Academic Press, Aug 14, 2018. 136 pages.
Unlike other books, courses and training that expect an analyst to piece together individual instructions into a cohesive investigation, Investigating Windows Systems provides a walk-through of the analysis process, with descriptions of the thought process and analysis decisions along the way.
Investigating Windows Systems will not address topics which have been covered in other books, but will expect the reader to have some ability to discover the detailed usage of tools and to perform their own research. The focus of this volume is to provide a walk-through of the analysis process, with descriptions of the thought process and the analysis decisions made along the way.
A must-have guide for those in the field of digital forensic analysis and incident response.
- Provides the reader with a detailed walk-through of the analysis process, with decision points along the way, assisting the user in understanding the resulting data
- Coverage will include malware detection, user activity, and how to set up a testing environment
- Written at a beginner to intermediate level for anyone engaging in the field of digital forensic analysis and incident response
Contents
- The Computer Forensic Examiner's Bookshelf: 11 Best Books on Digital Forensics, Incident Response and Malware Analysis
- 1. File System Forensic Analysis
- 2. Incident Response & Computer Forensics (3rd edition)
- 3. Investigating Windows Systems
- 4. Digital Forensics and Incident Response (2nd edition)
- 5. Windows Forensics Cookbook
- 6. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
- 7. Network Forensics
- 8. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices (4th edition)
- 9. Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques (2nd edition)
- 10. Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
- 11. Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
- Investigating Windows Systems
The Computer Forensic Examiner's Bookshelf: 11 Best Books on Digital Forensics, Incident Response and Malware Analysis
Want to get to grips with computer or mobile forensics? Learn incident response? Malware reverse engineering? Proactive threat hunting? Cyber threat intelligence? Prepare for a job interview? In this article Igor Mikhailov, a specialist at the Group-IB Digital Forensics Lab, has collected the top 11 books on computer forensics, incident investigation and malware reverse engineering that will help you learn from the experience of professionals, level up your skills, and get a more senior position or a new well-paid job.
When I came into computer forensic examination, which was in the year 2000, the only methodological literature available to specialists was a 71-page manual, «Общие положения по назначению и производству компьютерно-технической экспертизы: Методические рекомендации» ("General Provisions on the Appointment and Performance of Computer-Technical Expert Examination: Methodological Recommendations"), published by the Ministry of Internal Affairs of Russia, plus a number of publications in various periodicals. And even these few materials were accessible only to a limited circle. We had to search for, photocopy and translate foreign books on forensics; there was no literature of decent quality on this subject in Russian.
Today the situation is somewhat different. There is a great deal of literature, and as before it is mostly in English. To help navigate this sea of information, and to avoid re-reading for the 101st time a book that contains beginner-level material, I have prepared this selection, which will be useful to beginners and professionals alike.
1. File System Forensic Analysis
author: Brian Carrier
Where does almost any examination of a digital object begin? With identifying the operating system and the file system of the device under examination. The author has done an enormous amount of work summarizing information about various file systems. The reader will learn many details of how information is stored on hard disks and RAID arrays, and will get a deep dive into the architecture and intricacies of the file systems used on computers running Linux/BSD and on computers running the Windows family of operating systems.
In his work the author used the well-known forensic tool The Sleuth Kit (TSK), which he developed on the basis of The Coroner's Toolkit. Anyone can repeat the steps the author performed with this tool, or carry out their own research. The graphical front end for The Sleuth Kit, Autopsy, is widely used for forensic analysis of digital evidence and incident investigation.
This book has been translated into Russian under the title «Криминалистический анализ файловых систем» ("Forensic Analysis of File Systems"). But be careful with the information presented in it, because the translation contains inaccuracies that in some cases seriously distort the meaning.
2. Incident Response & Computer Forensics (3rd edition)
authors: Jason T. Luttgens, Matthew Pepe, Kevin Mandia
The book is a practical guide to incident investigation. It describes in detail every stage of an investigation: from preparing for incident response, forensic imaging of digital evidence and searching for incident artifacts in various operating systems (Windows, Linux, macOS) through to writing the report on the incident.
The book turned out so well that it was included in the set of course materials for the SANS course FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics, the top training course on incident investigation.
A translated edition of this book exists: «Защита от вторжений. Расследование компьютерных преступлений» ("Protection from Intrusions. Investigating Computer Crimes"). The translation has been printed in Russia in two print runs. But since it was the first edition of the book that was translated, the information in it is out of date.
3. Investigating Windows Systems
author: Harlan Carvey
A special book from the author of many best-sellers on computer forensics. In it the author talks not only about the technical details of examining Windows artifacts and investigating incidents, but also about his methodological approaches. The philosophy of Harlan Carvey, a specialist with vast incident response experience, is priceless.
4. Digital Forensics and Incident Response (2nd edition)
author: Gerard Johansen
Incident investigation, memory analysis, network forensics and a little classical forensics: all of this is collected in one book and described in a light, accessible style.
In addition, the reader will get a basic understanding of examining system logs, learn the principles of malware reverse engineering, the basics of proactive threat hunting and cyber threat intelligence, and become familiar with the rules of report writing.
5. Windows Forensics Cookbook
authors: Oleg Skulkin, Scar de Courcier
This book, co-written by my Group-IB colleague Oleg Skulkin, is a collection of tips ("recipes") on what to do in a given situation when examining artifacts of the Windows 10 operating system. The material follows one pattern: there is a problem, and the authors give step-by-step guidance on solving it (from which tool can solve the problem and where to get it, to how to configure and correctly apply that tool). The book gives priority to free utilities, so the reader will not need to buy expensive specialized forensic software. The book contains 61 recipes, which covers all the typical tasks an examiner usually faces when analyzing Windows. Besides classical forensic artifacts, the book looks at examples of analyzing artifacts that are specific to Windows 10.
6. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
author: Michael Hale Ligh
A huge (over 900 pages), downright academic work devoted to the examination of computer memory. The book is divided into four main parts. The first part introduces the reader to how a computer's RAM is organized and how to capture the data in it in a forensically sound way. The three following parts describe in detail approaches to extracting artifacts from memory dumps of computers running Windows, macOS and Linux.
Recommended reading for those who have decided to understand in the greatest possible detail what forensic artifacts can be found in RAM.
7. Network Forensics
This book is for those who want to immerse themselves in network forensics. The reader is told about the architecture of network protocols. Then methods of capturing and analyzing network traffic are described. It explains how to detect attacks based on data from network traffic and from the system logs of operating systems, routers and switches.
8. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices (4th edition)
authors: Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty
Over the past ten years the world has changed a lot. All personal data (photos, videos, messenger conversations, etc.) has migrated from desktop computers and laptops to smartphones. "Practical Mobile Forensics" is a Packt Publishing best-seller; it has already been published four times. The book describes in detail the extraction of data from smartphones running iOS, Android and Windows 10, how to recover and analyze the extracted data, and how to analyze the data of applications installed on smartphones. This book also introduces the reader to the principles of how mobile operating systems work.
9. Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques (2nd edition)
authors: Oleg Skulkin, Donnie Tindall, Rohit Tamma
Examining devices running the Android operating system is getting harder every day. We wrote about this in the article «Криминалистический анализ резервных копий HiSuite» ("Forensic Analysis of HiSuite Backups"). This book aims to help the reader dive deep into the analysis of such mobile devices. Besides traditional practical advice on extracting and analyzing data from Android smartphones, the reader will learn how to make a copy of a smartphone's RAM, analyze application data, reverse engineer an Android malware sample, and write a YARA rule to detect such programs in the memory of mobile devices.
10. Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
author: Monnappa K. A.
The expert community waited more than a year for this book to come out. And the author did not let his readers down. He has produced a very good textbook for those who want to start their journey in malware reverse engineering. The information is presented clearly and intelligibly.
The reader will learn how to set up their own malware analysis lab, become familiar with methods of static and dynamic analysis of such programs, get lessons in working with the IDA Pro interactive disassembler, and learn how to get past obfuscation, a technique that makes studying a program's code harder.
This book is available in Russian translation: «Анализ вредоносных программ» ("Malware Analysis").
11. Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
authors: Alex Matrosov, Eugene Rodionov, Sergey Bratus
This book deals with a difficult topic: the examination of rootkits and bootkits. It was written by three professionals. It describes both the basic principles of malware reverse engineering and advanced techniques aimed at professional researchers of such programs, that is, malware analysts.
The reader will become familiar with topics such as the boot process of 32- and 64-bit Windows operating systems, work through methods of analyzing specific rootkits and bootkits on examples together with the authors, learn about attack vectors against BIOS and UEFI and the development of methods for detecting such attacks, and learn about the use of virtualization to analyze bootkit behavior.
Investigating Windows Systems
Title: Investigating Windows Systems
Author: Harlan Carvey
Publisher: Academic Press
Year: 2018
Pages: 136
Format: True PDF
Size: 10 MB
Language: English
Chapter 1
The Analysis Process
Abstract
Forensic analysis is an iterative process; analysts do not take one walk through the data and are then done. Rather, an analyst will start by looking for something, and may find additional items or “pivot points” that take their analysis in a new direction. At the same time, analysts need to be careful to avoid “rabbit holes,” points of interest during analysis that take them off track. Finally, significant value has been demonstrated in developing intelligence from an investigation and “baking it back into” both tools and processes.
Keywords
Analysis; process; documentation; sharing
Information In This Chapter
- The Analysis Process
- The Rest of This Book
Introduction
There are a number of resources available that talk about the digital forensic analysis of Windows systems, including some books and blog posts that I have written. There are courses available through community colleges, universities, and online resources that do the same sort of thing. However, most of these resources follow a similar format; that is, data sources or “artifacts” are presented and discussed, often independent of and isolated from the overall “system” itself. After all, a modern computer system is just that…a system of myriad, interacting components that include the hardware, operating system, applications, and user(s). Tools to parse these data sources are illustrated, demonstrated, and discussed. And then…that is it. What is missing from these resources is any discussion of the analyst’s thought processes and decisions; why is a particular data source of interest? What does the data mean, and based on that meaning, what decision path (or paths) does that lead the analyst down? Most (albeit not all) of the available resources put the pieces on the table, and expect the investigator to assemble the puzzle themselves. Few demonstrate to any great degree how those pieces are connected, and how the interpretation of that data answers the goals of the analysis.
I have spent most of my career (after leaving active duty service in the military) in information security as a consultant, and as such, I tend to approach the topic of analysis from that perspective. What that means is that I have had the opportunity in any given month or year to experience different incidents, from different environments, with different goals in mind. While I am not a member of law enforcement, I have assisted law enforcement officers in analyzing and understanding various artifacts. This also means that when I am involved in performing digital forensic analysis as part of an incident response, I have usually operated within a time limit (i.e., a contract specifying a specific number of hours, or a range), and under a specific set of goals (i.e., determine the initial infection vector (IIV), or “how did the malware get on the system”?). This requires a more structured and focused approach to analysis than other environments; a friend of mine was once bouncing some ideas around with me, and started off his description of the situation he was in with, “…I have been looking at this one system for three months.” I cannot say that I have ever operated in an environment or position where I had that kind of time available to look at one system.
My intention in writing this book is to lay out how I would go about analyzing a Windows image, from start (I have an image acquired from a Windows system) to finish (I have completed my analysis). More importantly, I want to share my thought processes along the way, how the data is interpreted, where that data and interpretation leads me, and ultimately how the analysis process provides answers.
The Analysis Process
What is “digital forensic analysis”? When we say, “I did digital forensic analysis,” what does that mean? To be honest, I think it is one of those terms that we use, often without really thinking about what it means. Does it mean that we opened our favorite (or available) commercial or open source application and found a data point? No, it does not. What it does mean is that as an analyst, you have applied the wealth of your training, knowledge, and experience (and through a collaboration mechanism, the shared knowledge and experience of others…) to interpret a particular set of data so that someone else can understand what happened, and use that as the basis for making decisions.
The purpose of digital forensic analysis, and hence, an analyst’s job, is to paint a narrative that informs those who need to make critical business (or legal) decisions. This means that you cannot put a bunch of facts or data points “on paper” and expect whoever is reading it (your client) to connect the dots. The analyst’s job is to build an outline and start filling in the picture, addressing the client’s questions and analysis goals. You do this by collecting the available and appropriate data, and then extracting and interpreting those elements or data points that are pertinent to answering the analysis goals or questions. The keys to this, although not the sum total, are to extract all of the relevant and pertinent data points, and to interpret them correctly. Not extracting all or most of the relevant data points will leave gaps in your interpretation, and not interpreting the data correctly will lead to incorrect findings, which in turn will incorrectly inform decision makers.
Does that make sense? If not, allow me to share an example I see quite often, and one that I have seen discussed publicly during conferences. An analyst is interested in answering questions of process execution on a Windows system, and finds a suspicious entry in the AppCompatCache data extracted from the System Registry hive. The analyst incorrectly interprets the time stamp associated with the entry as indicating the date and time that the suspiciously named application was executed; unfortunately, the time stamp is the last modification time extracted from the file system metadata (specifically, from the $STANDARD_INFORMATION attribute within the master file table, or MFT). Not realizing their misunderstanding and subsequent misinterpretation of the data, and also not realizing that the time stamp (within the MFT) is easily modified, the analyst then tells the client that their “window of exposure” or “window of compromise” incorrectly extends back to 2009.
So how is this important? Well, for one, if you have ever done analysis for a payment card industry breach, you know that many organizations that process credit cards have information about how many transactions they process daily, weekly, or monthly. They maintain this information because it is important (the reasons why are beyond the scope of this book). If they were compromised 6 weeks ago, and you tell them (incorrectly) that they were compromised 3 years ago, that finding significantly impacts the number of potentially compromised credit card numbers, and will tremendously impact the fines that they receive. The same can be said when dealing with other breaches, as well. Incorrect interpretation of data will lead to incorrect findings communicated to the client, who will in turn make decisions based on those incorrect findings.
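As an added illustration of the AppCompatCache point above (this is not code from the book, and the entries, paths and timestamps are constructed), the following checker records what the cache timestamp actually means, confirms it against the file's $STANDARD_INFORMATION modified time, and flags the $STANDARD_INFORMATION/$FILE_NAME creation-time inconsistency that a modified time stamp commonly leaves behind. The $FILE_NAME comparison is a heuristic the excerpt does not spell out, not proof of tampering.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class AppCompatCacheEntry:
    """One record from the AppCompatCache value in the System hive (constructed)."""
    path: str
    timestamp: datetime


@dataclass
class MftRecord:
    """Timestamps taken from the file's MFT record (constructed values)."""
    path: str
    si_modified: datetime   # $STANDARD_INFORMATION last-modified time
    si_created: datetime    # $STANDARD_INFORMATION creation time
    fn_created: datetime    # $FILE_NAME creation time (set by the kernel)


def assess_entry(entry: AppCompatCacheEntry, mft: Optional[MftRecord]) -> dict:
    """Describe what the cache timestamp can and cannot support in a report."""
    finding = {
        "path": entry.path,
        # The cache stores the file's $STANDARD_INFORMATION last-modified time;
        # it is not the time the program was run.
        "timestamp_meaning": "$STANDARD_INFORMATION last-modified time, not execution time",
        "proves_execution_at_timestamp": False,
        "matches_si_modified": None,
        "possible_timestomp": None,
    }
    if mft is None:
        # No MFT record to compare against: the timestamp stays unverified.
        return finding
    finding["matches_si_modified"] = entry.timestamp == mft.si_modified
    # $STANDARD_INFORMATION times can be set from user mode; $FILE_NAME times
    # are written by the kernel when the record is created. An $SI creation time
    # earlier than the $FN creation time is a common timestomping indicator
    # (heuristic: some legitimate copy/move paths can also produce it).
    finding["possible_timestomp"] = mft.si_created < mft.fn_created
    return finding


def earliest_defensible_start(corroborated_execution_times) -> Optional[datetime]:
    """Window-of-exposure start: only from evidence that establishes execution.

    AppCompatCache timestamps are deliberately not accepted here; they belong
    to the file, not to a process, so they cannot anchor the window on their own.
    """
    times = list(corroborated_execution_times)
    return min(times) if times else None


if __name__ == "__main__":
    # Constructed scenario matching the excerpt: a cache entry whose timestamp
    # points to 2009, while the file record itself was only created six weeks ago.
    entry = AppCompatCacheEntry(r"C:\Temp\suspicious.exe",
                                datetime(2009, 6, 10, 12, 0, tzinfo=UTC))
    record = MftRecord(entry.path,
                       si_modified=datetime(2009, 6, 10, 12, 0, tzinfo=UTC),
                       si_created=datetime(2009, 6, 10, 12, 0, tzinfo=UTC),
                       fn_created=datetime(2018, 5, 1, 8, 30, tzinfo=UTC))
    finding = assess_entry(entry, record)
    for key, value in finding.items():
        print(f"{key}: {value}")
    # Without corroborating execution evidence the window has no defensible start.
    print("window start:", earliest_defensible_start([]))
```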
For me, analysis has always been a process; that is to say, it is not something you do one time, make one pass at the data, and then you are done. It is a series of steps that one follows to get from point A to point B, starting with why we are collecting data in the first place, moving on to the data that is provided and ultimately getting to your findings, or as far as you can get given the data. Some of the steps along the way will have you going back to the data again in an iterative fashion; something you find will lead you to look deeper at some of the data you have, or look for additional data, or move to another artifact altogether.
Analyzing an image acquired from a Windows system is not a “one pass” thing. You do not usually start at byte 0, run all the way to the end, and you are done. Similarly, analysis is not a matter of running an automated tool or two, maybe an antivirus scan (or two), and you are done. More often, one finding will lead to another, which will lead to another data source from the image to examine (page file, hibernation file, etc.), and the outline you started with will begin to be filled in as the narrative is being developed.
Using some simple PowerPoint skills, I developed a graphical representation of what “the analysis process” looks like to me; that graphic is illustrated in Fig. 1.1.
As illustrated in Fig. 1.1, the analysis process starts with the goals of the analysis, proceeds to the analysis plan (your plan to “approach” the data), through to the actual analysis (and maintenance of case notes) to reporting and finally, lessons learned. You will also notice that throughout the process there is “documentation.”
I know what you are thinking…documentation. That means I have to write stuff, and writing is hard. Yeah, I get that…in the time I have been part of the tech industry, one of the consistent things I have seen is that technical folks, for the most part, do not like to write.
The purpose of the analysis process, the reason we need to have an analysis process, is to inform further analysis, and to ultimately inform both the development and application of an overall security program. Digital forensic analysis is an often overlooked piece of the incident response (and by extension, threat intelligence) puzzle; however, examination of endpoint systems will often provide us a much more granular picture of the actions taken by an intruder, adversary, or malicious insider. With the appropriate instrumentation of endpoints (that is to say, with the right stuff installed on endpoints), we can get a wealth of information about a “bad guy’s” actions that is not available to us through network monitoring or log analysis.
Analysis is very often an iterative process. We will often start with some sort of finding or indicator, use that to develop new information, and “pivot” from there. Then we find something else, and “pivot” again, continuing to build toward the narrative of our findings, addressing the goals of the analysis itself.
The approach I have taken to analysis has always been iterative, adding overlays one (or more) at a time as the picture becomes more clear. The “give me everything” approach has never worked for me, in part because it simply provides too much information, a great deal of which I do not need. Further, the “give me everything” approach tends to not provide everything.
Goals
All examinations have to start somewhere. If you are a consultant (how I have spent the majority of my private sector career), that “somewhere” is most likely a call from a client. If you are in an “internal” position, working as a full-time employee within a company, that “somewhere” may be the IT director telling you that a system may have been compromised, or perhaps the HR director asking for your assistance with a “violation of acceptable use policy” case. Regardless of your position, or the impetus for the call, all of us can probably agree that there is a discussion that takes place between the analyst and the principal (or client), as the analyst works to develop and determine some background for the examination, understanding what the principal is interested in understanding or demonstrating, with respect to the issue at hand. Very often, this involves the analyst asking questions of the principal and then doing an internal translation of the principal’s responses into the data that the analyst will need in order to best accomplish the task before them.
Most often, this discussion between the analyst and the principal not only informs the need to collect data but also helps determine what data should be collected. Are there logs from network devices available? Which systems, and how many, need to be collected? Is it sufficient to collect volatile data from systems, or is a full memory capture and hard drive acquisition required? Is there any network flow data available, or should we consider placing a laptop on a span port on the switch in order to collect pcaps? Some of these questions may be answered directly by the principal, while others will be addressed through the analyst’s own internal dialog.
In most cases, the final phase of this discussion centers around the goals of the analysis to be conducted; what would the principal like the analyst to determine, illustrate, or show? What informs the work that the analyst will ultimately do is the question(s) that the principal would like answered. In some ways, there can be no analysis without some sort of goals; after all, without analysis goals, what will the analyst look at or examine?
Analysis must always start with goals. Goals are the key component of any analysis. Before starting on your analysis, you must have a detailed understanding of what it is you are attempting to show or demonstrate. Having those goals documented and in front of you during your analysis will also keep you focused on the task at hand, which is important to those who have a schedule to meet, or have a purchase order authorizing a specific number of hours for the analysis. Hey, I have been just as guilty of this as the next guy…you are going about your analysis and all of a sudden, that little voice in your head goes, “oh, my, that is interesting…” …although in my case, it has been more like “LOOKASQUIRREL!!” At that point you are going down a rabbit hole that just seems to have no end, and it takes a call (or scream) of nature to bring you back to the real world.
When working with the principal (or client), it is a good idea to remember that very often, they are relying on your expertise as an analyst to help guide them with respect to goals that are achievable. They have their concerns and issues that they have to address, they have business decisions they need to make, and they have someone to whom they have to answer. As such, as analysts, it is our job to do more than simply take what they say and run with it; we need to set their expectations with respect to what can be achieved given the available data, as well as the time frame in which that can be achieved. We need to work with the principal to develop goals that make sense, are something …
Investigating Windows Systems
Posted by: bhaer on 9-09-2018, 22:53, Comments: 0
Category: BOOKS » OS AND DATABASES
Title: Investigating Windows Systems
Author: Harlan Carvey
Publisher: Academic Press
Year: 2018
Pages: 136
Format: True PDF
Size: 10 Mb
Language: English
Right to the point, aka TL:DR
This is a good book. If the title fits with what you are currently doing or want to do, then this book is for you and worth it. I recommend that this be one of your books on your DFIR book shelf.
About the book (not the content, but the book):
I’ll get to the one thing about Investigating Windows Systems (IWS) right off the bat. The book is physically small. I am only coming right out about the size because I have read comments online about the size, and personally, when I first saw the book, my thought was “Wow. It’s small.”
Print quality is very good, better in fact than many similar books. The layout, callouts, and information boxes are all well done. Graphics are in black & white and could only be better if they were in color. Color is more expensive, so black & white works to keep book prices under control.
The text is easy on the eyes, and the separated sections with bold section headers are helpful when flipping back to previous pages to review content.
The important part: Contents!
I have to address the size again, only because of comments that I have read and a conversation that I had about the size where some were judging the contents by the size of the book. This is my take on the size of a book:
If a book weighs 10 pounds, is 10 inches wide, cost 10 dollars, but the information value is only worth 10 cents, then that book is a rock.
Conversely, if a book is small, full of valuable content, then that book is a gold nugget regardless of cost or size.
IWS is a gold nugget. Small but packs a punch. This is not a book for anyone who judges a book by its cover or its weight or its price. This is a book judged by its content.
The most important aspect of this book that I like, is that of Harlan Carvey’s thoughts being in text. Thoughts, as in, what he thinks and what his objectives are in addressing an analysis. Coupled with using publicly available images and open source tools, you get a full picture of “What would Harlan do?” in the images he has chosen.
But do not misunderstand my point. I do not mean that Harlan is right, or that his plans and objectives are best, or that he is even on the right track. I mean that he lays out the methods and processes that he uses so that you can at least see and feel how someone else does what you will probably do differently. This is a good thing for more reasons than I can describe, because every examiner is different, every case is different, and every day is different in how you will approach a problem. IWS gives you the perspective of someone else working cases and how they think.
This is one of the things that I find missing in many DFIR texts. The “how to” is always an easy thing to teach, to write, and to do. Click here. Click there. Copy here. Paste there. I am always on the lookout for the books that guide you in how to ‘think’, not ‘what to do’. The ‘what to do’ changes like the wind depending on the circumstance. Knowing how to think handles any changes you come across.
As one example, Harlan uses the CFReDS hacking case image (from NIST). He states the analysis goals, things to consider, an analysis plan, works through the exercises, and talks about lessons learned. Every case should be a lesson learned. There has not been a case that I have not reflected back on and learned something. This is a point to be made in any DFIR teachings. Reflect back and learn. You should know and accept that if you re-worked any case that you worked before, you could do it better this time. That doesn’t mean you did a bad job, it just means that you learned and will do better on the next case, and the next case, and the next case.
I wrote about this concept in a blog post ( https://brettshavers.com/brett-s-blog… ) about figuring things out yourself. To clarify a little more, I don’t mean that we should flounder on the floor trying to figure out everything without help, but that when given guidance on “how to think”, we can figure out practically anything on our own. That is where IWS shines in the aspect of thought processes.
I must confess something about every DFIR book that I have ever read. Of all the books that contained exercises, I have not done every exercise. I have actually just read them and took for granted that the author was correct in showing how the exercises are done. I have done some exercises, but certainly not all. This was the first book that I did every exercise. Partly because all the evidence files and tools are readily available, partly because I could follow along in the book, but mostly because I wanted to see if my thought processes were the same, similar, or completely different. My result was that some of my thought processes were the same, some were similar, and some were completely different.
Harlan mentions in the book that he set out to learn something, but ended up learning something that he had not planned on. That’s the way it works when you do it right.
If you have read anything that I have written, or been in a class or presentation that I have given, then you probably have heard me say that if you learn “one thing” that makes a world of difference in your life or work, then the time you spent learning that “one thing” was worth it. Whether you learned it in a classroom, book, video, conference, or working a case doesn’t matter. As long as you learned that “one thing”. This book certainly has that one thing for you.
Want to get to grips with computer or mobile forensics? Learn incident response? Malware reverse engineering? Proactive threat hunting? Cyber threat intelligence? Prepare for a job interview? In this article Igor Mikhailov, a specialist at the Group-IB Digital Forensics Laboratory, has collected the top 11 books on digital forensics, incident investigation and malware reverse engineering that will help you learn from the experience of professionals, sharpen your skills, and land a higher position or a new, better-paid job.
When I came into computer forensic examination, back in 2000, the only methodological literature available to specialists was a 71-page manual, «Общие положения по назначению и производству компьютерно-технической экспертизы: Методические рекомендации» (“General Provisions on the Appointment and Conduct of Computer-Technical Expert Examination: Methodological Recommendations”), issued by the Russian Ministry of Internal Affairs, plus a handful of publications in various periodicals. Even those few materials were accessible only to a limited circle. We had to search for, photocopy and translate foreign books on forensics; literature of decent quality on this subject simply did not exist in Russian.
The situation is somewhat different now. There is a great deal of literature, and as before it is mostly in English. To help navigate this sea of information, and to avoid re-reading for the 101st time a book that contains beginner-level material, I have put together this selection, which will be useful to beginners and professionals alike.
1. File Systems Forensic Analysis
author: Brian Carrier
Where does almost any examination of a digital object begin? With identifying the operating system and file system of the device under examination. The author has done an enormous amount of work summarising what is known about various file systems. The reader will learn many details of how information is stored on hard disks and RAID arrays, and gets a deep dive into the architecture and subtleties of file systems on computers running Linux/BSD and the Windows family of operating systems.
In his work the author used the well-known forensic tool The Sleuth Kit (TSK), which he developed on the basis of The Coroner’s Toolkit. Anyone can repeat the steps the author performed with this tool, or carry out their own research. The Sleuth Kit’s graphical front end, Autopsy, is widely used for forensic analysis of digital evidence and incident investigation.
This book has been translated into Russian under the title «Криминалистический анализ файловых систем» (“Forensic Analysis of File Systems”). But be careful with the information presented there, because the translation contains inaccuracies that in some cases seriously distort the meaning.
2. Incident Response & Computer Forensics (third edition)
authors: Jason T. Luttgens, Matthew Pepe, Kevin Mandia
The book is a practical guide to incident investigation. It describes in detail every stage of an investigation: from preparing for incident response, forensic imaging of digital evidence and searching for incident artifacts in various operating systems (Windows, Linux, macOS), to writing the report on the incident.
The book turned out so well that it was included in the set of course materials for the SANS course “FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics”, the top training course on incident investigation.
A translated edition of this book exists: «Защита от вторжений. Расследование компьютерных преступлений» (“Protection against Intrusions. Investigating Computer Crimes”). The translation has been published in Russia in two print runs. But since it was the first edition of the book that was translated, the information in it is outdated.
3. Investigating Windows Systems
author: Harlan Carvey
A special book from the author of many digital forensics bestsellers. In it the author talks not only about the technical details of examining Windows artifacts and investigating incidents, but also about his methodological approaches. The philosophy of Harlan Carvey, a specialist with enormous incident response experience, is priceless.
4. Digital Forensics and Incident Response (second edition)
author: Gerard Johansen
Incident investigation, memory analysis, network forensics and a bit of classical forensics: all of this is collected in one book and described in light, accessible language.
In addition, the reader gets a basic understanding of log examination, learns the principles of malware reverse engineering and the fundamentals of threat hunting and threat intelligence, and becomes familiar with the rules of report writing.
5. Windows Forensics Cookbook
authors: Oleg Skulkin, Scar de Courcier
This book, co-authored by my Group-IB colleague Oleg Skulkin, is a collection of tips (“recipes”) on what to do in a given situation when examining Windows 10 operating system artifacts. The material is organised on one principle: there is a problem, and the authors give a step-by-step guide to solving it (from which tool can solve the problem and where to get it, to how to configure and correctly apply that tool). Priority is given to free utilities, so the reader will have no need to purchase expensive specialised forensic software. The book contains 61 recipes, which cover all the typical tasks an examiner usually faces when analysing Windows. Besides the classic forensic artifacts, the book includes examples of analysing artifacts specific to Windows 10.
6. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
author: Michael Hale Ligh
A huge (over 900 pages), downright academic work devoted to examining computer memory. The book is divided into four main parts. The first part introduces the reader to how computer RAM is organised and how to forensically capture the data it contains. The three subsequent parts describe in detail the approaches to extracting artifacts from memory dumps of computers running Windows, macOS and Linux.
Recommended for those who have decided to understand in as much detail as possible which forensic artifacts can be found in memory.
7. Network Forensics
author: Ric Messier
This book is for those who want to immerse themselves in network forensics. The reader is introduced to the architecture of network protocols. Methods for capturing and analysing network traffic are then described, along with how to detect attacks using data from network traffic and from the logs of operating systems, routers and switches.
8. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices (fourth edition)
authors: Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty
The world has changed a great deal in the last ten years. All personal data (photos, videos, messenger conversations and so on) has migrated from personal computers and laptops to smartphones. “Practical Mobile Forensics” is a Packt Publishing bestseller that has already gone through four editions. The book describes in detail the extraction of data from smartphones running iOS, Android and Windows 10, how to recover and analyse the extracted data, and how to analyse the data of applications installed on the smartphones. It also introduces the reader to the principles of how mobile operating systems work.
9. Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques (second edition)
authors: Oleg Skulkin, Donnie Tindall, Rohit Tamma
Examining devices running the Android operating system is getting harder every day. We wrote about this in the article «Криминалистический анализ резервных копий HiSuite» (“Forensic Analysis of HiSuite Backups”). This book is intended to help the reader dive deep into the analysis of such mobile devices. Besides the traditional practical advice on extracting and analysing data from Android smartphones, the reader will learn how to capture a smartphone’s memory, analyse application data, reverse engineer Android malware and write a YARA rule to detect such programs in the memory of mobile devices.
10. Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
author: Monnappa K. A.
The expert community waited more than a year for this book to be released, and the author did not let his readers down. He has produced a very good guide for those who want to start their journey in malware reverse engineering. The information is presented clearly and intelligibly.
The reader will learn how to set up a malware analysis lab, become familiar with static and dynamic analysis methods, receive lessons in working with the IDA Pro interactive disassembler, and learn how to get past obfuscation, a technique that makes studying a program’s code harder.
This book is available in Russian translation: «Анализ вредоносных программ» (“Malware Analysis”).
11. Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
authors: Alex Matrosov, Eugene Rodionov, Sergey Bratus
This book addresses a difficult topic: the examination of rootkits and bootkits. It was written by three professionals and covers both the basic principles of malware reverse engineering and advanced techniques aimed at professional malware researchers, that is, virus analysts.
The reader will become familiar with topics such as the boot process of 32- and 64-bit Windows operating systems, work through methods of analysing specific rootkits and bootkits on examples together with the authors, learn about attack vectors against BIOS and UEFI and the development of methods for detecting such attacks, and learn about the use of virtualisation to analyse bootkit behaviour.
Happy reading!
Readership
Digital forensic professionals and analysts, information security professionals, researchers, and practitioners. Students in digital forensics programs at community college or university
Table of Contents
1. Introduction
2. Malware Detection
3. User Activity
4. Test Environment
5. Field Manual
Product details
- No. of pages: 136
- Language: English
- Copyright: © Academic Press 2018
- Published: August 14, 2018
- Imprint: Academic Press
- eBook ISBN: 9780128114162
- Paperback ISBN: 9780128114155
About the Author
Harlan Carvey
Mr. Carvey is a digital forensics and incident response analyst with past experience in vulnerability assessments, as well as some limited pen testing. He conducts research into digital forensic analysis of Windows systems, identifying and parsing various digital artifacts from those systems, and has developed several innovative tools and investigative processes specific to the digital forensics analysis field. He is the developer of RegRipper, a widely used tool for Windows Registry parsing and analysis. Mr. Carvey has developed and taught several courses, including Windows Forensics, Registry, and Timeline Analysis.
Affiliations and Expertise
DFIR analyst, presenter, and open-source tool author
Ratings and Reviews
Latest reviews
DimiDer Mon Jul 01 2019
Investigating Windows Systems
I’ve read several books by Harlan, and I’ve never been disappointed. I love his direct way of writing. IWS is thinner and smaller than his other books, but no less important, on the contrary.
Harlan writes that IWS is not for beginners. I still see myself as a beginner and should contradict Harlan here: IWS is also a book that is important, or may be, for any beginner. Although some pieces in the book are not so easy, with an effort from the reader and a search on the Internet everything becomes understandable. The book is well organized. It teaches you from the beginning that a good analysis plan is important. It teaches you to focus between ‘nice to know’ and ‘need to know’.
The book is divided into several cases (finding malware, user activity, web server compromise). Harlan explains to you how he would deal with these cases himself, and then teaches you how to make a self-reflection. What did you learn from your case, and how would you tackle it next time?
The book is not about the analysis of images themselves, nor about which tools you should use, but about how you should do the analysis, what plan you make. He teaches you to make the difference between a targeted approach and an automated approach.
In the last part, Harlan will teach you how to set up a testing environment, and convince you that testing changes in the file system yourself by deleting files, installing programs, is often more instructive than just asking for help on the net.
I really enjoyed the book.
Robert M. Sun Mar 03 2019
Excellent Book — Get into the mind of an expert in DFIR!
I am writing this review for two reasons:
1. Investigating Windows Systems by Harlan Carvey is excellent
2. Our industry does not support the leaders in our industry enough.
Harlan is a man who speaks what he thinks and backs it up with experience, knowledge, and facts. This is something that I appreciate.
Anyone can complain and point out that things are not being done properly or analyzed in the right way, but few can provide clear ideas and opinions on how it should be done that others with less experience can follow.
This book is smaller than your typical book in the computer industry, which is a positive.
I have read too many monstrous technical books that claim to provide all the answers but are limited on practical details and instead list example after example that may or may not provide insight into real-world issues.
Harlan went the opposite direction and wrote a book which provides just the facts and just the information you need to feel more confident in responding to a cyber incident.
The book is broken down into 5 parts:
1. Analysis Process
2. Finding Malware
3. User Activity
4. Web Server Compromise
5. Setting Up a Test Environment
In the Preface, Harlan starts off by stating “I am not an expert”, but with over 30 years in the information security field, I think it’s safe to say Harlan is being a bit humble.
The reality is that he IS an expert and clearly knows what he is talking about when it comes to incident response which is very apparent in this book.
For someone like me, who feels overwhelmed at the idea of responding to a cyber incident, getting into the mind of an expert who has dealt with countless cyber incidents is extremely valuable.
Each decision is explained and evidence is shown on what step to take next and why to reduce the overall amount of data that you need to process and analyze. His examples flow, allowing you to ‘see’ what Harlan sees as he steps you through the different examples.
In my mind, Harlan’s book is a must for folks working in Incident Response. I strongly encourage you to purchase the book so that you can get into Harlan’s head and see why he makes the decisions he makes during an incident response.
I started off this review stating that his book is excellent and that we must support Harlan and others like him that give so much to the DFIR community. Training within the DFIR field is expensive and if we hope to have Harlan and others produce books like this, which provide so much useful information at a fraction of formal training costs, then we have to support them by purchasing the book and encouraging others to do the same.
Full Book Review at: https://www.computerforensicsworld.com/investigating-windows-systems-book-review/
-
Luis M. Wed Oct 31 2018
Really exciting content from a highly respectable investigator
I was anxiously awaiting the release of this book, since the summer. I knew I had to have it for one reason — the book’s author. I’ve read Windows Forensic Analysis Toolkit (one of Harlan’s other books), and was not disappointed. One section in that book, in particular, appealed to me — the report writing/documentation section. This is an area of digital forensics for which I do not find many resources. So, when I opened Investigating Windows Systems, and realized the content was divided into various scenarios (each scenario was basically written in report-format) my eyes almost popped out of my head (that’s a good thing). Harlan provides great perspective on a myriad of topics, and sparks a lot of thought on how an investigation can be handled. It’ll also spark thought on other items of interest, based on the reader’s experience (I’m sure).
One overarching concept I identified in the book was this — a practitioner must give value to findings, by documenting the meaning of particular artifacts, as a function of context (i.e. given a scenario, an artifact means ‘x’; in another scenario, the same artifact still proves ‘x’, and may prove ‘y’). Additionally, the concept of drilling down, and making sense of digital evidence, must be part of a practitioner’s feedback (to a prosecutor, client, or student of the trade).
Harlan’s method of conveying examination/analytical details, makes sense to me, and gives me a rhythm to emulate. Whether in part or in whole, I can use the content of this book as a template, and modify as necessary. As you read Harlan’s book (any of them really), you’ll notice great value through the explanations he provides. I purchased the electronic version, but wish I had purchased the paper version — this way I could highlight and use sticky-flag, for parts that are of interest to me.
Top reviews from other countries
5.0 out of 5 stars
DFIR Field Manual?
Reviewed in the United States 🇺🇸 on 26 September 2018
Verified Purchase
“Investigating Windows Systems” by Harlan Carvey was a great read on so many different levels for me. After binge-reading it over a weekend, I was so excited about it that the following Monday morning I found myself almost shouting at warp-speed to a co-worker about why it was such an important read. Our chat reminded me of something I had thought about while still making my way through the book. How could a book so compact contain that much valuable information?! I actually believe this book could have been titled, “DFIR Field Manual”, or “DFIRFM.”
For one thing, the book was easily digestible. At times, I found myself “playing along”, almost like a CTF. That’s because the book takes you (step-by-step) on an analyst’s journey through several investigations, and invites you to follow-along by downloading all the free images and open source tools the author is using to walk you through. You get to learn alongside a seasoned veteran, almost in real-time, and observe, even as critical case decisions are being made along the way.
The book felt really timely to me. I’d recently been following some thought-provoking discourse around the pronounced differences between the “DF” and “IR” of “DFIR” — Digital Forensics and Incident Response, and have even myself gotten into some rather animated discussions during time-sensitive incidents asking, “Where’s our DirListing?!” or, “May I please just have a DirListing!”
The book had a recurring theme for me, and that was, the steps you take regardless of the type of investigation, are often consistent. Why? Low hanging fruit! My take-away was that Harlan almost always makes a visual inspection of the data before he does anything else. That is not just to verify that he has an image that isn’t damaged, but it’s also so that he can identify outliers rather quickly, such as a batch file sitting in the root of C: — might be nothing, but could be something. Things that make you go, “hmmm”.
Another important concept I learned was the art of discernment and how critical that can be to your end-goal (which an analyst must keep in mind is often guided by a paying client, not your own curiosity). So, should you choose to dive down a rabbit-hole, (and we all do), a concise analysis plan will help keep you on track, and he shows you how.
As our digital landscape continues to grow, and the average size of hard drives (and memory) gets larger and larger, sometimes it can seem like we’re trying to “boil the ocean”. To combat that, Harlan teaches us the art of timelining and how that process can help you streamline your analysis by distilling down the data and filtering out the noise. Additionally, we learn that we have tiered options in our approach, so that we don’t lose meaningful data by doing so; mini, micro, and even nano timelines.
I also learned how to “fail fast”. Trust me, when you have a client or upper management breathing down your neck for answers, you’ll be glad you grasped that concept. Regardless of how long you’ve been in the field, you will be astounded at the knowledge you acquire from this book. New folks might learn not to assume that malware or “hacking tools” simply sitting on a system are bad. On the contrary, they’ll become proficient in how to prove whether or not those tools were launched, and how they might have been used. Or, what local accounts on a system with no profile might mean, and how FTP being run from a browser might be overlooked as it leaves fewer artifacts and in “unusual” places. Even TimeStomping is covered, as well as using the “Conversations” filter in Wireshark to “Follow Stream”. It’s all there!
The book also tackles another topic I’ve been seeing articles around recently – Sufficiency. How much data is enough data for us to come to our analysis goals? Lately that’s been on a lot of people’s minds. Well, perhaps that answer depends. For example, have we answered the questions the (paying) principal has asked of us? It also pivots on another very important case concept – have we, as the investigator, helped our client ask the right questions, because they don’t always know themselves what questions they need to be asking. If so, and we’ve come to a solid conclusion, then yes, we can confidently state that “our work here is done!” Even more so, if the principal cannot articulate those questions, and in fact leaves you with almost no information to begin your quest, how do you still make magic happen? Those answers are all in the book, and the reader is steadily guided through every scenario.
You’ll learn what persistence can look like, and how to spot it. You’ll grasp what the artifacts of “staging” resemble, whether it’s being done by an advanced adversary, or an insider who’s ready to bolt. You will also learn how not to allow your own analysis to create a red herring in your case, in other words, if you detonate a piece of malware from the Desktop of your VM, you need to understand that you might be building artifacts that would not be present had it been introduced via its native vector (email, URL, USB), and what those are so you don’t include them in your findings. You might even find a new trick for using Calc.exe.
I also learned a new thought process around triaging malware that I hadn’t read before and found it to be quite clever. Execute the sample, let it run for a bit, then shut the box down and grab an image. Then you can perform analysis to examine the complete file system after the malware runs. Perhaps not all incidents have time for that, but I thought it was a brilliant methodology. I typically use RegShot or other tools to snapshot the Registry state before (and after) I run a sample, but now I no longer need to chance missing anything that the malware might have changed.
In conclusion, it truly is fascinating how much ground the book covers in such a concise manner, which I believe can only be attributed to the author being both an accomplished writer and a seasoned investigator. Whether you’re running-to-ground File System Tunneling, Windows XP, Windows 10, or a Web Server running IIS or Apache, it’s all covered in the book, with log locations and examples. You. Will. NOT. Be. Disappointed!
4.0 out of 5 stars
Practical, and immediately useful, information
Reviewed in the United States 🇺🇸 on 19 December 2019
Verified Purchase
While reading this book I quickly discovered that I really enjoyed the approach Harlan took delivering this information. He’s basically inviting you to follow along with his thought process as he works various cases. This was immensely helpful to me. Much of my training has been tool based, i.e. use THIS tool to find THAT artifact. Harlan starts at a higher level than that and shows what types of questions we should be asking when approaching a given investigation. He then models forming a “plan of attack” when analyzing a given data set, and then walks through that plan showing each step he takes along the way, and, most helpful to me, WHY he took that step.
Learning how another investigator approaches various use cases is really helpful, and this book provides a lot of value for a relatively thin book. If you are new to the DFIR domain you will find loads of useful examples on how to “tell the story” of various case types. For those who have been in the field for a while, I believe you will still find value in “watching” Harlan work, as he shares many tips and tricks he has learned along the way.
In short, this book should be on every DFIR practitioner’s bookshelf.
3.0 out of 5 stars
A main summary of his past Windows Forensics books.
Reviewed in the United States 🇺🇸 on 7 August 2019
Verified Purchase
The book is a good read considering it is 121 pages; it is pretty much a summary of Harlan’s books. I cannot say that I’m disappointed, but the price is way too much for this book; the techniques are not in as much detail as in past books, like “Windows Forensic Analysis Toolkit.” This book is an overview utilizing open source images from different websites, Harlan’s own tools and open source forensics tools, just like in his books described before, creating timelines (in more detail in his past books). He actually mentions this in the book: “This book is not intended for the truly new analyst who has no foundation in analysis work at all.” I gave it 3 stars because the price and the content of this book is pretty much a summary from his past books, but overall it is a good book to read.
3.0 out of 5 stars
Content is great. Book quality is BAD!!
Reviewed in the United States 🇺🇸 on 12 February 2019
Verified Purchase
The content of the book is awesome! Definitely a must for DFIR practitioners.
But, my copy of the book was of very low quality. It looks like a pirated version of the original, as if someone had the digital file and printed it and sold it to me. The font is so small and you can’t even see the figures in the book. Not sure if I’m the only one with this problem… definitely something worth checking before buying.
Although I love the content and I’m a big fan of Carvey’s work, I have to give it 3 stars because the book condition is terrible.