What Is Forensic Profiling?
This book mainly discusses the technical issues of collecting and analyzing evidence data at different moments while a Windows system is running and after it has been shut down. It focuses on Windows memory analysis, registry analysis, file analysis, executable file analysis, and rootkits.
Windows Forensics Analysis
- "Windows Forensic Analysis" not only provides references for forensic analysts, investigators and emergency response personnel, but also provides reference and assistance for government and corporate investigators, judicial officials, and readers interested in Windows forensic analysis. [1]
- Harlan Carvey (CISSP) is the author of Windows Forensics and Incident Recovery. Harlan Carvey is a computer forensics and incident response consultant in northern Silicon Valley and the metropolitan area. He now provides incident response and computer forensics services to customers in all regions of the United States. Harlan's areas of expertise focus on incident response, registry and memory analysis of Windows 2000 and later platforms, and post-mortem computer forensics analysis. Harlan has provided vulnerability assessment and penetration testing services as a full-time security engineer. Harlan also provides incident response and computer forensics services to federal government agencies.
- Harlan holds a bachelor's degree in electrical engineering from the Virginia Military Institute and a master's degree in electrical engineering from the Naval Postgraduate School.
- Harlan would like to thank his wife, Terri, for her support, patience, and humor during the writing of this book.
- Foreword
- Chapter 1. Live Response: Data Collection
- Introduction
- Live response
- Locard's exchange principle
- Order of volatility
- When to start forensics
- What data is collected
- System time
- Currently logged-in users
- Open files
- Network information (cached NetBIOS name list)
- Internet connection
- Process information
- Process-to-port mapping
- Process memory
- Network status
- Clipboard contents
- Service / Driver Information
- Command line history
- Mapped drives
- Shares
- Non-volatile information
- Registry settings
- Event log
- Devices and other information
- How to choose a tool
- Live response methodologies
- Local response methodology
- Remote response methodology
- Hybrid approach
- Summary
- References
- Solutions fast track
- Frequently asked questions
- Chapter 2. Live Response: Data Analysis
- Introduction
- Data analysis
- Case number one
- Case two
- Agile analysis
- Expanding the scope
- Response
- Prevention
- Summary
- References
- Solutions fast track
- Frequently asked questions
- Chapter 3. Windows Memory Analysis
- Introduction
- A brief history of memory analysis
- Acquiring a physical memory dump
- Hardware-based solutions
- Using the FireWire interface
- Crash dump
- Leveraging virtual machines
- Hibernation file
- DD
- Analyzing a physical memory dump
- Process basics
- Analyzing a memory dump
- Analyzing process memory
- Extracting the process executable image
- Memory dump analysis and the page file
- Determining the operating system from a memory dump
- Analyzing the memory pool
- Acquiring process memory
- ...