Windows Forensics: The Field Guide for Corporate Computer Investigations



The evidence is in--to solve Windows crime, you need Windows tools

An arcane pursuit a decade ago, forensic science today is a household term. And while the computer forensic analyst may not lead as exciting a life as TV's CSIs do, he or she relies just as heavily on scientific principles and just as surely solves crime.

Whether you are contemplating a career in this growing field or are already an analyst in a Unix/Linux environment, this book prepares you to combat computer crime in the Windows world. Here are the tools to help you recover sabotaged files, track down the source of threatening e-mails, investigate industrial espionage, and expose computer criminals.
* Identify evidence of fraud, electronic theft, and employee Internet abuse
* Investigate crime related to instant messaging, Lotus Notes®, and increasingly popular browsers such as Firefox®
* Learn what it takes to become a computer forensics analyst
* Take advantage of sample forms and layouts as well as case studies
* Protect the integrity of evidence
* Compile a forensic response toolkit
* Assess and analyze damage from computer crime and process the crime scene
* Develop a structure for effectively conducting investigations
* Discover how to locate evidence in the Windows Registry


Product Details

  • ISBN-13: 9780470038628
  • Publisher: Wiley
  • Publication date: 5/15/2006
  • Edition number: 1
  • Pages: 408
  • Sales rank: 511,388
  • Product dimensions: 7.30 (w) x 9.10 (h) x 0.80 (d)

Meet the Author

Chad Steel has investigated more than 300 computer security incidents. As an adjunct faculty member, he developed and taught the Computer Forensics graduate course in Penn State's engineering program and has instructed federal and local law enforcement, commercial clients, and graduate students in forensic analysis. His experience includes serving as head of IT investigations for a Global 100 corporation and as managing director of the Systems Integration and Security practice at Qwest Communications.

Table of Contents

Chapter 1. Windows Forensics.
    The Corporate Computer Forensic Analyst.
    Windows Forensics.
    People, Processes, and Tools.
    Computer Forensics: Today and Tomorrow.
    Additional Resources.

Chapter 2. Processing the Digital Crime Scene.
    Identify the Scene.
    Perform Remote Research.
    Secure the Crime Scene.
    Document the Scene.
    Process the Scene for Physical Evidence.
    Process the Scene for Electronic Evidence.
    Chain of Custody.
    Best Evidence.
    Working with Law Enforcement.
    Additional Resources.

Chapter 3. Windows Forensic Basics.
    History and Versions.
    Windows 1.x, 2.x, and 3.x.
    Windows NT and 2000.
    Windows 95, 98, and ME.
    Windows XP and 2003.
    Non-Volatile Storage.
    Floppy Disks.
    CDs and DVDs.
    USB Flash Drives.
    Hard Disks.
    Additional Resources.

Chapter 4. Partitions and File Systems.
    Master Boot Record.
    Windows File Systems.
    Additional Resources.

Chapter 5. Directory Structure and Special Files.
    Windows NT/2000/XP.
    Windows 9x.
    Additional Resources.

Chapter 6. The Registry.
    Registry Basics.
    Registry Analysis.
    Folder Locations.
    Startup Items.
    Advanced Registry Analysis.
    Additional Resources.

Chapter 7. Forensic Analysis.

Chapter 8. Live System Analysis.
    Covert Analysis.
    System State Analysis.
    System Tools.
    Services and Applications.
    Remote Enumeration.
    Keystroke Recording.
    Network Monitoring.
    Overt Analysis.
    GUI-based Overt Analysis.
    Local Command Line Analysis.
    Remote Command Line Analysis.
    Basic Information Gathering.
    System State Information.
    Running Program Information.
    Main Memory Analysis.
    Additional Resources.

Chapter 9. Forensic Duplication.
    Hard Disk Duplication.
    In-Situ Duplication.
    Direct Duplication.
    Magnetic Tape.
    Hard Disks.
    Optical Disks.
    Multi-tiered Storage.
    Log File Duplication.
    Additional Resources.

Chapter 10. File System Analysis.
    Index-based Searching.
    Bitwise Searching.
    Search Methodology.
    Hash Analysis.
    Positive Hash Analysis.
    Negative Hash Analysis.
    File Recovery.
    Special Files.
    Print Spool Files.
    Windows Shortcuts.
    Paging File.
    Additional Resources.

Chapter 11. Log File Analysis.
    Event Logs.
    Application Log.
    System Log.
    Security Log.
    Successful Log-on/Log-off Events.
    Failed Log-on Event.
    Change of Policy.
    Successful or Failed Object Access.
    Account Change.
    Log Clearing.
    Internet Logs.
    HTTP Logs.
    FTP Logs.
    SMTP Logs.
    Additional Resources.

Chapter 12. Internet Usage Analysis.
    Web Activity.
    Internet Explorer.
    Toolbar History.
    Network, Proxy, and DNS History.
    Peer-to-Peer Networking.
    Gnutella Clients.
    Other Information.
    FastTrack Clients.
    Overnet, eMule, and eDonkey2000 Clients.
    Instant Messaging.
    AOL Instant Messenger.
    Microsoft Messenger.
    Additional Resources.

Chapter 13. Email Investigations.
    Outlook/Outlook Express.
    Outlook Express.
    Access Control.
    Lotus Notes.
    Access Control and Logging.
    Address Book.
    Additional Resources.

Appendix A. Sample Chain of Custody Form.
Appendix B. Master Boot Record Layout.
Appendix C. Partition Types.
Appendix D. FAT32 Boot Sector Layout.
Appendix E. NTFS Boot Sector Layout.
Appendix F. NTFS Metafiles.
Appendix G. Well-Known SIDs.
