Windows Forensic Analysis | Proper Explanation

Organization of this Book

This book is organized into nine chapters following this preface. Those chapters are:

Chapter 1: Live Response: Data Collection
This chapter addresses the basic issues of collecting volatile data from live systems. Because of
several factors (an increase in sophistication of cybercrime, increases in storage capacity, etc.),
live response has gained a great deal of interest, and responders are recognizing the need for
live response more and more every day. This increase in interest has not been restricted to consultants such as me, either—law enforcement is beginning to see the need for collecting volatile information from live systems in order to support an investigation. This chapter lists tools and methodologies you can use to collect volatile information and presents the most recent incarnation of the Forensic Server Project.

Chapter 2: Live Response: Data Analysis
I’ve separated data collection and data analysis, as I see them as two separate issues. In many
cases, the data that you want to collect doesn’t change, as you want to get a snapshot of the
activity on the system at a point in time. However, how you go about interpreting that data
is what may be important to your case. Also, it’s not unusual to approach a scene and find
that the initial incident report is only a symptom of what is really happening on the system
or that it has nothing to do with the real issue at all. During live response, how you analyze
the data you’ve collected, and what you look for, can depend on whether you’re investigating
a fraud case, an intrusion, or a malware infection. This chapter presents a framework for
correlating and analyzing the data collected during live response in order to develop a
cohesive picture of activity on the system and make analysis and identification of the root
cause a bit easier and more understandable.

Chapter 3: Windows Memory Analysis
Windows memory analysis is an area of study that has really taken off since its formal
introduction to the community during the summer of 2005, and it really grew by leaps and
bounds in 2008. In the past, if the contents of physical memory (i.e., RAM) were collected
from a live system, they were searched for strings (i.e., potential passwords), IP and e-mail
addresses, and then archived. Unfortunately, any information found in this manner had little
context. Thanks to research that has been done since the DFRWS 2005 Memory Challenge,
methods of obtaining RAM dumps have been investigated, and data within those RAM
dumps can be identified and extracted on a much more granular level, even to the point of
pulling an executable image out of the dump file. This chapter attempts to provide a snapshot
of what tools are available for performing memory collection and analysis, demonstrating what
data can be collected (e.g., Registry hives, encrypted passwords, etc.) from memory dumps.

Chapter 4: Registry Analysis
The Windows Registry maintains a veritable plethora of information regarding the state of
the system, and in many cases, the Registry itself can be treated like a log file, as the
information that it maintains has a time stamp associated with it in some manner. However,
because of the nature of how the data is stored, searches for ASCII or even Unicode strings
do not reveal some of the most important and useful pieces of information. This chapter…
