Windows Forensics: The Field Guide for Corporate Computer Investigations
| 2006-05-15 00:00:00 | | 0 | Windows
The evidence is in--to solve Windows crime, you need Windows tools
An arcane pursuit a decade ago, forensic science today is a household term. And while the computer forensic analyst may not lead as exciting a life as TV's CSIs do, he or she relies just as heavily on scientific principles and just as surely solves crime.
Whether you are contemplating a career in this growing field or are already an analyst in a Unix/Linux environment, this book prepares you to combat computer crime in the Windows world. Here are the tools to help you recover sabotaged files, track down the source of threatening e-mails, investigate industrial espionage, and expose computer criminals.
* Identify evidence of fraud, electronic theft, and employee Internet abuse
* Investigate crime related to instant messaging, Lotus Notes(r), and increasingly popular browsers such as Firefox(r)
* Learn what it takes to become a computer forensics analyst
* Take advantage of sample forms and layouts as well as case studies
* Protect the integrity of evidence
* Compile a forensic response toolkit
* Assess and analyze damage from computer crime and process the crime scene
* Develop a structure for effectively conducting investigations
* Discover how to locate evidence in the Windows Registry
User review
In a world with few Windows-specific options, this is a helpful forensics book
I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: `File System Forensic Analysis` (FSFA) by Brian Carrier, `Windows Forensics` (WF) by Chad Steel, and `EnCase Computer Forensics` (ECF) by Steve Bunting and William Wei. All three books contain the word `forensics` in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WA. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.
In the spirit of full disclosure I should mention I am co-author of a forensics book (`Real Digital Forensics`) and Brian Carrier cites my book `The Tao of Network Security Monitoring` on p 10. I tried to not let those facts sway my reviews.
WF is a great guide to forensic investigation of Windows. By this I mean WF presents Windows from the perspective of the important directories, files, and registry entries that help an analyst discover malfeasance. WF also covers some of the core applications one would expect to review during host-based forensics, like email, Web browsing history, and P2P application usage. I expected coverage of popular Windows application formats relevant to investigations, like .doc, .ppt, and .xls, but those were missing.
WF addresses the core operational aspects of host-centric forensics, like forming a team and acquiring evidence from live and dead targets. I did not think these sections were as good as material from what I consider the book best suited for all-around hands-on forensic use -- `Incident Response: Computer Forensics, 2nd Ed` by Mandia, Prosise, and Pepe. Live response is one area where I thought WF didn't shine too brightly. I did like the frequent mini-case studies which shared stories from the author's investigative experiences.
A few other aspects of WF resulted in me offering a four star review. I thought the discussion of `vampire taps` on p 157 revealed a real lack of contact with modern network monitoring methods. I don't know anyone who uses or recommends such a contraption in an era of network taps. I continue to question the need to build so-called `sniffing cables,` especially when proper interface configuration serves the same purpose. Furthermore, a remotely managed sensor will not be able to hide its traffic on the network anyway, so savvy intruders can usually find them (unless a completely separate management network is run out-of-band). `Chapter 7` was also way too short -- 2 pages!
Although I liked the case studies, I thought there were far too many `gray box` entries. These contain useful hints, but their frequent appearance sometimes interrupted flow of the book. This indicates a need for better organization. Finally, I felt the recent Syngress book `Winternals` did a decent job explaining how to analyze malware, rootkits, and rogue processes on Windows. WF didn't explore this key aspect of Windows incident response.
Overall, however, I would recommend reading WF if you need to understand data sources from Windows systems. I suggest concentrating on the sections that explain where you'll find quality information on Windows, and rely on other sources for generic forensics guidance. I could see readers using WF as a primer for learning about key Windows artifacts, then searching for them in the image files in `Real Digital Forensics.`
User review
Finally, the right book for Windows forensics
I have to say, like the next geek, I get frustrated by the lack of Linux/Unix use on the desktops of the corporate world; however, the fact is that Windows desktops outnumber Linux/Unix desktops by way more than 100:1. For this reason, it has been very frustrating to me that so many security books focus on Linux/Unix. I don't care if it's the best platform (though I agree); it's not the most common and we need tools on and for Windows.
This book tells you how Windows file systems work and how to perform forensic analysis on these systems. However, it's more than this - it is a great all around book on forensics analysis and the computer crime investigation process. I highly recommend this resource.
Tom Carpenter - Author: CWSP Certification Official Study Guide
User review
Excellent focus on corporate security
Just read through my copy of this book. I do Cisco work as a CCSE and SANS certified network security specialist, but have been called on to do some investigations at work as the resident `security geek`.
I read Brian Carrier's book on file system forensics, which is much deeper into data structures and is a very good book, but this book gives a better holistic look at investigations. We run a mostly Windows shop, and I'm happy to see a book that doesn't just cover Unix stuff. I want to pick up Windows Forensics and Incident Recovery next and see how they compare.
Definitely recomment!