Investigating windows systems автор harlan carvey - Доктор Windows

Academic Press, 14 авг. 2018 г. — Всего страниц: 136

0 Отзывы

Google не подтверждает отзывы, однако проверяет данные и удаляет недостоверную информацию.

Unlike other books, courses and training that expect an analyst to piece together individual instructions into a cohesive investigation, Investigating Windows Systems provides a walk-through of the analysis process, with descriptions of the thought process and analysis decisions along the way.

Investigating Windows Systems will not address topics which have been covered in other books, but will expect the reader to have some ability to discover the detailed usage of tools and to perform their own research. The focus of this volume is to provide a walk-through of the analysis process, with descriptions of the thought process and the analysis decisions made along the way.

A must-have guide for those in the field of digital forensic analysis and incident response.

Provides the reader with a detailed walk-through of the analysis process, with decision points along the way, assisting the user in understanding the resulting data
Coverage will include malware detection, user activity, and how to set up a testing environment
Written at a beginner to intermediate level for anyone engaging in the field of digital forensic analysis and incident response

Источник

Содержание

Книжная полка компьютерного криминалиста: 11 лучших книг по Digital Forensics, Incident Response и Malware Analysis
1. File Systems Forensic Analysis
2. Incident Response & Computer Forensics (третье издание)
3. Investigating Windows Systems
4. Digital Forensics and Incident Response (второе издание)
5. Windows Forensics Cookbook
6. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
7. Network Forensics
8. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices (четвертое издание)
9. Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques (второе издание)
10. Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
11. Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
Подборка книг по Digital Forensics, Incident Response, Malware Analysis
1. File Systems Forensic Analysis
2. Incident Response & Computer Forensics (третье издание)
3. Investigating Windows Systems
4. Digital Forensics and Incident Response (второе издание)
5. Windows Forensics Cookbook
6. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
7. Network Forensics
8. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices (четвертое издание)
9. Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques (второе издание)
10. Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
11. Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
Investigating Windows Systems

Книжная полка компьютерного криминалиста: 11 лучших книг по Digital Forensics, Incident Response и Malware Analysis

Хотите разобраться в компьютерной или мобильной криминалистике? Научиться реагированию на инциденты? Реверсу вредоносных программ? Проактивному поиску угроз (Threat Hunting)? Киберразведке? Подготовиться к собеседованию? В этой статье Игорь Михайлов, специалист Лаборатории компьютерной криминалистики Group-IB, собрал топ-11 книг по компьютерной криминалистике, расследованию инцидентов и реверсу вредоносных программ, которые помогут изучить опыт профессионалов, прокачать свои скиллы, получить более высокую должность или новую высокооплачиваемую работу.

Когда я пришел в компьютерную экспертизу — а это был в 2000 год — из методической литературы у специалистов было только 71 страничное пособие: «Общие положения по назначению и производству компьютерно-технической экспертизы: Методические рекомендации», выпущенное МВД России и ряд публикаций в различных периодических изданиях. И даже эти немногие материалы были доступны лишь ограниченному кругу. Приходилось искать, ксерокопировать, переводить иностранные книги по форензике — литература достойного качества по этой теме на русском языке отсутствовала.

Сейчас ситуация немного другая. Литературы очень много, как и раньше она преимущественно на английском языке. И чтобы сориентироваться в этом море информации, чтобы в 101 раз не перечитывать книгу, содержащую материал начального уровня, я подготовил эту подборку, изучить которую будет полезно как начинающим, так и профессионалам.

1. File Systems Forensic Analysis

автор: Brian Carrier

С чего начинается практически любое исследование цифрового объекта? С определения операционной и файловой систем исследуемого устройства. Автор книги проделал огромную работу по обобщению сведений о различных файловых системах. Читатель узнает много подробностей о том, как хранится информация на жестких дисках и RAID-массивах. Его ждет глубокое погружение в архитектуру и тонкости файловых систем на компьютерах под управлением Linux/BSD и под управлением операционных систем семейства Windows.

В своей работе автор использовал такой известнейший криминалистический инструмент, как Sleuth Kit (TSK), разработанный им на основе The Coroner’s Toolkit. Любой желающий может повторить шаги, проделанные автором с помощью этого инструмента, или провести свои исследования. Графическая оболочка Sleuth Kit — программа Autopsy — широко применяется для криминалистического анализа цифровых доказательств и расследования инцидентов.

Эта книга переведена на русский язык под названием «Криминалистический анализ файловых систем». Но будьте аккуратны с изложенной в ней информацией, так как в переводе есть неточности, которые в некоторых случаях серьезно искажают смысл.

2. Incident Response & Computer Forensics (третье издание)

авторы: Jason T. Luttgens, Matthew Pepe, Kevin Mandia

Книга является практическим руководством по расследованию инцидентов. В ней подробно расписаны все этапы расследования: от подготовки к реагированию на инцидент, криминалистического копирования цифровых доказательств и поиска артефактов инцидента в различных операционных системах (Windows, Linux, MacOS) до составления отчета о произошедшем инциденте.

Книга получилась настолько хорошей, что ее включили в комплект учебных материалов по курсу SANS «FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics» — топовому учебному курсу по расследованию инцидентов.

Существует переводное издание этой книги: «Защита от вторжений. Расследование компьютерных преступлений». Перевод издан в России двумя тиражами. Но поскольку переводилась первая версия книги, информация в ней устарела.

3. Investigating Windows Systems

автор: Harlan Carvey

Особенная книга от автора множества бестселлеров по компьютерной криминалистике. В ней автор рассказывает не только о технических деталях исследования артефактов Windows и расследования инцидентов, но и о своих методологических подходах. Философия от Харлэна Карви, специалиста с огромным опытом реагирования на инциденты, — бесценна.

4. Digital Forensics and Incident Response (второе издание)

автор: Gerard Johansen

Расследование инцидентов, анализ оперативной памяти, сетевая криминалистика и чуть-чуть классической форенсики — все это собрано в одной книге и описано легким, доступным языком.

Дополнительно читатель получит базовое представление об исследовании системных журналов, узнает принципы реверса вредоносных программ, основы проактивного поиска угроз (Threat Hunting’а) и киберразведки (Threat Intelligence), а также ознакомится с правилами написания отчетов.

5. Windows Forensics Cookbook

авторы: Oleg Skulkin, Scar de Courcier

Эта книга, которую написал в соавторстве мой коллега по Group-IB Олег Скулкин, представляет собой сборник советов («рецептов») о том, как действовать в той или иной ситуации при исследовании артефактов операционной системы Windows 10. Материал построен по принципу: имеется проблема — авторы приводят пошаговое руководство по ее решению (от того, каким инструментом можно решить проблему и где его взять, до того, как настроить и правильно применить этот инструмент). Приоритет в книге отдан бесплатным утилитам. Поэтому у читателя не будет необходимости приобретать дорогие специализированные криминалистические программы. В книге 61 совет — это охватывает все типовые задачи, с решением которых обычно сталкивается исследователь при анализе Windows. Кроме классических криминалистических артефактов, в книге рассмотрены примеры анализа артефактов, характерных только для Windows 10.

6. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

автор: Michael Hale Ligh

Огромный (более 900 страниц), прямо-таки академический труд, посвященный исследованию оперативной памяти компьютеров. Книга разделена на четыре основных части. Первая часть знакомит читателя с тем, как устроена оперативная память компьютера и как криминалистически правильно захватить данные, которые в ней находятся. В трех последующих частях подробно рассказывается о подходах к извлечению артефактов из дампов оперативной памяти компьютеров под управлением операционных систем Windows, MacOS и Linux.
Рекомендуется к прочтению тем, кто решил максимально подробно разобраться в том, какие криминалистические артефакты можно найти в оперативной памяти.

7. Network Forensics

Эта книга для тех, кто хочет погрузиться в изучение сетевой криминалистики. Читателю рассказывается об архитектуре сетевых протоколов. Затем описываются методы захвата и анализа сетевого трафика. Рассказывается, как детектировать атаки на основе данных из сетевого трафика и системных журналов операционных систем, роутеров и свитчей.

8. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices (четвертое издание)

авторы: Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty

За последние десять лет мир сильно изменился. Все личные данные (фотографии, видео, переписка в мессенджерах и т.п.) перекочевали с персональных компьютеров и ноутбуков в смартфоны. Книга «Practical Mobile Forensics» — бестселлер издательства Packt Publishing, она издавалась уже четыре раза. В книге подробно рассказывается об извлечении данных из смартфонов под управлением операционных систем iOS, Android, Windows 10, о том, как проводить восстановление и анализ извлеченных данных, как анализировать данные приложений, установленных в смартфонах. Также эта книга знакомит читателя с принципами функционирования операционных систем на мобильных устройствах.

9. Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques (второе издание)

авторы: Oleg Skulkin, Donnie Tindall, Rohit Tamma

Исследование устройств под управлением операционной системы Android становится сложнее с каждым днем. Об этом мы писали в статье «Криминалистический анализ резервных копий HiSuite». Эта книга призвана помочь читателю глубоко погрузиться в анализ подобных мобильных устройств. Кроме традиционных практических советов по извлечению и анализу данных из Android-смартфонов, читатель узнает, как сделать копию оперативной памяти смартфона, произвести анализ данных приложений, сделать реверс вредоносной программы под Android и написать YARA-правило для детектирования подобных программ в памяти мобильных устройств.

10. Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

автор: Monnappa K. A.

Выпуск этой книги экспертное сообщество ожидало более года. И автор не подвел своих читателей. У него получилось очень хорошее пособие для тех, кто хочет начать свой путь в реверсе вредоносных программ. Информация изложена четко и доходчиво.

Читатель узнает, как настроить свою лабораторию для анализа вредоносных программ, ознакомится с методами статического и динамического анализа подобных программ, получит уроки работы с интерактивным дизассемблером IDA Pro, узнает, как обходить обфускацию — технологию, усложняющую изучение исходного кода программ.

Эта книга доступна в переводе на русском языке: «Анализ вредоносных программ».

11. Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

авторы: Alex Matrosov, Eugene Rodionov, Sergey Bratus

В данном издании рассматривается сложная тема: исследование руткитов и буткитов. Книга написана тремя профессионалами. В данной книге описываются как базовые принципы реверса вредоносных программ, так и сложные приемы, рассчитанные на профессиональных исследователей таких программ — вирусных аналитиков.

Читатель ознакомится с такими темами, как процесс загрузки 32- и 64-разрядных операционных систем Windows, на примерах вместе с авторами разберет методы анализа конкретных руткитов и буткитов, узнает о векторах атак на BIOS и UEFI и разработке методов детектирования подобных атак, узнает о применении виртуализации для анализа поведения буткитов.

Источник

Подборка книг по Digital Forensics, Incident Response, Malware Analysis

Хотите разобраться в компьютерной или мобильной криминалистике? Научиться реагированию на инциденты? Реверсу вредоносных программ? Проактивному поиску угроз (Threat Hunting)? Киберразведке? Подготовиться к собеседованию? В этой статье мы собрали топ-11 книг по компьютерной криминалистике, расследованию инцидентов и реверсу вредоносных программ, которые помогут изучить опыт профессионалов, прокачать свои скиллы, получить более высокую должность или новую высокооплачиваемую работу.

1. File Systems Forensic Analysis

автор: Brian Carrier

File Systems Forensic Analysis

2. Incident Response & Computer Forensics (третье издание)

авторы: Jason T. Luttgens, Matthew Pepe, Kevin Mandia

Incident Response & Computer Forensics (третье издание)

3. Investigating Windows Systems

автор: Harlan Carvey

Investigating Windows Systems

4. Digital Forensics and Incident Response (второе издание)

автор: Gerard Johansen

Digital Forensics and Incident Response (второе издание)

5. Windows Forensics Cookbook

авторы: Oleg Skulkin, Scar de Courcier

Windows Forensics Cookbook

6. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

автор: Michael Hale Ligh

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

7. Network Forensics

Network Forensics

8. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices (четвертое издание)

авторы: Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty

Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices (четвертое издание)

9. Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques (второе издание)

авторы: Oleg Skulkin, Donnie Tindall, Rohit Tamma

Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques (второе издание)

Исследование устройств под управлением операционной системы Android становится сложнее с каждым днем. Эта книга призвана помочь читателю глубоко погрузиться в анализ подобных мобильных устройств. Кроме традиционных практических советов по извлечению и анализу данных из Android-смартфонов, читатель узнает, как сделать копию оперативной памяти смартфона, произвести анализ данных приложений, сделать реверс вредоносной программы под Android и написать YARA-правило для детектирования подобных программ в памяти мобильных устройств.

10. Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

автор: Monnappa K. A.

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Эта книга доступна в переводе на русском языке: «Анализ вредоносных программ».

11. Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

авторы: Alex Matrosov, Eugene Rodionov, Sergey Bratus

Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

Источник

Investigating Windows Systems

Название: Investigating Windows Systems
Автор: Harlan Carvey
Издательство: Academic Press
Год: 2018
Страниц: 136
Формат: True PDF
Размер: 10 Mb
Язык: English

Investigating Windows Systems will not address topics which have been covered in other books, but will expect the reader to have some ability to discover the detailed usage of tools and to perform their own research. The focus of this volume is to provide a walk-through of the analysis process, with descriptions of the thought process and the analysis decisions made along the way.

A must-have guide for those in the field of digital forensic analysis and incident response.

Provides the reader with a detailed walk-through of the analysis process, with decision points along the way, assisting the user in understanding the resulting data
Coverage will include malware detection, user activity, and how to set up a testing environment
Written at a beginner to intermediate level for anyone engaging in the field of digital forensic analysis and incident response

Источник

Book description

A must-have guide for those in the field of digital forensic analysis and incident response.

Provides the reader with a detailed walk-through of the analysis process, with decision points along the way, assisting the user in understanding the resulting data
Coverage will include malware detection, user activity, and how to set up a testing environment
Written at a beginner to intermediate level for anyone engaging in the field of digital forensic analysis and incident response

Источник

About This Book

A must-have guide for those in the field of digital forensic analysis and incident response.

Provides the reader with a detailed walk-through of the analysis process, with decision points along the way, assisting the user in understanding the resulting data
Coverage will include malware detection, user activity, and how to set up a testing environment
Written at a beginner to intermediate level for anyone engaging in the field of digital forensic analysis and incident response

Access to over 1 million titles for a fair monthly price.

Study more efficiently using our study tools.

Information

Chapter 1

The Analysis Process

Abstract

Forensic analysis is an iterative process; analysts do not take one walk through the data and are then done. Rather, an analyst will start by looking for something, and may find additional items or “pivot points” that take their analysis in a new direction. At the same time, analysts need to be careful to avoid “rabbit holes,” points of interest during analysis that take them off track. Finally, significant value has been demonstrated in developing intelligence from an investigation and “baking it back into” both tools and processes.

Keywords

Analysis; process; documentation; sharing

Information In This Chapter

• The Analysis Process
• The Rest of This Book

Introduction

There are a number of resources available that talk about the digital forensic analysis of Windows systems, including some books and blogs posts that I have written. There are courses available through community colleges, universities, and online resources that do the same sort of thing. However, most of these resources follow a similar format; that is, data sources or “artifacts” are presented and discussed, often independent of and isolated from the overall “system” itself. After all, a modern computer system is just that…a system of myriad, interacting components that include the hardware, operating system, applications, and user(s). Tools to parse these data sources are illustrated, demonstrated, and discussed. And then…that is it. What is missing from these resources is any discussion of the analyst’s thought processes and decisions; why is a particular data source of interest? What does the data mean, and based on that meaning, what decision path (or paths) does that lead the analyst down? Most (albeit not all) of the available resources put the pieces on the table, and expect the investigator to assemble the puzzle themselves. Few demonstrate to any great degree how those pieces are connected, and how the interpretation of that data answers the goals of the analysis.

I have spent most of my career (after leaving active duty service in the military) in information security as a consultant, and as such, I tend to approach the topic of analysis from that perspective. What that means is that I have had the opportunity in any given month or year to experience different incidents, from different environments, with different goals in mind. While I am not a member of law enforcement, I have assisted law enforcement officers in analyzing and understanding various artifacts. This also means that when I am involved in performing digital forensic analysis as part of an incident response, I have usually operated within a time limit (i.e., a contract specifying a specific number of hours, or a range), and under a specific set of goals (i.e., determine the initial infection vector (IIV), or “how did the malware get on the system”?). This requires a more structured and focused approach to analysis than other environments; a friend of mine was once bouncing some ideas around with me, and started off his description of the situation he was in with, “…I have been looking at this one system for three months.” I cannot say that I have ever operated in an environment or position where I had that kind of time available to look at one system.

My intention in writing this book is to lay out how I would go about analyzing a Windows image, from start (I have an image acquired from a Windows system) to finish (I have completed my analysis). More importantly, I want to share my thought processes along the way, how the data is interpreted, where that data and interpretation leads me, and ultimately how the analysis process provides answers.

The Analysis Process

What is “digital forensic analysis”? When we say, “I did digital forensic analysis,” what does that mean? To be honest, I think it is one of those terms that we use, often without really thinking about what it means. Does it mean that we opened our favorite (or available) commercial or open source application and found a data point? No, it does not. What it does mean is that as analyst, you have applied the wealth of your training, knowledge, and experience (and through a collaboration mechanism, the shared knowledge and experience of others…) to interpret a particular set of data so that someone else can understand what happened, and use that at the basis for making decisions.

The purpose of digital forensic analysis, and hence, an analyst’s job, is to paint a narrative that informs those who need to make critical business (or legal) decisions. This means that you cannot put a bunch of facts or data points “on paper” and expect whoever is reading it (your client) to connect the dots. The analyst’s job is to build an outline and start filling in the picture, addressing the client’s questions and analysis goals. You do this by collecting the available and appropriate data, and then extracting and interpreting those elements or data points that are pertinent to answering the analysis goals or questions. The keys to this, although not the sum total, are to extract all of the relevant and pertinent data points, and to interpret them correctly. Not extracting all or most of the relevant data points will leave gaps in your interpretation, and not interpreting the data correctly will lead to incorrect findings, which in turn will incorrectly inform decision makers.

Does that make sense? If not, allow me to share an example I see quite often, and one that I have seen discussed publicly during conferences. An analyst is interested in answering questions of process execution on a Windows system, and finds a suspicious entry in the AppCompatCache data extracted from the System Registry hive. The analyst incorrectly interprets the time stamp associated with the entry as indicating the date and time that the suspiciously named application was executed; unfortunately, the time stamp is the last modification time extracted from the file system metadata (specifically, from the $STANDARD_INFORMATION attribute within the master file table, or MFT). Not realizing their misunderstanding and subsequent misinterpretation of the data, and also not realizing that the time stamp (within the MFT) is easily modified, the analyst then tells the client that their “window of exposure” or “window of compromise” incorrectly extends back to 2009.

So how is this important? Well, for one, if you have ever done analysis for a payment card industry breach, you know that many organizations that process credit cards have information about how many transactions that they process daily, weekly, or monthly. They maintain this information because it is important (the reasons why are beyond the scope of this book). If they were compromised 6 weeks ago, and you tell them (incorrectly) that they were compromised 3 years ago, that finding significantly impacts the number of potentially compromised credit card numbers, and will tremendously impact the fines that they receive. The same can be said when dealing with other breaches, as well. Incorrect interpretation of data will lead to incorrect findings communicated to the client, who will in turn make decisions based on those incorrect findings.

For me, analysis has always been a process; that is to say, it is not something you do one time, make one pass at the data, and then you are done. It is a series of steps that one follows to get from point A to point B, starting with why we are collecting data in the first place, moving on to the data that is provided and ultimately getting to your findings, or as far as you can get given the data. Some of the steps along the way will have you going back to the data again in an iterative fashion; something you find will lead you to look deeper at some of the data you have, or look for additional data, or move to another artifact all together.

Analyzing an image acquired from a Windows system is not a “one pass” thing. You do not usually start at byte 0, run all the way to the end, and you are done. Similarly, analysis is not a matter of running an automated tool or two, maybe an antivirus scan (or two), and you are done. More often, one finding will lead to another, which will lead to another data source from the image to examine (page file, hibernation file, etc.), and the outline you started with will begin to be filled in as the narrative is being developed.

Using some simple PowerPoint skills, I developed a graphical representation of what “the analysis process” looks like to me; that graphic is illustrated in Fig. 1.1.

Figure 1.1 The analysis process.

As illustrated in Fig. 1.1, the analysis process starts with the goals of the analysis, proceeds to the analysis plan (your plan to “approach” the data), through to the actual analysis (and maintenance of case notes) to reporting and finally, lessons learned. You will also notice that throughout the process there is “documentation.”

I know what you are thinking…documentation. That means I have to write stuff, and writing is hard. Yeah, I get that…in the time I have been part of the tech industry, one of the consistent things I have seen is that technical folks, for the most part, do not like to write.

The purpose of the analysis process, the reason we need to have an analysis process, is to inform further analysis, and to ultimately inform both the development and application of an overall security program. Digital forensic analysis is an often overlooked piece of the incident response (and by extension, threat intelligence) puzzle; however, examination of endpoint systems will often provide us a much more granular picture of the actions taken by an intruder, adversary, or malicious insider. With the appropriate instrumentation of endpoints (i.e., to say, with the right stuff installed on endpoints), we can get a wealth of information about a “bad guy’s” actions that are not available to us through network monitoring or log analysis.

Analysis is very often an iterative process. We will often start with some sort of finding or indicator, use that to develop new information, and “pivot” from there. Then we find something else, and “pivot” again, continuing to build toward the narrative of our findings, addressing the goals of the analysis itself.

The approach I have taken to analyze has always been iterative, adding overlays one (or more) at a time as the picture becomes more clear. The “give me everything” approach has never worked for me, in part because it simply provides too much information, a great deal of which I do not need. Further, the “give me everything” approach tends to not provide everything.

Goals

All examinations have to start somewhere. If you are a consultant (how I have spent the majority of my private sector career), that “somewhere” is most likely a call from a client. If you are in an “internal” position, working as a full-time employee within a company, that “somewhere” maybe the IT director telling you that a system may have been compromised, or perhaps the HR director asking for your assistance with a “violation of acceptable use policy” case. Regardless of your position, or the impetus for the call, all of us can probably agree that there is a discussion that takes place between the analyst and the principal (or client), as the analyst works to develop and determine some background for the examination, understanding what the principal is interested in understanding or demonstrating, with respect to the issue at hand. Very often, this involves the analyst asking questions of the principal and then doing an internal translation of the principal’s responses into the data that the analyst will need in order to best accomplish the task before them.

Most often, this discussion between the analyst and the principal not only informs the need to collect data and helps determine what data should be collected. Are there logs from network devices available? Which systems, and how many, need to be collected? Is it sufficient to collect volatile data from systems, or is a full memory capture and hard drive acquisition required? Is there any network flow data available, or should we consider placing a laptop on a span port on the switch in order to collect pcaps? Some of these questions may be answered directly by the principal, while others will be addressed through the analyst’s own internal dialog.

In most cases, the final phase of this discussion centers around the goals of the analysis to be conducted; what would the principal like the analyst to determine, illustrate, or show? What informs the work that the analyst will ultimately do is the question(s) that the principal would like answered. In some ways, there can be no analysis without some sort of goals; after all, without analysis goals, what will the analyst look at or examine?

Analysis must always start with goals. Goals are the key component of any analysis. Before starting on your analysis, you must have a detailed understanding of what it is you are attempting to show or demonstrate. Having those goals documented and in front of you during your analysis will also keep you focused on the task at hand, which is important to those who have a schedule to meet, or have a purchase order authorizing a specific number of hours for the analysis. Hey, I have been just as guilty of this as the next guy…you are going about your analysis and all of sudden, that little voice in your head goes, “oh, my, that is interesting…” …although in my case, it is been more like “LOOKASQUIRREL!!” At that point you are going down a rabbit hole that just seems to have no end, and it takes a call (or scream) of nature to bring you back to the real world.

When working with the principal (or client), it is a good idea to remember that very often, they are relying on your expertise as an analyst to help guide them with respect to goals that are achievable. They have their concerns and issues that they have to address, they have business decisions they need to make, and they have someone to whom they have to answer. As such, as analysts, it is our job to do more than simply take what they say and run with it; we need to set their expectations with respect to what can be achieved given the available data, as well as the time frame in which that can be achieved. We need to work with the principal to develop goals that make sense, are something …

Citation styles for Investigating Windows SystemsHow to cite Investigating Windows Systems for your reference list or bibliography: select your referencing style from the list below and hit ‘copy’ to generate a citation. If your style isn’t in the list, you can start a free trial to access over 20 additional styles from the Perlego eReader.

APA 6 Citation

Carvey, H. (2018). Investigating Windows Systems ([edition unavailable]). Elsevier Science. Retrieved from https://www.perlego.com/book/1829107/investigating-windows-systems-pdf (Original work published 2018)

Chicago Citation

Carvey, Harlan. (2018) 2018. Investigating Windows Systems. [Edition unavailable]. Elsevier Science. https://www.perlego.com/book/1829107/investigating-windows-systems-pdf.

Harvard Citation

Carvey, H. (2018) Investigating Windows Systems. [edition unavailable]. Elsevier Science. Available at: https://www.perlego.com/book/1829107/investigating-windows-systems-pdf (Accessed: 15 October 2022).

MLA 7 Citation

Carvey, Harlan. Investigating Windows Systems. [edition unavailable]. Elsevier Science, 2018. Web. 15 Oct. 2022.

Источник

Investigating Windows Systems

Автор: bhaer от 9-09-2018, 22:53, Коментариев: 0

Категория: КНИГИ » ОС И БД

A must-have guide for those in the field of digital forensic analysis and incident response.

Нашел ошибку? Есть жалоба? Жми!
Пожаловаться администрации

Уважаемый посетитель, Вы зашли на сайт как незарегистрированный пользователь.
Мы рекомендуем Вам зарегистрироваться либо войти на сайт под своим именем.

Информация
Посетители, находящиеся в группе Гости, не могут оставлять комментарии к данной публикации.

Источник

Author 7 books358 followers

January 29, 2019

Right to the point, aka TL:DR

This is a good book. If the title fits with what you are currently doing or want to do, then this book is for you and worth it. I recommend that this be one of your books on your DFIR book shelf.

About the book (not the content, but the book):

I’ll get to the one thing about Investigating Windows Systems (IWS) right off the bat. The book is physically small. I am only coming right out about the size because I have read comments online about the size, and personally, when I first saw the book, my thought was “Wow. It’s small.”

Print quality is very good, better in fact than many similar books. The layout, callouts, and information boxes are all well done. Graphics are in black & white and could only be better if they were in color. Color is more expensive, so black & white works to keep book prices under control.

The text is easy on the eyes, and the separated sections with bold section headers are helpful when flipping back to previous pages to review content.

The important part: Contents!

I have to address the size again, only because of comments that I have read and a conversation that I had about the size where some were judging the contents by the size of the book. This is my take on the size of a book:

If a book weighs 10 pounds, is 10 inches wide, cost 10 dollars, but the information value is only worth 10 cents, then that book is a rock.
Conversely, if a book is small, full of valuable content, then that book is a gold nugget regardless of cost or size.
IWS is a gold nugget. Small but packs a punch. This is not a book for anyone who judges a book by its cover or its weight or its price. This is a book judged by its content.

The most important aspect of this book that I like, is that of Harlan Carvey’s thoughts being in text. Thoughts, as in, what he thinks and what his objectives are in addressing an analysis. Coupled with using publicly available images and open source tools, you get a full picture of “What would Harlan do?” in the images he has chosen.

But do not misunderstand my point. I do not mean that Harlan is right, or that his plans and objectives are best, or that he is even on the right track. I mean that he lays out the methods and processes that he uses so that you can at least see and feel how someone else does what you will probably do differently. This is a good thing for more reasons that I can describe, because every examiner is different, every case is different, and every day is different in how you will approach a problem. IWS gives you the perspective of someone else working cases and how they think.

This is one of the things that I find missing in many DFIR texts . The “how to” is always an easy thing to teach, to write, and to do. Click here. Click there. Copy here. Paste there. I am always on the lookout for the books that guide you in how to ‘think’, not ‘what to do’. The ‘what to do’ changes like the wind depending on the circumstance. Knowing how to think handles any changes you come across.

As one example, Harlan uses the CFReDS hacking case image (from NIST). He states the analysis goals, things to consider, an analysis plan, works through the exercises, and talks about lesson learned. Every case should be a lesson learned. There has not been a case that I have not reflected back on and learned something. This is a point to be made in any DFIR teachings. Reflect back and learn. You should know and accept, that if you re-worked any case that you worked before, you could do it better this time. That doesn’t mean you did a bad job, it just means that you learned and will do better on the next case, and the next case, and the next case.

I wrote about this concept in a blog post ( https://brettshavers.com/brett-s-blog… ) about figuring things out yourself. To clarify a little more, I don’t mean that we should flounder on the floor trying to figure out everything without help, but that when given guidance on “how to think”, we can figure out practically anything on our own. That is where IWS shines in the aspect of thought processes.

I must confess something about every DFIR book that I have ever read. Of all the books that contained exercises, I have not done every exercise. I have actually just read them and took for granted that the author was correct in showing how the exercises are done. I have done some exercises, but certainly not all. This was the first book that I did every exercise. Partly because all the evidence files and tools are readily available, partly because I could follow along in the book, but mostly because I wanted to see if my thought processes were the same, similar, or completely different. My result was that some of my thought process were the same, some were similar, and some were completely different.

Harlan mentions in the book that he set out to learn something, but ended up learning something that he had not planned on. That’s the way it works when you do it right.

If you have read anything that I have written, or been in a class or presentation that I have given, then you probably have heard me say that if you learn “one thing” that makes a world of difference in your life or work, then the time you spent learning that “one thing” was worth it. Whether you learned it in a classroom, book, video, conference, or working a case doesn’t matter. As long as you learned that “one thing”. This book certainly has that one thing for you.

Источник