Windows Forensic Analysis DVD Toolkit / Edition 2

Paperback (Print)
Overview

"If your job requires investigating compromised Windows hosts, you must read Windows Forensic Analysis." -Richard Bejtlich, Coauthor of Real Digital Forensics and Amazon.com Top 500 Book Reviewer

"The Registry Analysis chapter alone is worth the price of the book." -Troy Larson, Senior Forensic Investigator of Microsoft's IT Security Group

"I also found that the entire book could have been written on just registry forensics. However, in order to create broad appeal, the registry section was probably shortened. You can tell Harlan has a lot more to tell." -Rob Lee, Instructor and Fellow at the SANS Technology Institute, coauthor of Know Your Enemy: Learning About Security Threats, 2E

Author Harlan Carvey has brought his best-selling book up to date to give you, the responder, examiner, or analyst, the must-have toolkit for your job. Windows is the largest operating system on desktops and servers worldwide, which means more intrusions, malware infections, and cybercrime happen on these systems. Windows Forensic Analysis DVD Toolkit, 2E covers both live and post-mortem response collection and analysis methodologies, addressing material that is applicable to law enforcement, the federal government, students, and consultants. The book is also accessible to system administrators, who are often the front line when an incident occurs but, due to staffing and budget constraints, do not have the necessary knowledge to respond effectively. The book’s companion DVD contains significant new and updated materials (movies, spreadsheets, code, etc.) not available anywhere else, because they are created and maintained by the author.

  • Best-Selling Windows Digital Forensic book completely updated in this 2nd Edition
  • Learn how to Analyze Data During Live and Post-Mortem Investigations
  • DVD Includes Custom Tools, Updated Code, Movies, and Spreadsheets!

Product Details

  • ISBN-13: 9781597494229
  • Publisher: Elsevier Science
  • Publication date: 6/11/2009
  • Edition description: Older Edition
  • Edition number: 2
  • Pages: 512
  • Product dimensions: 7.50 (w) x 9.20 (h) x 1.10 (d)

Meet the Author

Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and “cloud computing” services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan’s primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms.
Harlan holds a bachelor’s degree in electrical engineering from the Virginia Military Institute and a master’s degree in the same discipline from the Naval Postgraduate School. Harlan resides in Northern Virginia with his family.

Read an Excerpt

Windows Forensic Analysis

DVD Toolkit
By Harlan Carvey

Syngress

Copyright © 2007 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-055644-4


Chapter One

Live Response: Collecting Volatile Data

Solutions in this chapter:

* Live Response

* What Data to Collect

* Nonvolatile Information

* Live-Response Methodologies

* Summary

* Solutions Fast Track

* Frequently Asked Questions

Introduction

More and more, investigators are faced with situations in which the traditional, accepted computer forensics methodology of unplugging the power from a computer and then acquiring a bit-stream image of the system hard drive is, quite simply, not a viable option. Investigators and incident responders are also seeing instances in which the questions they have (or are asked) cannot be answered using the contents of an imaged hard drive alone. For example, I've spoken with law enforcement officers regarding how best to handle situations involving missing children who were lured from their homes or school via instant messages (IMs).

These questions are not limited to law enforcement. In many cases, the best source of information or evidence is available in computer memory (network connections, contents of the IM client window, memory used by the IM client process, and so on), since an IM client does not automatically create a log of the conversation, for example. In other cases, investigators are asked if there was a Trojan or some other malware active on the system and whether sensitive information was copied off the system. First responders and investigators are being asked questions about what activity was going on while the system was live. Members of IT staffs are finding anomalous or troubling traffic in their firewall and IDS logs and are shutting off the system from which the traffic is originating before determining which process was responsible for the traffic. Situations like these require that the investigator perform live response—collecting data from a system while it is still running. This in itself raises some issues, which we will address throughout this chapter.

Live Response

There are a number of issues facing investigators today where unplugging a system (or several systems) and acquiring an image of the hard drive(s) might not be an option. As the use of e-commerce continues to grow, system downtime is measured in hundreds or thousands of dollars per minute, based on lost transactions. Therefore, taking a system down to acquire a hard drive image has a serious effect on the bottom line. Also, some companies have service-level agreements (SLAs) guaranteeing "five nines" of uptime—that is, the company guarantees to its customers that the systems will be up and operational 99.999 percent of the time (outside of maintenance windows, of course). Taking a system with a single hard drive offline to perform imaging can take several hours, depending on the configuration of the system.

The Information Superhighway is no longer just a place for joy riders and pranksters. A great deal of serious crime takes place in cyberspace, and criminal activities are becoming more and more sophisticated. There are software programs that can get into your computer system and steal your personal information (passwords, personal files, income tax returns, and the like), yet the code for some of these programs is never written to the hard drive; the programs exist only in memory. When the system is shut down, all evidence of the program disappears.

In April 2006, Seagate introduced the first 750GB hard drives. (For more information go to www.seagate.com/cda/newsinfo/newsroom/releases/article/0,1121,3153,00.html.) Imagine a RAID system with five or eight such hard drives, topping out at 6 terabytes (TB) of storage. How long would it take you to image those hard drives? With certain configurations, it can take investigators four or more hours to acquire and verify a single 80GB hard drive. And would you need to image the entire system if you were interested in only the activities of a single process and not in the thousands of files resident on the system?

In some cases, before stepping off into a more traditional computer forensics investigation, we might want to collect some information about the live system before shutting it down and acquiring a bit-stream image of the hard drive or drives. The information you would be most interested in is volatile in nature, meaning that it ceases to exist when power is removed from the system. This volatile information usually exists in physical memory, or RAM, and consists of such things as information about processes, network connections, the contents of the clipboard, and so on. This information describes the state of the system at the time you are standing in front of it or sitting at the console. As an investigator, you could be faced with a situation in which you must quickly capture and analyze data (covered in the next chapter) to make a determination of the nature and scope of the incident. When power is removed from the system in preparation for imaging the hard drive in the traditional manner, this information simply disappears.

We do have options available to us—tools and techniques we can use to collect this volatile information from a live system, giving us a better overall picture of the state of the system as well as providing us with a greater scope of information. This is what "live response" entails: accessing a live, running system and collecting volatile (and in some cases, nonvolatile) information.

There is another term you might hear that is often confused with live response: live acquisition. Live response deals with collecting volatile information from a system; live acquisition describes acquiring the hard drive while the system is still running and creating an image of that hard drive. In this chapter, we start by discussing tools, techniques, and methodologies for performing live response. When we talk about performing live response, we need to understand what information we want to collect from the system and how we should go about collecting it. In this chapter, we will walk through the what and how of collecting volatile information from a system; in the next chapter, we will discuss how to analyze this data. Following that, we will examine some solutions for performing a live acquisition. Analysis of the image collected during live acquisition will be covered in the remaining chapters of this book.

Before we start discussing live response tools and activities, we need to address two important topics: Locard's Exchange Principle and the order of volatility. These concepts are the cornerstones of this chapter and live response in general, and we will discuss them in detail.

Locard's Exchange Principle

In performing live response, investigators and first responders need to keep a very important principle in mind. When we interact with a live system, whether as a user or as an investigator, changes will occur on that system. On a live system, changes will occur simply due to the passage of time, as processes work, as data is saved and deleted, as network connections time out or are created, and so on. Some changes happen when the system just sits there and runs. Changes also occur as the investigator runs programs on the system to collect information, volatile or otherwise. Running a program causes information to be loaded into physical memory, and in doing so, physical memory used by other, already running processes may be written to the page file. As the investigator collects information and sends it off the system, new network connections will be created. All these changes can be collectively explained by Locard's Exchange Principle.

In the early 20th century, Dr. Edmond Locard's work in the area of forensic science and crime scene reconstruction became known as Locard's Exchange Principle. This principle states, in essence, that when two objects come into contact, material is exchanged or transferred between them. If you watch the popular CSI crime show on TV, you'll invariably hear one of the crime scene investigators refer to possible transfer. This usually occurs after a car hits something or when an investigator examines a body and locates material that seems out of place.

This same principle applies to the digital realm. For example, when two computers communicate via a network, information is exchanged between them. Information about one computer will appear in process memory and/or log files on the other (see the "Locard and Netcat" sidebar for a really cool demonstration of this concept). When a peripheral such as a removable storage device (a thumb drive, an iPod, or the like) is attached to a Windows computer system, information about the device will remain resident on the computer. When an investigator interacts with a live system, changes will occur to that system as programs are executed and data is copied from the system. These changes might be transient (process memory, network connections) or permanent (log files, Registry entries).

Programs that we use to collect information might have other effects on a live system. For example, a program might need to read several Registry keys, and the paths to those keys will be read into memory. Windows XP systems perform application prefetching, so if the investigator runs a program that the user has already run on the system, the last access and modification times of the prefetch file (as well as the contents of the file itself) for that application will be modified. If the program that the investigator runs hasn't been used before, a new prefetch file will be created in the Prefetch directory (assuming the contents of the Prefetch directory haven't reached their 128 .pf file limit ... but more on that later in the book).

Investigators not only need to understand that these changes will occur, they must also document those changes and be able to explain the effects their actions had on the system, to a reasonable extent. For example, as an investigator you should be able to determine which .pf files in the XP Prefetch directory are a result of your efforts and which are the result of user activities. The same is true for Registry values. As with the application prefetching capabilities of Windows XP, your actions will have an effect on the system Registry. Specifically, entries may appear in the Registry, and as such the LastWrite times of the Registry keys will be updated. Some of these changes might not be a direct result of your tools or actions but rather are made by the shell (i.e., Windows Explorer), due simply to the fact that the system is live and running.

By testing and understanding the tools you use, you will be able to document and explain what artifacts found on a system are the result of your efforts and which are the result of actions taken by a user or an attacker.
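The point of this section, that the examiner's own tools leave artifacts that must be documented and attributed, can be put into practice with a before/after snapshot of an artifact directory. The following Python script is an added example and is not code from the book or its DVD: it records size and timestamps for every .pf file in a directory, is run again after the response tools have executed, and reports which files were created, modified, accessed or deleted in between. The Prefetch path and the .pf file names in the self-test are constructed sample values, not real prefetch hashes; in real use `snapshot()` would be pointed at the Prefetch directory before and after each tool is run.

```python
"""
Snapshot a directory before and after running a live-response tool and
report which files appeared or changed in between, so the examiner can
document which artifacts (for example .pf files in the Prefetch directory)
are a result of the response activity rather than of user or attacker action.

Added example; not code from the book. The Prefetch path and the file
names used in demo() are assumptions / constructed sample data.
"""
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class FileState:
    size: int
    mtime_ns: int   # last modification time, nanoseconds
    atime_ns: int   # last access time, nanoseconds


def snapshot(directory: str, suffix: str = "") -> dict:
    """Record size, mtime and atime for every regular file directly under
    `directory` whose name ends with `suffix` (".pf" for a Prefetch folder).
    Only os.stat() is used, so the snapshot itself does not rewrite anything."""
    state = {}
    for name in os.listdir(directory):
        if suffix and not name.lower().endswith(suffix.lower()):
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        state[name] = FileState(st.st_size, st.st_mtime_ns, st.st_atime_ns)
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify files as created, modified, accessed or deleted between two
    snapshots. A size or mtime change counts as modified; an atime-only change
    counts as accessed (read but not rewritten)."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified, accessed = [], []
    for name in sorted(set(before) & set(after)):
        b, a = before[name], after[name]
        if a.size != b.size or a.mtime_ns != b.mtime_ns:
            modified.append(name)
        elif a.atime_ns != b.atime_ns:
            accessed.append(name)
    return {"created": created, "modified": modified,
            "accessed": accessed, "deleted": deleted}


def demo() -> dict:
    """Self-contained demonstration on a constructed temporary directory that
    stands in for C:\\Windows\\Prefetch (assumption: a real run passes that path)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed baseline: two prefetch-like files from earlier user activity.
        for name in ("NOTEPAD.EXE-D8414F97.pf", "EXPLORER.EXE-082F38A9.pf"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x00" * 64)
        # Pin the timestamps an hour into the past so later changes are unambiguous.
        past = time.time() - 3600
        for name in os.listdir(d):
            os.utime(os.path.join(d, name), (past, past))
        before = snapshot(d, ".pf")

        # Simulate the examiner's tools running: one tool never run on the box
        # before (a new .pf appears), one already present (its .pf is rewritten).
        with open(os.path.join(d, "NETSTAT.EXE-2B2B4428.pf"), "wb") as f:
            f.write(b"\x00" * 32)
        with open(os.path.join(d, "NOTEPAD.EXE-D8414F97.pf"), "ab") as f:
            f.write(b"\x00" * 8)
        after = snapshot(d, ".pf")
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Keep the "before" snapshot with the case notes: the created and modified lists are what let you later say which .pf files (or log entries, if the same technique is applied to another directory) came from your own toolkit. Last-access time updates are frequently disabled on NTFS volumes, so the accessed list may stay empty on a real system; the created and modified lists are the dependable part of the report.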

Order of Volatility

We know that volatile information exists in memory on a live system and that certain types of volatile information can be, well, more volatile than others. That is, some information on a live system has a much shorter shelf life than other information. For instance, network connections time out, sometimes within several minutes, if they aren't used. You can see this by browsing to a specific site or making some other network connection and viewing that connection via netstat.exe. Then shut down the client application you're using and the state of the network connection will change over time before it eventually disappears from the output of netstat.exe. The system time, however, changes much more quickly, while the contents of the clipboard will remain constant until either they are changed or power is removed from the system. Additionally, some processes, such as services (referred to as daemons in the UNIX realm) run for a long time, whereas other processes can be extremely short lived, performing their tasks quickly before disappearing from memory. This would indicate that we need to collect certain information first so that we can capture it before it changes, whereas other volatile data that happens to be more persistent can be collected later.

(Continues...)



Excerpted from Windows Forensic Analysis by Harlan Carvey. Copyright © 2007 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

Chapter 1. Live Response: Collecting Volatile Data
Chapter 2. Live Response: Analyzing Volatile Data
Chapter 3. Windows Memory Analysis
Chapter 4. Registry Analysis
Chapter 5. File Analysis
Chapter 6. Executable File Analysis
Chapter 7. Rootkits and Rootkit Detection
Chapter 8. Tying It All Together
Chapter 9. Forensic Analysis on a Budget

Customer Reviews

Average rating: 5 (3 reviews)
  • Posted June 13, 2009

    Excellent, Once again!

    Harlan has hit it out of the park again with great information for all computer forensic practitioners. This is a must read for anyone in the computer forensics field.

    1 out of 1 people found this review helpful.

  • Anonymous

    Posted November 9, 2007

    A reviewer

    Harlan's latest book, Windows Forensic Analysis covers topics that no other books have touched on. Before I even had a chance to read through the book, I started to use it as a reference in an active case. The obstacles encountered by forensic examiners on a regular basis are answered in detail in this book and can be put to use immediately. I can't agree more with Troy Larson's statement about the registry, because if that is the only chapter you read, it is time and money well spent. I know that the material in this book will save many hours of any examination. The explanations were written in clear, easy to understand language. A very nice book and DVD. This is a must have resource on the shelf or desk of every forensic examiner, bar none.

    1 out of 1 people found this review helpful.

  • Posted February 7, 2012

    VERY VERY HIGHLY RECOMMENDED!!

    Are you thinking about performing forensic analysis of Windows systems? If you are, then this book is for you! Author Harlan Carvey has done an outstanding job of writing a second edition of a book that demonstrates what information is available to the investigator both on a live Windows system and in an acquired image, and also provides information on how to go about locating additional artifacts that may be of interest, and correlating multiple data sources to build a more complete picture of the incident. Author Carvey begins by addressing the basic issues of collecting volatile data from live systems. In addition, the author presents a framework for correlating and analyzing the data collected during a live response in order to develop a cohesive picture of activity on the system and make an analysis and identification of the root cause a bit easier and more understandable. He then provides a snapshot of what tools are available for performing memory collection and analysis, demonstrating what data can be collected from memory dumps. The author then presents the structure of the Registry, so that you’ll be able to recognize Registry artifacts in binary data and unallocated space within an acquired image. The author continues by discussing the various files, file formats, and file metadata in detail, and the tools for extracting much of the information. In addition, the author shows how the examiner can determine which files are legitimate, as well as what artifacts to attribute to a particular piece of malware. He then addresses the topic of rootkits in the hopes of piercing the veil of mystery surrounding this particular type of malware, and presents the administrator, first responder, and forensic analysts with the necessary information to be able to locate and recognize a rootkit.

    The author then shows you how information from different areas of your examination can be correlated and tied together to build a more complete picture, whether you’re a law enforcement examiner attempting to disprove the Trojan Defense or a corporate analyst or consultant attempting to determine if a system may have been compromised. Finally, he shows you how forensic analysis is about process, not about tools. The goal of this most excellent book is to provide a resource for forensic analysts, investigators and incident responders. Perhaps more importantly, this book provides not only useful material for those currently performing forensic investigations, but also insight into system administrators who have been faced with incident response activities.
