
Windows Forensics and Incident Recovery


Overview

Praise for Windows Forensics and Incident Recovery

"Windows Forensics and Incident Recovery doesn't just discuss forensics, it also includes tools for analysis and shows readers how to use them. I look forward to putting these tools through their paces, and I recommend Carvey's book as a terrific addition to the security professional's bookshelf."
—Warren G. Kruse II, Partner
Computer Forensic Services, LLC

"This book is a good reference for the tools needed to prepare for, respond to, and confirm a Windows-based computer incident."
—Brian Carrier
Digital forensics researcher

"This book provides a unique 'command-line centric' view of Microsoft and non-Microsoft tools that can be very helpful to folks responsible for security and system administration on the Windows platform."
—Vishwas Lele, principal architect
Applied Information Sciences, Inc.

"Harlan Carvey's book serves as a great resource for investigators and systems administrators looking to peek under the hoods of their Windows systems."
—Jason Chan, security consultant
@stake

"Regardless of what you know already, you are guaranteed to learn something new about Windows incident response from this book."
—Brian Behler, computer forensics and intrusion analyst/engineer

"Harlan Carvey's vast security and forensics experience shows through in all facets of this work. Many books have attempted to be the prescriptive guide to forensics on the Windows platform. This book not only attempts it, but it succeeds—with guidance to spare."
—Rick Kingslan, Microsoft MVP
West Corporation

"This book is the first to bring together into a single volume the topics of malicious code, incident response, and forensics on the Windows platform. Mr. Carvey's work should serve as a valuable reference for any Windows system administrator or security professional."
—Jennifer Kolde, information security consultant, author, and instructor

"Harlan Carvey's book is a one-of-a-kind approach to do-it-yourself Windows forensics. With detailed and illustrative examples coupled with Harlan's renowned Perl scripts, this book certainly is a great find."
—Mark Burnett, security consultant and author

  • The first book to focus on forensics and incident recovery in a Windows environment
  • Teaches through case studies and real-world examples
  • Companion CD contains unique tools developed by the author
  • Covers Windows Server 2003, Windows 2000, Windows NT, and Windows XP

If you're responsible for protecting Windows systems, firewalls and anti-virus aren't enough. You also need to master incident response, recovery, and auditing. Leading Windows security expert and instructor Harlan Carvey offers a start-to-finish guide to the subject: everything administrators must know to recognize and respond to virtually any attack.

Drawing on his widely acclaimed course, Carvey uses real-world examples to cover every significant incident response, recovery, and forensics technique. He delivers a complete incident response toolset that combines today's best open source and freeware tools, his own exclusive software and scripts, and step-by-step instructions for using them. This book's tools and techniques apply to every current and professional version of Windows: NT, 2000, XP, and Windows Server 2003. Coverage includes:

  • Developing a practical methodology for responding to potential attacks
  • Preparing your systems to prevent and detect incidents
  • Recognizing the signatures of an attack—in time to act
  • Uncovering attacks that evade detection by Event Viewer, Task Manager, and other Windows GUI tools
  • Using the Forensic Server Project to automate data collection during live investigations
  • Analyzing live forensics data in order to determine what occurred

CD-ROM INCLUDED

CD-ROM contains incident response and forensics toolkit code developed by the author, sample network packet captures, as well as data collected from compromised systems using the Forensic Server Project. You can also access Carvey's website at http://www.windows-ir.com for code samples, updates, and errata.

Acknowledgments

I'd like to start by thanking Larry Leibrock and Jay Heiser for getting me started down this road. Several years ago, I had developed a 2-day, hands-on incident response course for Windows 2000, and Larry provided me with my initial opportunity to teach it at the University of Texas in Austin. This book began its life as the presentation for the incident response course. I had done a technical review of Jay and Warren Kruse's computer forensics book, and Jay provided my name to his former editor as someone who may be interested in writing a book on the subject of Windows security.

Karen Gettman offered me the opportunity to write this book, and I decided to take it. I'd had articles published, but I'd never written a book. Karen and her assistant, Elizabeth Zdunich, kept me on track throughout this process.

I'd like to thank several of the reviewers as well. Of all of the reviewers who've been involved in this process, I'd like to recognize Jennifer Kolde, Mike Lyman, and Jason Chan for their efforts and input. The reviews from these three individuals provided valuable constructive criticism regarding the content and structure of the book. I can't say that I followed all the advice they provided, but I did read and consider everything they said thoroughly. With their help and insight, I didn't feel as if I were working on this book alone. Thanks, guys, for your time and effort. And Jen, thanks for indulging me all those times I'd email you with thoughts about your comments. Those exchanges gave me even more insight into the content of the book, as well as the subject of incident response on Windows systems, in general.

Finally, and most importantly, I'd like to thank Terri Dougherty. I've written a book, and yet I can't seem to find the words to express my gratitude for your support throughout this process. Thank you. I owe you a debt that I will be repaying for a long time.

© Copyright Pearson Education. All rights reserved.


Meet the Author

Harlan Carvey's interest in computer and information security began while he was an officer in the U.S. military, during which time he earned his master's degree in Electrical Engineering. After leaving military service, he began working in the field of commercial and government information security consulting, performing vulnerability assessments and penetration tests. While employed at one company, he was the sole developer of a program for collecting security-specific information (i.e., Registry entries, file information, configuration settings, etc.) from Windows NT systems during vulnerability assessments. The purpose of the product was to overcome shortfalls in commercial scanning products and provide more valuable information to the customer. Harlan has also done considerable work in the area of incident response and forensics, performing internal and external investigations. He has also written a number of proof-of-concept tools for educating users in such topics as Windows null sessions, file signature analysis, and the retrieval of metadata from a variety of files.

Harlan's experience with computers began in the early '80s, with a Timex-Sinclair 1000. Around that time, he was learning to program BASIC on an Apple IIe. From there, he moved on to computers such as the Epson QX-10 and the TRS-80, on which he programmed in BASIC and learned Pascal, using the Turbo Pascal compiler. Since then, he's worked with SunOS and Solaris systems, as well as various versions of DOS and Windows, OS/2, and Linux.

Harlan has presented at Usenix, DefCon9, Black Hat, GMU2003 on various topics specific to issues on Windows platforms, such as data hiding. He has had articles published in the Information Security Bulletin and on the SecurityFocus web site.


Read an Excerpt


Preface

As long as networks of Microsoft Windows systems are managed, administered, and used by people, security incidents will occur. Regardless of whether we're talking about hundreds of corporate Windows workstations and servers or home user systems running Windows XP on broadband connections to the Internet, Windows systems will be attacked, compromised, and used for malicious purposes. This is not to say that only Windows systems will be attacked; rather, Windows systems are highly pervasive throughout the entire computing infrastructure, from home and school systems to high-end e-commerce sites. In contrast to this pervasiveness, information regarding conducting effective incident response and forensic audit activities on Windows systems is limited, to say the least. Attacks may come from insiders who have legitimate physical access to systems and are authorized to use them or from faceless individuals hiding in the shapeless ether of the Internet. Knowing this, anyone who manages or administers Windows systems (including the home user) needs to know how to react when he suspects that an incident has occurred.

When it comes to investigating and resolving computer security incidents, Windows systems lag well behind Linux and *nix systems. This gap can be attributed to a variety of reasons. One reason is a lack of detailed technical knowledge regarding Windows systems themselves on the part of administrators. This lack of understanding may be due at least in part to Microsoft's use of graphical user interfaces (GUIs) to control everything from the installation process to all aspects of system administration. Attackers and malicious users take steps to ensure that their activities remain hidden from view, particularly from the system's GUI tools such as the Event Viewer and the Task Manager. For example, enabling an audit policy requires that the system administrator navigate through multiple layers of the GUI, while an attacker can easily disable (and then reenable, if necessary) that audit policy with a single command line tool (which, incidentally, is provided for free from Microsoft).

Other reasons for the "incident response gap" include a lack of understanding regarding how to use available native and third-party tools to retrieve data and how to interpret the data that is collected from potentially infected or compromised systems. Many useful and powerful tools that mirror the functionality used on Linux systems are not available through either the Microsoft operating system distributions or the Resource Kits. Sites that make these tools available are scattered across the Internet, with no central location cataloguing them. This book was written to aid anyone investigating incidents that occur on Windows systems by providing information regarding the tools and techniques used to respond to incidents and conduct forensic audits.

This book arose out of a need that I, and I am sure others, have seen in the Microsoft Windows system administration community. Microsoft's network operating systems, beginning with Windows NT, are designed to be easy to use and manage. These systems come with some very powerful tools. As useful as these tools are to the administrator, they are also very useful to an attacker or to a malicious user. Most system administrators and owners spend their time dealing with Windows operating systems through the GUI, and in doing so, miss many of the important aspects of the operating system that go on "under the hood." For example, the Task Manager does not show the complete path to the executable image for each process, nor does it display the command line used to launch each process. This information is available using third-party tools, which most folks who work with Windows systems may not be familiar with. Therefore, it may be relatively simple to hide an errant process, such as a network backdoor, by renaming the file "svchost.exe" or something similarly innocuous.

Several years ago, I developed a hands-on course for teaching system administrators how to respond to security incidents on Windows 2000 systems. While teaching the course to system administrators at various organizations, I saw the same things that I saw on listservs and on forums on the Internet. During the first break on the first day of the course, I would go around the room and "infect" all of the systems with a "Trojan." This "Trojan" was netcat, renamed to "inetinfo.exe," listening on port 80. When the attendees returned to the room, I'd tell them that I "infected" their systems and challenged them to find it. The purpose of this exercise was not to find out who could find the "Trojan" first but to look at the steps that the attendees would go through in their incident response activities, to look at their "methodology." Invariably, every attendee would examine the contents of the Event Log, comb through the Task Manager, and maybe run netstat -an from a command prompt. All of the systems were connected to the Internet, and the only instructions I would give to the class were that they could not use any of the tools from the course CD that I'd put together. As the course progressed through the rest of the two days, the attendees became familiar with the tools and techniques they could use to retrieve valuable data about a system, as well as how to interpret that data.

I've assembled a good deal of unique content for this book, information that I've developed because I haven't been able to locate it any place else and therefore had to do my own research. For example, when I first began researching NTFS alternate data streams, there wasn't much information available. Over time, research has revealed additional information, which is included in this book. I've included tools that I've developed (written in Perl) and information, results, and insights from my own research. This book also includes information from a variety of sources put together in a single location so that it can be easily referenced.

Unlike other books about incident response, this book is specific to Windows systems. Other books on the subject will present a great deal of information regarding Linux and Unix systems, and in some cases, leave it up to the reader to extrapolate the information to Windows. All of the tools and techniques presented in this book are specific to Windows (NT, 2000, XP, and 2003) systems.

The book is organized so that the reader progresses through an understanding of incidents, what they are and how they can (and do) occur. From there, the reader is guided through developing an understanding of what is required to prevent incidents and how to prepare for them, and then where to look for data and how to analyze that data, should an incident occur. Data hiding and tools used in incident response and live forensic audits are covered at great length, and all of the information presented is specific to Windows operating systems, file systems (i.e., NTFS), and applications (i.e., MS Word, etc.). This information is presented in a progression, each chapter taking the content of the previous chapter further. However, each chapter can also stand on its own, as a reference that the reader can return to time and time again.

The main premise of this book is really very simple. When incidents occur, an entire spectrum of incident response activities can be performed. The lower end of the spectrum involves...well...nothing. No activity. Basically, the incident goes completely unrecognized or is simply ignored. The opposite end of the spectrum consists of those activities that purists think of when they hear the word "forensics": the system is shut down in a forensically sound manner and a bit-level image of the drive is made. All investigative activities are then conducted against that copy. This is usually accompanied by law enforcement involvement and may even lead to prosecution. However, many organizations do not wish to involve law enforcement when an incident occurs and generally conduct non-litigious investigations because they just want to get systems back online and in use. In other cases, potentially compromised systems may be part of an e-commerce infrastructure, in which downtime is measured in hundreds of dollars per minute. In such cases, an investigation will occur, but it will not involve law enforcement or legal prosecution, as the goal is determining what, if anything, happened. These steps may be required to gather information and facts in order to justify further action, such as taking the system down.

In addition, a great deal of extremely valuable information regarding the state of the system is lost when the system is shut down. This information is referred to as "volatile" information, and it includes such things as process information, network connections, clipboard contents, etc. This information can be retrieved, parsed, and analyzed in order to determine first whether an incident has even occurred, and then the extent of the incident. In some cases, enough information may have been collected to show that the incident is manageable, and the system does not have to be taken out of service to be "cleaned." More importantly, the investigator will want to understand how the system was infected or compromised so that shortfalls in security policies can be rectified and other systems protected.

The Perl programming language is used to programmatically demonstrate many of the concepts addressed throughout the book. The underlying premise of the book is to get the reader "under the hood" within the Windows system, that is, to show the reader how to move beyond the simple GUI tools provided with the operating system in order to collect information about the state of the system. Many third-party tools are discussed, and several Perl scripts are provided in order to support this premise. Perl scripts are also used in this book to provide for customization and automation. By customization, we mean that Perl is used to correlate and "massage" the output of various third-party tools in order to present a more complete picture of the data. By automation, we mean that Perl is used in this book to implement a methodology so that the investigator does not have to perform the steps by hand, thereby avoiding mistakes and making the overall process more efficient.
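As an added illustration of the "correlate and massage" idea above, and of why the image path and command line that Task Manager omits matter, the following Python script (written for this page, not code from the book or its CD) joins a process listing that carries both fields with netstat -ano style output and flags a process that borrows a system binary's name but runs from outside the system directory. All sample input is constructed; the pipe-separated listing format, the system directory prefixes and the list of borrowed names are assumptions.

```python
"""Added example: correlate a process listing (image path + command line)
with netstat -ano style output and flag processes that borrow the name of
a core Windows binary but run from outside the system directory."""
import re
from dataclasses import dataclass, field

# Where genuine copies of core Windows binaries live (NT/2000 used \WINNT,
# XP/2003 use \WINDOWS). Assumption: extend for non-default install paths.
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")

# Names an intruder might borrow to blend in; the preface names svchost.exe
# and inetinfo.exe. Assumed list, extend as needed.
SYSTEM_BINARY_NAMES = {"svchost.exe", "inetinfo.exe", "lsass.exe", "services.exe"}

# Constructed sample of a third-party process lister's output. The
# 'pid | name | image path | command line' layout is an assumption, not
# the format of any particular tool. Task Manager would show only the name.
PROCESS_LISTING = r"""
# pid  | name         | image path                        | command line
4      | System       |                                   |
812    | svchost.exe  | C:\WINDOWS\system32\svchost.exe   | C:\WINDOWS\system32\svchost.exe -k netsvcs
1460   | inetinfo.exe | C:\temp\inetinfo.exe              | "C:\temp\inetinfo.exe" 80
"""

# Constructed sample modelled on 'netstat -ano' output (XP/2003 add the
# owning PID with -o); pid 1460 is the renamed listener on port 80.
NETSTAT_OUTPUT = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1460
  TCP    192.168.1.5:1043       192.168.1.9:445        ESTABLISHED     4
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


@dataclass
class Process:
    pid: int
    name: str
    image_path: str
    command_line: str
    listening: list = field(default_factory=list)  # TCP ports in LISTENING state


def parse_process_listing(text):
    """Return {pid: Process} from the pipe-separated listing above."""
    procs = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [f.strip() for f in line.split("|")]
        parts += [""] * (4 - len(parts))  # tolerate a missing trailing field
        pid, name, path, cmd = parts[:4]
        procs[int(pid)] = Process(int(pid), name.lower(), path, cmd)
    return procs


def attach_listeners(procs, netstat_text):
    """Join LISTENING TCP sockets onto their owning process by PID."""
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(3)) in procs:
            procs[int(m.group(3))].listening.append(int(m.group(2)))
    return procs


def is_masquerading(proc):
    """True when the name mimics a system binary but the image is not under a system directory."""
    if proc.name not in SYSTEM_BINARY_NAMES:
        return False
    path = proc.image_path.lower()
    return not any(path.startswith(d) for d in SYSTEM_DIRS)


def find_suspicious(procs):
    """Report masquerading processes together with the ports they listen on."""
    return [
        {"pid": p.pid, "name": p.name, "image_path": p.image_path,
         "command_line": p.command_line, "ports": sorted(p.listening)}
        for p in sorted(procs.values(), key=lambda x: x.pid)
        if is_masquerading(p)
    ]


def run_sample():
    """Run the correlation over the constructed samples."""
    procs = attach_listeners(parse_process_listing(PROCESS_LISTING), NETSTAT_OUTPUT)
    return find_suspicious(procs)


if __name__ == "__main__":
    for f in run_sample():
        print(f"pid {f['pid']}: {f['name']} from {f['image_path']} "
              f"listening on {f['ports']}; cmdline: {f['command_line']}")
```

On a real host the two inputs would come from a process lister that reports image paths and from netstat -ano, captured before the system is shut down, since both are volatile.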

This book guides the reader through information, tools, and techniques that are required to conduct incident response and live forensic audit activities. By providing the necessary background for understanding how incidents occur and how data can be hidden on compromised systems, the reader will have a better understanding of the "why's" and "how's" of incident response and forensic audit activities.


Table of Contents

Preface

1. Introduction
  • Definitions
  • Intended Audience
  • Book Layout
  • Defining the Issue
  • The Pervasiveness and Complexity of Windows Systems
  • The Pervasiveness of High-Speed Connections
  • The Pervasiveness of Easy-to-Use Tools
  • Purpose
  • Real Incidents
  • Where To Go For More Information
  • Conclusion

2. How Incidents Occur
  • Definitions
  • Purpose
  • Incidents
  • Local vs. Remote
  • Manual vs. Automatic
  • Lowest Common Denominator
  • Attacks Are Easy
  • Summary

3. Data Hiding
  • File Attributes
  • The Hidden Attribute
  • File Signatures
  • File Times
  • File Segmentation
  • File Binding
  • NTFS Alternate Data Streams
  • Hiding Data in the Registry
  • Office Documents
  • OLE Structured Storage
  • Steganography
  • Summary

4. Incident Preparation
  • Perimeter Devices
  • Host Configuration
  • NTFS File System
  • Configuring the System with the SCM
  • Group Policies
  • Getting Under the Hood
  • User Rights
  • Restricting Services
  • Permissions
  • Audit Settings and the Event Log
  • Windows File Protection
  • WFP and ADSs
  • Patch Management
  • Anti-Virus
  • Monitoring
  • Summary

5. Incident Response Tools
  • Definitions
  • Tools for Collecting Volatile Information
  • Logged On User(s)
  • Process Information
  • Process Memory
  • Network Information and Connections
  • Clipboard Contents
  • Command History
  • Services and Drivers
  • Group Policy Information
  • Tools for Collecting Non-Volatile Information
  • Collecting Files
  • Contents for the Recycle Bin
  • Registry Key Contents and Information
  • Scheduled Tasks
  • User Information
  • Dumping the Event Logs
  • Tools for Analyzing Files
  • Executable files
  • Process Memory Dumps
  • Microsoft Word Documents
  • PDF Documents
  • Summary

6. Developing a Methodology
  • Introduction
  • Prologue
  • First Dream
  • Second Dream
  • Third Dream
  • Fourth Dream
  • Fifth Dream
  • Summary

7. Knowing What to Look For
  • Investigation Overview
  • Infection Vectors
  • Malware Footprints and Persistence
  • Files and Directories
  • Registry Keys
  • Processes
  • Open Ports
  • Services
  • Rootkits
  • AFX Windows Rootkit 2003
  • Detecting Rootkits
  • Preventing Rootkit Installations
  • Summary

8. Using the Forensic Server Project
  • The Forensic Server Project
  • Collecting Data Using FSP
  • Launching the Forensic Server
  • Running the First Responder Utility
  • File Client Component
  • Correlating and Analyzing Data Using FSP
  • Infected Windows 2003 System
  • A Rootkit on a Windows 2000 System
  • A Compromised Windows 2000 System
  • Future Directions of the Forensic Server Project
  • Summary

9. Scanners and Sniffers
  • Port Scanners
  • Netcat
  • Portqry
  • Nmap
  • Network Sniffers
  • NetMon
  • Netcap
  • Windump
  • Analyzer
  • Ethereal
  • Summary

Appendix A. Installing Perl on Windows
  • Installing Perl and Perl Modules
  • Perl Editors
  • Running Perl Scripts
  • Setting Up Perl for Use with this Book
  • Win32::Lanman
  • Win32::TaskScheduler
  • Win32::File::Ver
  • Win32::API::Prototype
  • Win32::Perms
  • Win32::GUI
  • Win32::FileOp
  • Win32::DriveInfo
  • Win32::IPConfig
  • Summary

Appendix B. Web Sites
  • Searching
  • Sites for Information about Windows
  • Anti-Virus Sites
  • Program Sites
  • Security Information Sites
  • Perl Programming and Code Sites
  • General Reading

Appendix C. Answers to Chapter 9 Questions
  • FTP Traffic Capture
  • Netcat Traffic Capture
  • Null Session Traffic Capture
  • IIS Traffic Capture
  • Nmap Traffic Capture

Appendix D. CD Contents

Index

Read More Show Less

Preface

Preface

As long as networks of Microsoft Windows systems aremanaged, administered, and used by people, security incidents will occur.Regardless of whether weÕre talking about hundreds of corporate Windowsworkstations and servers or home user systems running Windows XP on broadbandconnections to the Internet, Windows systems will be attacked, compromised, andused for malicious purposes. This is not to say that only Windows systems willbe attacked; rather, Windows systems are highly pervasive throughout the entirecomputing infrastructure, from home and school systems to high-end e-commercesites. In contrast to this pervasiveness, information regarding conductingeffective incident response and forensic audit activities on Windows systems islimited, to say the least. Attacks may come from insiders who have legitimatephysical access to systems and are authorized to use them or from facelessindividuals hiding in the shapeless ether of the Internet. Knowing this, anyonewho manages or administers Windows systems (including the home user) needs toknow how to react when he suspects that an incident has occurred.

When it comes to investigating and resolving computer securityincidents, Windows systems lag well behind Linux and *nix systems. This gapcan be attributed to a variety of reasons. One reason is a lack of detailedtechnical knowledge regarding Windows systems themselves on the part ofadministrators. This lack of understanding may be due at least in part toMicrosoftÕs use of graphical user interfaces (GUIs) to control everything fromthe installation process to all aspects of system administration. Attackers andmalicious users take steps to ensure that their activities remain hidden fromview, particularly from the systemÕs GUI tools such as the Event Viewer and theTask Manager. For example, enabling an audit policy requires that the systemadministrator navigate through multiple layers of the GUI, while an attackercan easily disable (and then reenable, if necessary) that audit policy with asingle command line tool (which, incidentally, is provided for free fromMicrosoft).

Other reasons for the "incident response gap" include a lack ofunderstanding regarding how to use available native and third-party tools toretrieve data and how to interpret the data that is collected from potentiallyinfected or compromised systems. Many useful and powerful tools that mirror thefunctionality used on Linux systems are not available through either theMicrosoft operating system distributions or the Resource Kits. Sites that makethese tools available are scattered across the Internet, with no centrallocation cataloguing them. This book was written to aid anyone investigatingincidents that occur on Windows systems by providing information regarding thetools and techniques used to respond to incidents and conduct forensic audits.

This book arose out of a need that I, and I am sure others, haveseen in the Microsoft Windows system administration community. MicrosoftÕsnetwork operating systems, beginning with Windows NT, are designed to be easyto use and manage. These systems come with some very powerful tools. As usefulas these tools are to the administrator, they are also very useful to anattacker or to a malicious user. Most system administrators and owners spendtheir time dealing with Windows operating systems through the GUI, and in doingso, miss many of the important aspects of the operating system that go on"under the hood." For example, the Task Manager does not show the complete pathto the executable image for each process, nor does it display the command lineused to launch each process. This information is available using third-partytools, which most folks who work with Windows systems may not be familiar with.Therefore, it may be relatively simple to hide an errant process, such as anetwork backdoor, by renaming the file "svchost.exe" or something similarlyinnocuous.

Several years ago, I developed a hands-on course for teachingsystem administrators how to respond to security incidents on Windows 2000systems. While teaching the course to system administrators at variousorganizations, I saw the same things that I saw on listservs and on forums onthe Internet. During the first break on the first day of the course, I would goaround the room and "infect" all of the systems with a "Trojan." This "Trojan"was netcat, renamed to "inetinfo.exe," listening on port 80. When the attendeesreturned to the room, IÕd tell them that I "infected" their systems andchallenged them to find it. The purpose of this exercise was not to find outwho could find the "Trojan" first but to look at the steps that the attendeeswould go through in their incident response activities, to look at their"methodology." Invariably, every attendee would examine the contents of theEvent Log, comb through the Task Manager, and maybe run netstat Ðan from acommand prompt. All of the systems were connected to the Internet, and the onlyinstructions I would give to the class was that they could not use any of thetools from the course CD that IÕd put together. As the course progressedthrough the rest of the two days, the attendees became familiar with the toolsand techniques they could use to retrieve valuable data about a system, as wellas how to interpret that data.

IÕve assembled a good deal of unique content for this book,information that IÕve developed because I havenÕt been able to locate it anyplace else and therefore had to do my own research. For example, when I firstbegan researching NTFS alternate data streams, there wasnÕt much informationavailable. Over time, research has revealed additional information, which isincluded in this book. IÕve included tools that IÕve developed (written inPerl) and information, results, and insights from my own research. This bookalso includes information from a variety of sources put together in a singlelocation so that it can be easily referenced.

Unlike other books about incident response, this book is specificto Windows systems. Other books on the subject will present a great deal ofinformation regarding Linux and Unix systems, and in some cases, leave it up tothe reader to extrapolate the information to Windows. All of the tools andtechniques presented in this book are specific to Windows (NT, 2000, XP, and2003) systems.

The book is organized so that the reader progresses through anunderstanding of incidents, what they are and how they can (and do) occur. Fromthere, the reader is guided through developing an understanding of what isrequired to prevent incidents and how to prepare for them, and then where tolook for data and how to analyze that data, should an incident occur. Datahiding and tools used in incident response and live forensic audits are coveredat great length, and all of the information presented is specific to Windowsoperating systems, file systems (i.e., NTFS), and applications (i.e., MS Word,etc.). This information is presented in a progression, each chapter taking thecontent of the previous chapter further. However, each chapter can also stand onits own, as a reference that the reader can return to time and time again.

The main premise of this book is really very simple. When incidents occur, an entire spectrum of incident response activities can be performed. The lower end of the spectrum involves...well...nothing. No activity. Basically, the incident goes completely unrecognized or is simply ignored. The opposite end of the spectrum consists of those activities that purists think of when they hear the word "forensics": the system is shut down in a forensically sound manner and a bit-level image of the drive is made. All investigative activities are then conducted against that copy. This is usually accompanied by law enforcement involvement and may even lead to prosecution. However, many organizations do not wish to involve law enforcement when an incident occurs and generally conduct non-litigious investigations because they just want to get systems back online and in use. In other cases, potentially compromised systems may be part of an e-commerce infrastructure, in which downtime is measured in hundreds of dollars per minute. In such cases, an investigation will occur, but it will not involve law enforcement or legal prosecution, as the goal is determining what, if anything, happened. These steps may be required to gather information and facts in order to justify further action, such as taking the system down.

In addition, a great deal of extremely valuable information regarding the state of the system is lost when the system is shut down. This information is referred to as "volatile" information, and it includes such things as process information, network connections, clipboard contents, etc. This information can be retrieved, parsed, and analyzed in order to determine first whether an incident has even occurred, and then the extent of the incident. In some cases, enough information may have been collected to show that the incident is manageable, and the system does not have to be taken out of service to be "cleaned." More importantly, the investigator will want to understand how the system was infected or compromised so that shortfalls in security policies can be rectified and other systems protected.

The Perl programming language is used to programmatically demonstrate many of the concepts addressed throughout the book. The underlying premise of the book is to get the reader "under the hood" within the Windows system, that is, to show the reader how to move beyond the simple GUI tools provided with the operating system in order to collect information about the state of the system. Many third-party tools are discussed, and several Perl scripts are provided in order to support this premise. Perl scripts are also used in this book to provide for customization and automation. By customization, we mean that Perl is used to correlate and "massage" the output of various third-party tools in order to present a more complete picture of the data. By automation, we mean that Perl is used in this book to implement a methodology so that the investigator does not have to perform the steps by hand, thereby avoiding mistakes and making the overall process more efficient.
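As an added illustration of the "customization" use of Perl described above (this is not a script from the book), the following correlates netstat and tasklist output so that every listening socket is tied to a process name and compared against a per-host baseline. The sample output, the baseline and the host are constructed, and it assumes netstat's -o switch and the tasklist command, which XP and 2003 provide.

```perl
# Added example, not from the book: correlate "netstat -ano" listeners with
# "tasklist" output and report every listening socket absent from a baseline.
use strict; use warnings;
# Constructed sample output, laid out the way netstat -ano and tasklist print it.
my $netstat = <<'END';
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.10:1051      10.0.0.5:443           ESTABLISHED     2300
  UDP    0.0.0.0:445            *:*                                    4
END
my $tasklist = <<'END';
Image Name                   PID Session Name     Session#    Mem Usage
System                         4 Console                 0         236 K
svchost.exe                  892 Console                 0       4,812 K
inetinfo.exe                1844 Console                 0       1,204 K
END
# Listeners expected on this (constructed) workstation: "proto/port" => image name.
my %baseline = ('TCP/135' => 'svchost.exe', 'UDP/445' => 'System');
# tasklist lines -> { pid => image name }
sub parse_tasklist {
    my ($text) = @_;
    my %image;
    for (split /\n/, $text) {
        $image{$2} = $1 if /^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+\s+K\s*$/;
    }
    return \%image;
}
# netstat lines -> list of { proto, port, pid }, listening sockets only
sub parse_listeners {
    my ($text) = @_;
    my @found;
    for (split /\n/, $text) {
        if (/^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$/) {
            push @found, { proto => 'TCP', port => $1, pid => $2 };
        } elsif (/^\s*UDP\s+\S+:(\d+)\s+\*:\*\s+(\d+)\s*$/) {
            push @found, { proto => 'UDP', port => $1, pid => $2 };
        }
    }
    return \@found;
}
# Join the two views and print each listener that is not in the baseline.
my $image = parse_tasklist($tasklist);
for my $l (@{ parse_listeners($netstat) }) {
    my $key  = "$l->{proto}/$l->{port}";
    my $name = $image->{ $l->{pid} } // '(no process with this PID)';
    next if defined $baseline{$key} && $baseline{$key} eq $name;
    printf "UNEXPECTED %-8s pid %-5s %s\n", $key, $l->{pid}, $name;
}
```

Because the comparison is on image names, a renamed binary like the one in the course exercise above still requires looking at the executable behind the PID; what the script guarantees is only that no listening socket goes unattributed.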

This book guides the reader through information, tools, and techniques that are required to conduct incident response and live forensic audit activities. By providing the necessary background for understanding how incidents occur and how data can be hidden on compromised systems, the reader will have a better understanding of the "why's" and "how's" of incident response and forensic audit activities.


Customer Reviews

Average Rating: 4 (4 reviews)
  • Anonymous

    Posted September 22, 2004

    Priceless Reference For Today's Windows Administrators

    I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring. This is the first computer book that I have read cover to cover in well over 5 years and I have bought a lot of computer books. From the beginning until the end you are bombarded with information that is useful and relevant to today's Windows management. Not only are you told about different tools but are shown how they are used and what benefit they have, not only in incident response but also in daily monitoring. This book provides so much information it is hard to figure where I wanted to start with building my own incident response toolkit. You are given quite a few options on how to do an analysis and what tools you can use. Carvey leaves it up to you to determine what options you want to use for each analysis. Carvey is like a good parent giving their child all the information they will need in life and letting them apply it how they see fit. The scripts that are provided with the book are excellent and provide you with a strong base to build your own incident response toolkit. The Forensic Server Project which the author wrote is covered in Chapter 8 and provides an excellent framework that can be tweaked to use your own preferences and scripts of your choosing. The ease of using this framework to collect incident information will make the first responder's job that much easier considering the first responder will probably be under stress when doing this analysis. The instructions for installing it were very clear and easy to follow and I had it up and testing in a couple of minutes.

  • Anonymous

    Posted August 8, 2004

    distinctive case studies

    Perhaps an overdue book! Inasmuch as satisfying an unmet need goes. Carvey writes this book as a counterpart to those about defending a linux/unix system or network against attacks. He points out that Microsoft Windows sysadmins often suffer from several disadvantages compared to the other counterparts. There are fewer open source tools for network diagnostics. In part because the Microsoft operating systems are closed, it is harder, though not impossible, to write such tools. Plus, a sysadmin tends to be more dependent on the UI tools that come with the operating system. That is, if the UI tools show nothing anomalous, then the sysadmin thinks everything is hunky dory. But those tools can be fooled by smart attacks. Mind you, similar could also be said of some unix sysadmins, who restrict themselves to a UI. Carvey wrote this book to remedy these deficiencies. He goes into clear explanations of malware and how, for example, an attacker has various ways to hide a foreign file. A distinctive part of the book is the chapter on developing a methodology. He walks through several case studies of a sysadmin and his network, and how anomalies arise and can be tracked down. Written in an informal, novelistic style. Very readable and educational. Any sysadmin can easily relate to the flow of events and the logic and decisions the 'hero' makes. The chapter is the equivalent of the problem sets at the ends of chapters in other books. You do these to assimilate the chapters. But when discussing network security, it is hard to have that format of questions. Instead, Carvey presents each case study as a logical puzzle. To actually apply what he's covered in the preceding chapters.
