Windows Forensic Analysis Including DVD Toolkit.pdf

Time: 2022-09-10 07:58:30
[File attributes]:

File name: Windows Forensic Analysis Including DVD Toolkit.pdf

File size: 4.37MB

File format: PDF

Updated: 2022-09-10 07:58:30

Windows Forensic Analysis Including DVD Toolkit

The purpose of this book is to address a need. One thing that many computer forensic examiners have noticed is an overreliance by investigators on what forensic analysis tools are telling them, without really understanding where this information is coming from or how it is being created or derived. The age of “Nintendo forensics” (i.e., loading an acquired image into a forensic analysis application and pushing a button) is over. As analysts and examiners, we can no longer expect to investigate a case in such a manner. Cybercrime has increased in sophistication, and investigators need to understand what artifacts are available on a system, as well as how those artifacts are created and modified. With this level of knowledge, we come to understand that the absence of an artifact is itself an artifact. In addition, more and more presentations and material are available regarding anti-forensics, or techniques used to make forensic analysis more difficult. Moreover, there have been presentations at major conferences that discuss the anti-forensic technique of using the forensic analysts’ training and tools against them. This book is intended to address the need for a more detailed, granular level of understanding. It attempts not only to demonstrate what information is available to the investigator on both a live Windows system and in an acquired image but also to provide information on how to locate additional artifacts that may be of interest.
My primary reason for writing this book has been so that I can give back to a community and field of endeavor that has given so much to me. Since I started in the information security field over 10 years ago (prior to that, I was in the military and involved in physical and communications security), I’ve met a lot of great people and done a lot of really interesting things. Over time, people have shared things with me that have been extremely helpful, and some of those things have served as stepping stones into further research. Some of that research has found its way into presentations I’ve given at various conferences, and from there, others have asked questions and provided insight and answers that have helped push that research forward. The repeated exchanging of information and engaging in discussion have moved the interest and the level of knowledge forward, thus advancing the field.

xix Preface 423_Win_Foren_Pre.qxd 3/26/07 12:44 PM Page xix

This book is intended to address the technical aspects of collecting and analyzing data during both live and post-mortem investigations of Windows systems. It does not cover everything that could possibly be addressed. There is still considerable room for research in several areas, and a great deal of information needs to be catalogued. My hope is that this book will awaken the reader to the possibilities and opportunities that exist within Windows systems for a more comprehensive investigation and analysis.
Intended Audience

This book focuses on a fairly narrow technical area, Windows forensic analysis, but it’s intended for anyone who does, might do, or is thinking about performing forensic analysis of Windows systems. This book will be a useful reference for many, and my hope is that any readers who initially feel that the book is over their heads or beyond their technical reach will use the material they find as a starting point and a basis for questions and further study. When I started writing this book, it was not intended to be a second or follow-on edition to my first book, Windows Forensics and Incident Recovery, which was published by Addison-Wesley in July 2004. Rather, my intention was to move away from a more general focus and provide a resource not only for myself but also for others working in the computer forensic analysis field.

In writing this book, my goal was to provide a resource for forensic analysts, investigators, and incident responders. My hope is to provide not only useful material for those currently performing forensic investigations but also insight to system administrators who have been faced with incident response activities and have been left wondering, “What should I have done?” On that front, my hope is that we can eventually move away from the misconception that wiping the hard drive and reinstalling the operating system from clean media are acceptable resolutions to an incident. Even updating the patches on the system does not address configuration issues and in many cases will result in reinfection or the system being compromised all over again.

