into memory, and the system resumes at the previous state.

  7. NTLDR switches the processor from real mode to 32-bit or 64-bit mode, depending on the system. Real mode is the default for x86 systems. It provides no support for memory protection, multitasking, or code privilege levels.

  8. NTLDR starts minimal file system drivers (FAT, FAT32, NTFS).

  9. NTLDR reads boot.ini and displays the boot loader menu. If there are multiple operating systems, they will be displayed.

  10. NTLDR loads NTOSKRNL and passes hardware information. The NTOSKRNL is the actual kernel for the Windows operating system. This is the end of the boot phase and the beginning of the load phase.

  11. NTLDR loads hal.dll (hardware abstraction layer).

  12. NTLDR loads the system hive (i.e., the Registry) and reads in settings from it.

  13. Kernel initialization begins (the screen turns blue).

  14. The services load phase begins.

  15. The Win32 subsystem start phase begins.

  16. The user logs on.

Knowing the boot order can allow you to diagnose issues that might prevent booting the system, to understand when encryption is implemented, and more. Some viruses infect the boot sector and, thus, are loaded when the system loads and can affect how the system loads. These are all good reasons to understand the boot order, at least in a general way.
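Steps 2 through 4 above, the MBR and its partition table, are concrete enough to examine directly from a disk image. The following is an added example, not code from the book; it parses the first 512-byte sector of an image, checks the 0x55AA boot signature, finds the active (boot) partition that the MBR would hand control to, and hashes the 446 bytes of boot code so they can be compared against a known-good baseline, since boot-sector malware lives in exactly those bytes. The `build_sample_mbr` helper and `SAMPLE_MBR` are constructed sample data; on a real case you would read the sector from the forensic image instead.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # MBR boot code precedes the partition table
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16     # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511
ACTIVE_FLAG = 0x80            # status byte of the bootable partition

# Common MBR partition type IDs (a subset).
PARTITION_TYPES = {
    0x07: "NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature, hash the boot code, and list the partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0x00:
            continue  # empty slot
        partitions.append({
            "index": i,
            "active": status == ACTIVE_FLAG,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    active = [p for p in partitions if p["active"]]
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        # Exactly one active entry is valid; zero or several means no clean hand-off.
        "boot_partition": active[0] if len(active) == 1 else None,
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot code differs from a known-good hash (e.g. a clean image of the same build)."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest() != baseline_sha256


def build_sample_mbr(entries) -> bytes:
    """Construct a sample MBR: placeholder boot code plus (status, type, lba, sectors) entries."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\xEB\x63"  # placeholder: real boot code also opens with a short jump
    for i, (status, ptype, lba, sectors) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector,
                         PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE,
                         status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: an active NTFS system partition and an inactive NTFS data partition.
SAMPLE_MBR = build_sample_mbr([
    (ACTIVE_FLAG, 0x07, 2048, 204800),
    (0x00, 0x07, 206848, 1024000),
])

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("boot partition:", info["boot_partition"])
    print("boot code sha256:", info["boot_code_sha256"])
```

The hash comparison is the defensive payoff: record the boot-code hash of a known-clean system of the same build, then any later change to those 446 bytes on a suspect drive, which a boot-sector virus must make to run before the operating system, shows up as a mismatch even when the partition table still looks normal.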

Important Files

Windows has a number of files. If you look at the Task Manager, you see many processes/programs running. Clever virus and spyware writers give their malware a name that is similar to these system processes. This makes a casual observer think these are part of the operating system. A few of the more important Windows files are listed here:

  • Ntdetect.com—A program that queries the computer for basic device/config data like time/date from CMOS, system bus types, disk drives, ports, and so on

  • Ntbootdd.sys—A storage controller device driver

  • Ntoskrnl.exe—The core of the operating system

  • Hal.dll—An interface for hardware

  • Smss.exe—A program that handles services on your system

  • Winlogon.exe—The program that logs you on

  • Lsass.exe—The program that handles security and logon policies

  • Explorer.exe—The interface the user interacts with, such as the desktop, Windows Explorer, and so on

  • Csrss.exe—The program that handles tasks like creating threads, console windows, and so forth

Of particular interest in forensics are those programs that are named similarly to the system processes. If you see a running process with a similar name (for example, Lsassx.exe), that could indicate the presence of malware.
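The lookalike-name check described above can be automated over a process listing. The following is an added example, not code from the book; it compares each running process name (case-insensitively, since Windows file names are) against the genuine system process names from the list above and flags near misses such as an extra character or a digit swapped for a letter, using edit distance. `SAMPLE_PROCESS_LIST` is constructed sample data standing in for a Task Manager listing; the distance threshold of 2 is this example's own choice.

```python
# Process names the chapter lists as part of Windows (lower-cased).
KNOWN_SYSTEM_PROCESSES = {
    "smss.exe", "winlogon.exe", "lsass.exe", "explorer.exe", "csrss.exe",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(running, known=KNOWN_SYSTEM_PROCESSES, max_distance=2):
    """Return {process_name: (closest_known_name, distance)} for near-miss names.

    Exact matches to a genuine system name are never flagged; names within
    max_distance edits of one are.
    """
    flagged = {}
    for name in running:
        n = name.lower()
        if n in known:
            continue
        closest, dist = min(((k, edit_distance(n, k)) for k in known),
                            key=lambda kd: kd[1])
        if dist <= max_distance:
            flagged[n] = (closest, dist)
    return flagged


# Constructed sample of running process names, as a Task Manager listing might show them.
SAMPLE_PROCESS_LIST = [
    "csrss.exe", "Lsassx.exe", "winlogon.exe", "win1ogon.exe",
    "explorer.exe", "expl0rer.exe", "notepad.exe", "smss.exe",
]

if __name__ == "__main__":
    for name, (ref, d) in find_lookalikes(SAMPLE_PROCESS_LIST).items():
        print(f"{name}: resembles {ref} (edit distance {d})")
```

A flagged name is a lead, not a verdict: the next step in an examination is to record where the flagged executable lives on disk and hash it, and the same check is worth running over the list of services and autostart entries, not only the live process table.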