Mastering Windows Network Forensics and Investigation


An authoritative guide to investigating high-technology crimes Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more dire. This professional-level book—aimed at law enforcement personnel, prosecutors, and corporate investigators—provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals.
• Specifies the ...

See more details below
$43.45 price
(Save 27%)$59.99 List Price

Pick Up In Store

Reserve and pick up in 60 minutes at your local store

Other sellers (Paperback)
  • All (23) from $19.94   
  • New (13) from $24.99   
  • Used (10) from $19.94   
Mastering Windows Network Forensics and Investigation

Available on NOOK devices and apps  
  • NOOK Devices
  • Samsung Galaxy Tab 4 NOOK 7.0
  • Samsung Galaxy Tab 4 NOOK 10.1
  • NOOK HD Tablet
  • NOOK HD+ Tablet
  • NOOK eReaders
  • NOOK Color
  • NOOK Tablet
  • Tablet/Phone
  • NOOK for Windows 8 Tablet
  • NOOK for iOS
  • NOOK for Android
  • NOOK Kids for iPad
  • PC/Mac
  • NOOK for Windows 8
  • NOOK for PC
  • NOOK for Mac
  • NOOK for Web

Want a NOOK? Explore Now

NOOK Book (eBook)
$34.49 price
(Save 42%)$59.99 List Price


An authoritative guide to investigating high-technology crimes Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more dire. This professional-level book—aimed at law enforcement personnel, prosecutors, and corporate investigators—provides you with the training you need in order to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals.
• Specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network
• Places a special emphasis on how to thoroughly investigate criminal activity and now just perform the initial response
• Walks you through ways to present technically complicated material in simple terms that will hold up in court
• Features content fully updated for Windows Server 2008 R2 and Windows 7
• Covers the emerging field of Windows Mobile forensics Also included is a classroom support package to ensure academic adoption, Mastering Windows Network Forensics and Investigation, 2nd Edition offers help for investigating high-technology crimes.

Read More Show Less

Product Details

  • ISBN-13: 9781118163825
  • Publisher: Wiley
  • Publication date: 6/26/2012
  • Edition number: 2
  • Pages: 696
  • Sales rank: 480,816
  • Product dimensions: 7.30 (w) x 9.20 (h) x 1.50 (d)

Meet the Author

Steve Anson , CISSP, MCSE, is a special agent with the Pentagon’s Defense Criminal Investigative Service. He has a master’s degree in computer science as well as numerous industry certifications. As a former contract instructor for the FBI, he has taught hundreds of veteran federal agents, state and local police officers, and intelligence agency employees techniques for conducting computerintrusion investigations. He also founded and supervised a local police department computer crime and information services unit and served as a task force agent for the FBI. He has conducted investigations involving large-scale computer intrusions, counterterrorism, crimes against children, and many other offenses involving the substantive use of computers.

Steve Bunting is a captain with the University of Delaware Police Department, where he is responsible for computer forensics, video forensics, and investigations involving computers. He has more than thirty years experience in law enforcement, and his background in computer forensics is extensive. He is a Certified Computer Forensics Technician (CCFT) and an EnCase Certified Examiner (EnCE). He was the recipient of the 2002 Guidance Software Certified Examiner Award of Excellence. He has a bachelor’s degree in applied professions/business management from Wilmington College and a computer applications certificate in network environments from the University of Delaware. He has conducted computer forensic examinations for numerous local, state, and federal agencies on a variety of cases, including extortion, homicide, embezzlement, child exploitation, intellectual property theft, and unlawful intrusions into computer systems. He has testified in court on numerous occasions as a computer forensics expert. He has taught computer forensics for Guidance Software, makers of EnCase, and taught as a lead instructor at all course levels. He has been a presenter at several seminars and workshops, is the author of numerous white papers, and is the primary author of the book EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide , which was published by Sybex in early 2006. You can reach him at

Read More Show Less

Table of Contents

Introduction     xix
Network Investigation Overview     3
Performing the Initial Vetting     3
Meeting with the Victim Organization     5
Understanding the Victim Network Information     6
Understanding the Incident Information     7
Identifying and Preserving Evidence     8
Establishing Expectations and Responsibilities     10
Collecting the Evidence     11
Analyzing the Evidence     13
Analyzing the Suspect's Computers     15
Recognizing the Investigative Challenges of Microsoft Networks     18
The Bottom Line     19
The Microsoft Network Structure     21
Connecting Computers     21
Windows Domains     23
Interconnecting Domains     25
Organizational Units     29
Users and Groups     31
Types of Accounts     31
Groups     34
Permissions     37
File Permissions     39
Share Permissions     42
Reconciling Share and File Permissions     43
Example Hack     45
The Bottom Line     52
Beyond the Windows GUI     55
Understanding Programs, Processes, and Threads     56
Redirecting Process Flow     59
DLL Injection     62
Hooking     66
Maintaining Order Using Privilege Modes     70
Using Rootkits     72
The Bottom Line     75
Windows Password Issues     77
Understanding Windows Password Storage     77
Cracking Windows Passwords Stored on Running Systems     79
Exploring Windows Authentication Mechanisms     87
LanMan Authentication     88
NTLM and Kerberos Authentication     91
Sniffing and Cracking Windows Authentication Exchanges     94
Cracking Offline Passwords     102
The Bottom Line     106
Windows Ports and Services     107
Understanding Ports     107
Using Ports as Evidence     111
Understanding Windows Services     117
The Bottom Line     124
Live-Analysis Techniques     129
Finding Evidence in Memory     129
Creating Windows Live-Analysis CDs     131
Selecting Tools for Your Live-Response CD     133
Verifying Your CD     139
Using Your CD      142
Monitoring Communication with the Victim Box     146
Scanning the Victim System     149
Using Stand-alone Tools for Live-analysis     150
Using Commercial Products     150
Using EnCase FIM     150
Using Free Products     157
The Bottom Line     158
Windows File Systems     161
File Systems vs. Operating Systems     161
Understanding FAT File Systems     164
Understanding NTFS File Systems     177
Using NTFS Data Structures     178
Creating, Deleting, and Recovering Data in NTFS     184
Dealing with Alternate Data Streams     187
The Bottom Line     191
The Registry Structure     193
Understanding Registry Concepts     193
Registry History     195
Registry Organization and Terminology     195
Performing Registry Research     201
Viewing the Registry with Forensic Tools     203
Using EnCase to View the Registry     204
Using AccessData's Registry Viewer     207
The Bottom Line     212
Registry Evidence     215
Finding Information in the Software Key     216
Installed Software     216
Last Logon     218
Banners     219
Exploring Windows Security Center and Firewall Settings     220
Analyzing Restore Point Registry Settings     225
Exploring Security Identifiers     231
Investigating User Activity     234
Extracting LSA Secrets     245
Discovering IP Addresses     246
Compensating for Time Zone Offsets     251
Determining the Startup Locations     253
The Bottom Line     260
Tool Analysis     263
Understanding the Purpose of Tool Analysis     263
Exploring Tools and Techniques     267
Strings     268
Dependency Walker     271
Monitoring the Code     273
Monitoring the Tool's Network Traffic     282
External Port Scans     284
The Bottom Line     286
Text-Based Logs     289
Parsing IIS Logs     289
Parsing FTP Logs     300
Parsing DHCP Server Logs     306
Parsing Windows Firewall Logs     310
Using the Microsoft Log Parser     313
The Bottom Line     324
Windows Event Logs      327
Understanding the Event Logs     327
Exploring Auditing Settings     329
Using Event Viewer     334
Searching with Event Viewer     347
The Bottom Line     351
Logon and Account Logon Events     353
Exploring Windows NT Logon Events     353
Analyzing Windows 2000 Event Logs     361
Comparing Logon and Account Logon Events     361
Examining Windows 2000 Logon Events     364
Examining Windows 2000 Account Logon Events     366
Contrasting Windows 2000 and XP Logging     386
Examining Windows Server 2003 Account Logon and Logon Events     393
The Bottom Line     397
Other Audit Events     399
Evaluating Account Management Events     399
Interpreting File and Other Object Access Events     409
Examining Audit Policy Change Events     416
Examining System Log Entries     417
Examining Application Log Entries     422
The Bottom Line     423
Forensic Analysis of Event Logs     425
Using EnCase to Examine Windows Event Log Files     425
Windows Event Log Files Internals     433
Repairing Corrupted Event Log Databases      444
Finding and Recovering Event Logs from Free Space     446
The Bottom Line     453
Presenting the Results     455
Creating a Narrative Report with Hyperlinks     455
The Electronic Report Files     462
Timelines     463
Testifying About Technical Matters     466
The Bottom Line     467
The Bottom Line     469
Network Investigation Overview     469
The Microsoft Network Structure     471
Beyond the Windows GUI     472
Windows Password Issues     474
Windows Ports and Services     475
Live Analysis Techniques     477
Windows File Systems     478
The Registry Structure     480
Registry Evidence     482
Tool Analysis     486
Text-Based Logs     488
Windows Event Logs     492
Logon and Account Logon Events     493
Other Audit Events     495
Forensic Analysis of Event Logs     496
Presenting The Results     498
Index     501
Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Anonymous

    Posted April 17, 2007


    As a law enforcement officer, I've often found myself frustrated by books that cover incident response, but never discuss law enforcement involvement, except as an afterthought. While I understand that it's important for corporate and internal investigators to have this type of information, it's refreshing to find a book that talks about the law enforcement response to an computer crime incident. I've had the privilege of attending classes instructed by both of these authors. One of the things that impressed me about their classes is that they were able to break down complicated technical concepts into terms that cops can understand. They continue to do that in this book. Computer crime investigators need to add this book to their libraries. I'd say it's a must have.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)