What Is Forensic Profiling?

This book mainly discusses the technical issues of collecting and analyzing evidence data at the different stages of a Windows system's life: while it is running (live) and after it has been shut down (post-mortem). It focuses on Windows memory analysis, registry analysis, file analysis, executable file analysis, and rootkits.

Windows Forensics Analysis

"Windows Forensic Analysis" not only provides a reference for forensic analysts, investigators and incident response personnel, but also offers reference material and assistance for government and corporate investigators, judicial officials, and any reader interested in Windows forensic analysis. [1]

Harlan Carvey (CISSP) is the author of Windows Forensics and Incident Recovery. Harlan Carvey is a computer forensics and incident response consultant in northern Silicon Valley and the metropolitan area. He now provides incident response and computer forensics services to customers in all regions of the United States. Harlan's areas of expertise focus on incident response, registry and memory analysis of Windows 2000 and later platforms, and post-mortem computer forensic analysis. Harlan has provided vulnerability assessment and penetration testing services as a full-time security engineer. Harlan also provides incident response and computer forensics services to federal government agencies.

Harlan holds a bachelor's degree in electrical engineering from the Virginia Military Institute and a master's degree in electrical engineering from the Naval Postgraduate School.

Harlan would like to thank his wife, Terri, for her support, patience, and humor during the writing of this book.
Foreword

Chapter 1. Live Response: Data Collection
    Introduction
    Live response (forensics on a running system)
    Locard's exchange principle
    Order of volatility
    When to perform live response
    What data is collected
        Volatile information
            System time
            Currently logged-in users
            Open files
            Network information (cached NetBIOS name table)
            Network connections
            Process information
            Process-to-port mapping
            Process memory
            Network status
            Clipboard contents
            Service / driver information
            Command-line history
            Mapped drives
            Shares
        Non-volatile information
            Registry settings
            Event logs
            Devices and other information
    How to choose a tool
    Live response methods
        Local live response method
        Remote response method
        Hybrid approach
    Summary
    References
    Solutions fast track
    Frequently asked questions

Chapter 2. Live Response: Data Analysis
    Introduction
    Data analysis
        Case one
        Case two
    Agile analysis
        Expanding the scope
        Response
        Prevention
    Summary
    References
    Solutions fast track
    Frequently asked questions

Chapter 3. Windows Memory Analysis
    Introduction
    A brief history of memory analysis
    Acquiring a physical memory image
        Hardware-based solutions
        Using the FireWire interface
        Crash dumps
        Leveraging virtual machines
        Hibernation file
        DD
    Analyzing a physical memory image
        Process basics
        Analyzing a memory image
        Analyzing process memory
        Extracting a process's executable image
        Memory image analysis and the page (swap) file
        Determining the operating system type from a memory image
        Analyzing the memory pool
        Acquiring process memory
    ...
