Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7 provides an overview of live and postmortem response collection and analysis methodologies for Windows 7. It considers the core investigative and analysis concepts that are critical to the work of professionals within the digital forensic analysis community, as well as the need for immediate response once an incident has been identified. Organized into eight chapters, the book discusses Volume Shadow Copies (VSCs) in the context of digital forensics and explains how analysts can access the wealth of information available in VSCs without interacting with the live system or purchasing expensive solutions. It also describes files and data structures that are new to Windows 7 (or Vista), Windows Registry Forensics, how the presence of malware within an image acquired from a Windows system can be detected, the idea of timeline analysis as applied to digital forensic analysis, and concepts and techniques that are often associated with dynamic malware analysis. Also included are several tools written in the Perl scripting language, accompanied by Windows executables. This book will prove useful to digital forensic analysts, incident responders, law enforcement officers, students, researchers, system administrators, hobbyists, or anyone with an interest in digital forensic analysis of Windows 7 systems.
- Timely 3e of a Syngress digital forensic bestseller
- Updated to cover Windows 7 systems, the newest Windows version
- New online companion website houses checklists, cheat sheets, free tools, and demos
Computer forensic and incident response professionals. This includes LE, federal government, commercial/private sector contractors, consultants, etc.
- About the Author
- About the Technical Editor
- Chapter 1. Analysis Concepts
- Analysis Concepts
- Setting up an Analysis System
- Chapter 2. Immediate Response
- Being Prepared to Respond
- Data Collection
- Chapter 3. Volume Shadow Copies
- What are “Volume Shadow Copies”?
- Live Systems
- Acquired Images
- Chapter 4. File Analysis
- Event Logs
- Recycle Bin
- Prefetch Files
- Scheduled Tasks
- Jump Lists
- Hibernation Files
- Application Files
- Chapter 5. Registry Analysis
- Registry Analysis
- Chapter 6. Malware Detection
- Malware Characteristics
- Detecting Malware
- Chapter 7. Timeline Analysis
- Creating Timelines
- Case Study
- Chapter 8. Application Analysis
- Log Files
- Dynamic Analysis
- Network Captures
- Application Memory Analysis
- No. of pages:
- © Syngress 2012
- 27th January 2012
- Paperback ISBN:
- eBook ISBN:
Harlan Carvey is a senior information security researcher with the Dell SecureWorks Counter Threat Unit - Special Ops (CTU-SO) team, where his efforts are focused on targeted threat hunting, response, and research. He continues to maintain a passion and focus in analyzing Windows systems, and in particular, the Windows Registry.
Harlan is an accomplished author, public speaker, and open source tool author. He dabbles in other activities, including home brewing and horseback riding. As a result, he has become quite adept at backing up and parking a horse trailer.
Harlan earned a bachelor’s degree in electrical engineering from the Virginia Military Institute, and a master’s degree in the same discipline from the Naval Postgraduate School. He served in the United States Marine Corps, achieving the rank of captain before departing the service. He resides in Northern Virginia with his family.
DFIR analyst, presenter, and open-source tool author
"Harlan has done it again! Continuing in the tradition of excellence established by the previous editions, Windows Forensics Analysis Toolkit 3e is an indispensable resource for any forensic examiner. Whether you're a seasoned veteran or just starting out, this work is required reading. WFA3e will maintain a perennial spot on my core reference bookshelf!"--Cory Altheide, Google
"Windows Forensic Analysis Toolkit 3rd Edition provides a wealth of important information for new and old practitioners alike. Not only does it provide a great overview of artifacts of interest on Windows 7 systems, but it also presents plenty of technology independent concepts that play an important role in any investigation. Feel free to place a copy on your shelf next to WFA 2ed and WRF."--Digital4rensics.com
"The third edition of this reference for system administrators, digital forensic analysts, students, and law enforcement does not replace the second edition, but rather serves as a companion. Coverage encompasses areas such as immediate response, volume shadow copies, file and registry analysis, malware detection, and application analysis. Learning features include b&w screenshots, tip and warning boxes, code (also available on a website), case studies, and 'war stories' from the field. The tools described throughout the book are written in the Perl scripting language, but readers don't need to be experts in Perl, and most of the scripts are accompanied by Windows executables found online. For this third edition, a companion website provides printable checklists, cheat sheets, custom tools, and demos."--Reference and Research Book News, Inc.
"There is a good reason behind the success of the previous editions of this book, and it has to do with two things: new Windows versions are different enough from previous ones to warrant a new edition and, most importantly, the author is simply that good at explaining things. This edition is no different."--HelpNetSecurity