
Mastering Windows Network Forensics and Investigation

Steve Anson, Steve Bunting, Ryan Johnson, Scott Pearson

$99.95

Paperback


English
Sybex Inc.,U.S.
08 June 2012
An authoritative guide to investigating high-technology crimes

Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more dire. This professional-level book--aimed at law enforcement personnel, prosecutors, and corporate investigators--provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals.

Specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network
Places a special emphasis on how to thoroughly investigate criminal activity and not just perform the initial response
Walks you through ways to present technically complicated material in simple terms that will hold up in court
Features content fully updated for Windows Server 2008 R2 and Windows 7
Covers the emerging field of Windows Mobile forensics

Also included is a classroom support package to ensure academic adoption. Mastering Windows Network Forensics and Investigation, 2nd Edition offers help for investigating high-technology crimes.

Imprint:   Sybex Inc.,U.S.
Country of Publication:   United States
Edition:   2nd edition
Dimensions:   Height: 236mm,  Width: 188mm,  Spine: 36mm
Weight:   1.025kg
ISBN:   9781118163825
ISBN 10:   1118163826
Pages:   704
Audience:   Professional and scholarly ,  Undergraduate
Format:   Paperback
Publisher's Status:   Active
Table of Contents

Introduction xvii

Part 1 Understanding and Exploiting Windows Networks 1

Chapter 1 Network Investigation Overview 3
Performing the Initial Vetting 3; Meeting with the Victim Organization 5; Understanding the Victim Network Information 6; Understanding the Incident 8; Identifying and Preserving Evidence 9; Establishing Expectations and Responsibilities 11; Collecting the Evidence 12; Analyzing the Evidence 15; Analyzing the Suspect's Computers 18; Recognizing the Investigative Challenges of Microsoft Networks 21; The Bottom Line 22

Chapter 2 The Microsoft Network Structure 25
Connecting Computers 25; Windows Domains 27; Interconnecting Domains 29; Organizational Units 34; Users and Groups 35; Types of Accounts 36; Groups 40; Permissions 44; File Permissions 45; Share Permissions 48; Reconciling Share and File Permissions 50; Example Hack 52; The Bottom Line 61

Chapter 3 Beyond the Windows GUI 63
Understanding Programs, Processes, and Threads 64; Redirecting Process Flow 67; DLL Injection 70; Hooking 74; Maintaining Order Using Privilege Modes 78; Using Rootkits 80; The Bottom Line 83

Chapter 4 Windows Password Issues 85
Understanding Windows Password Storage 85; Cracking Windows Passwords Stored on Running Systems 88; Exploring Windows Authentication Mechanisms 98; LanMan Authentication 99; NTLM Authentication 103; Kerberos Authentication 108; Sniffing and Cracking Windows Authentication Exchanges 111; Using ScoopLM and BeatLM to Crack Passwords 114; Cracking Offline Passwords 121; Using Cain & Abel to Extract Windows Password Hashes 122; Accessing Passwords through the Windows Password Verifier 126; Extracting Password Hashes from RAM 127; Stealing Credentials from a Running System 128; The Bottom Line 134

Chapter 5 Windows Ports and Services 137
Understanding Ports 137; Using Ports as Evidence 142; Understanding Windows Services 149; The Bottom Line 155

Part 2 Analyzing the Computer 157

Chapter 6 Live-Analysis Techniques 159
Finding Evidence in Memory 159; Creating a Windows Live-Analysis Toolkit 161; Using DumpIt to Acquire RAM from a 64-Bit Windows 7 System 164; Using WinEn to Acquire RAM from a Windows 7 Environment 166; Using FTK Imager Lite to Acquire RAM from Windows Server 2008 167; Using Volatility 2.0 to Analyze a Windows 7 32-Bit RAM Image 169; Monitoring Communication with the Victim Box 173; Scanning the Victim System 176; The Bottom Line 178

Chapter 7 Windows Filesystems 179
Filesystems vs. Operating Systems 179; Understanding FAT Filesystems 183; Understanding NTFS Filesystems 198; Using NTFS Data Structures 198; Creating, Deleting, and Recovering Data in NTFS 205; Dealing with Alternate Data Streams 208; The exFAT Filesystem 212; The Bottom Line 213

Chapter 8 The Registry Structure 215
Understanding Registry Concepts 215; Registry History 217; Registry Organization and Terminology 217; Performing Registry Research 228; Viewing the Registry with Forensic Tools 232; Using EnCase to View the Registry 234; Examining Information Manually 234; Using EnScripts to Extract Information 236; Using AccessData's Registry Viewer 246; Other Tools 251; The Bottom Line 254

Chapter 9 Registry Evidence 257
Finding Information in the Software Key 258; Installed Software 258; Last Logon 264; Banners 265; Exploring Windows Security, Action Center, and Firewall Settings 267; Analyzing Restore Point Registry Settings 276; Windows XP Restore Point Content 280; Analyzing Volume Shadow Copies for Registry Settings 284; Exploring Security Identifiers 290; Examining the Recycle Bin 291; Examining the ProfileList Registry Key 293; Investigating User Activity 295; Examining the PSSP and IntelliForms Keys 295; Examining the MRU Key 296; Examining the RecentDocs Key 298; Examining the TypedURLs Key 298; Examining the UserAssist Key 299; Extracting LSA Secrets 305; Using Cain & Abel to Extract LSA Secrets from Your Local Machine 306; Discovering IP Addresses 307; Dynamic IP Addresses 307; Getting More Information from the GUID-Named Interface 309; Compensating for Time Zone Offsets 312; Determining the Startup Locations 313; Exploring the User Profile Areas 316; Exploring Batch Files 318; Exploring Scheduled Tasks 318; Exploring the AppInit_DLL Key 320; Using EnCase and Registry Viewer 320; Using Autoruns to Determine Startups 320; The Bottom Line 322

Chapter 10 Introduction to Malware 325
Understanding the Purpose of Malware Analysis 325; Malware Analysis Tools and Techniques 329; Constructing an Effective Malware Analysis Toolkit 329; Analyzing Malicious Code 331; Monitoring Malicious Code 338; Monitoring Malware Network Traffic 346; The Bottom Line 348

Part 3 Analyzing the Logs 349

Chapter 11 Text-Based Logs 351
Parsing IIS Logs 351; Parsing FTP Logs 362; Parsing DHCP Server Logs 369; Parsing Windows Firewall Logs 373; Using Splunk 376; The Bottom Line 379

Chapter 12 Windows Event Logs 381
Understanding the Event Logs 381; Exploring Auditing Settings 384; Using Event Viewer 391; Opening and Saving Event Logs 403; Viewing Event Log Data 407; Searching with Event Viewer 411; The Bottom Line 418

Chapter 13 Logon and Account Logon Events 419
Begin at the Beginning 419; Comparing Logon and Account Logon Events 420; Analyzing Windows 2003/2008 Logon Events 422; Examining Windows 2003/2008 Account Logon Events 433; The Bottom Line 462

Chapter 14 Other Audit Events 463
The Exploitation of a Network 463; Examining System Log Entries 466; Examining Application Log Entries 473; Evaluating Account Management Events 473; Interpreting File and Other Object Access Events 490; Examining Audit Policy Change Events 500; The Bottom Line 503

Chapter 15 Forensic Analysis of Event Logs 505
Windows Event Log Files Internals 505; Windows Vista/7/2008 Event Logs 505; Windows XP/2003 Event Logs 513; Repairing Windows XP/2003 Corrupted Event Log Databases 524; Finding and Recovering Event Logs from Free Space 527; The Bottom Line 536

Part 4 Results, the Cloud, and Virtualization 537

Chapter 16 Presenting the Results 539
Report Basics 539; Creating a Narrative Report with Hyperlinks 542; Creating Hyperlinks 543; Creating and Linking Bookmarks 546; The Electronic Report Files 550; Creating Timelines 552; CaseMap and TimeMap 552; Splunk 555; Testifying about Technical Matters 560; The Bottom Line 562

Chapter 17 The Challenges of Cloud Computing and Virtualization 565
What Is Virtualization? 566; The Hypervisor 569; Preparing for Incident Response in Virtual Space 571; Forensic Analysis Techniques 575; Dead Host-Based Virtual Environment 576; Live Virtual Environment 584; Artifacts 586; Cloud Computing 587; What Is It? 587; Services 588; Forensic Challenges 589; Forensic Techniques 589; The Bottom Line 595

Part 5 Appendices 597

Appendix A The Bottom Line 599
Chapter 1: Network Investigation Overview 599; Chapter 2: The Microsoft Network Structure 601; Chapter 3: Beyond the Windows GUI 602; Chapter 4: Windows Password Issues 604; Chapter 5: Windows Ports and Services 606; Chapter 6: Live-Analysis Techniques 608; Chapter 7: Windows Filesystems 609; Chapter 8: The Registry Structure 611; Chapter 9: Registry Evidence 613; Chapter 10: Introduction to Malware 618; Chapter 11: Text-Based Logs 620; Chapter 12: Windows Event Logs 622; Chapter 13: Logon and Account Logon Events 623; Chapter 14: Other Audit Events 624; Chapter 15: Forensic Analysis of Event Logs 626; Chapter 16: Presenting the Results 628; Chapter 17: The Challenges of Cloud Computing and Virtualization 630

Appendix B Test Environments 633
Software 633; Hardware 635; Setting Up Test Environments in Training Laboratories 636; Chapter 1: Network Investigation Overview 636; Chapter 2: The Microsoft Network Structure 636; Chapter 3: Beyond the Windows GUI 637; Chapter 4: Windows Password Issues 637; Chapter 5: Windows Ports and Services 639; Chapter 6: Live-Analysis Techniques 639; Chapter 7: Windows Filesystems 640; Chapter 8: The Registry Structure 640; Chapter 9: Registry Evidence 642; Chapter 10: Introduction to Malware 643; Chapter 11: Text-Based Logs 643; Chapter 12: Windows Event Logs 644; Chapter 13: Logon and Account Logon Events 644; Chapter 14: Other Audit Events 644; Chapter 15: Forensic Analysis of Event Logs 645; Chapter 16: Presenting the Results 645; Chapter 17: The Challenges of Cloud Computing and Virtualization 645

Index 647

About the Authors

Steve Anson, CISSP, EnCE, is the cofounder of Forward Discovery. He has previously served as a police officer, FBI High Tech Crimes Task Force agent, Special Agent with the U.S. DoD, and an instructor with the U.S. State Department Antiterrorism Assistance Program (ATA). He has trained hundreds of law enforcement officers around the world in techniques of digital forensics and investigation.

Steve Bunting, EnCE, CCFT, has over 35 years of experience in law enforcement, and his background in computer forensics is extensive. He has conducted computer forensic examinations for numerous local, state, and federal agencies on a variety of cases, as well as testified in court as a computer forensics expert. He has taught computer forensics courses for Guidance Software and is currently a Senior Forensic Consultant with Forward Discovery.

Ryan Johnson, DFCP, CFCE, EnCE, SCERS, is a Senior Forensic Consultant with Forward Discovery. He was a digital forensics examiner for the Durham, NC, police and a Media Exploitation Analyst with the U.S. Army. He is an instructor and developer with the ATA.

Scott Pearson has trained law enforcement entities, military personnel, and network/system administrators in more than 20 countries for the ATA. He is also a certifying Instructor on the Cellebrite UFED Logical and Physical Analyzer Mobile Device Forensics tool and has served as an instructor for the DoD Computer Investigations Training Academy.
