The first book completely devoted to this important part of security in a Windows environment.
° A one-stop shop for Microsoft Windows sys admins to find technical security information.
° The CD-Rom contains unique tools the author has written (code, network packet captures, and the results of a capture using the tools) and research methodologies that the reader can implement immediately.
° Provides strong examples and case studies to enhance understanding.
Praise for Windows Forensics and Incident Recovery
"Windows Forensics and Incident Recovery doesn't just discuss forensics, it also includes tools for analysis and shows readers how to use them. I look forward to putting these tools through their paces, and I recommend Carvey's book as a terrific addition to the security professional's bookshelf."
Warren G. Kruse II, Partner
Computer Forensic Services, LLC
"This book is a good reference for the tools needed to prepare for, respond to, and confirm a Windows-based computer incident."
Digital forensics researcher
"This book provides a unique 'command-line centric' view of Microsoft and non-Microsoft tools that can be very helpful to folks responsible for security and system administration on the Windows platform."
Vishwas Lele, principal architect
Applied Information Sciences, Inc.
"Harlan Carvey's book serves as a great resource for investigators and systems administrators looking to peek under the hoods of their Windows systems."
Jason Chan, security consultant
"Regardless of what you know already, you are guaranteed to learn something new about Windows incident response from this book."
Brian Behler, computer forensics and intrusion analyst/engineer
"Harlan Carvey's vast security and forensics experience shows through in all facets of this work. Many books have attempted to be the prescriptive guide to forensics on the Windows platform. This book not only attempts it, but it succeedswith guidance to spare."
Rick Kingslan, Microsoft MVP
"This book is the first to bring together into a single volume the topics of malicious code, incident response, and forensics on the Windows platform. Mr. Carvey's work should serve as a valuable reference for any Windows system administrator or security professional."
Jennifer Kolde, information security consultant, author, and instructor
"Harlan Carvey's book is a one-of-a-kind approach to do-it-yourself Windows forensics. With detailed and illustrative examples coupled with Harlan's renowned Perl scripts, this book certainly is a great find."
Mark Burnett, security consultant and author
The first book to focus on forensics and incident recovery in a Windows environment
Teaches through case studies and real world-examples
Companion CD contains unique tools developed by the author.
Covers Windows Server 2003, Windows 2000, Windows NT, and Windows XP
If you're responsible for protecting Windows systems, firewalls and anti-virus aren't enough. You also need to master incident response, recovery, and auditing. Leading Windows security expert and instructor Harlan Carvey offers a start-to-finish guide to the subject: everything administrators must know to recognize and respond to virtually any attack.
Drawing on his widely acclaimed course, Carvey uses real-world examples to cover every significant incident response, recovery, and forensics technique. He delivers a complete incident response toolset that combines today's best open source and freeware tools, his own exclusive software and scripts, and step-by-step instructions for using them. This book's tools and techniques apply to every current and professional version of Windows: NT, 2000, XP, and Windows Server 2003. Coverage includes:
Developing a practical methodology for responding to potential attacks
Preparing your systems to prevent and detect incidents
Recognizing the signatures of an attackin time to act
Uncovering attacks that evade detection by Event Viewer, Task Manager, and other Windows GUI tools
Using the Forensic Server Project to automate data collection during live investigations
Analyzing live forensics data in order to determine what occurred
CD-ROM contains incident response and forensics toolkit code developed by the author, sample network packet captures, as well as data collected from compromised systems using the Forensic Server Project. You can also access Carvey's website at http://www.windows-ir.com for code samples, updates, and errata.
I'd like to start by thanking Larry Leibrock and Jay Heiser for getting me started down this road. Several years ago, I had developed a 2-day, hands-on incident response course for Windows 2000, and Larry provided me with my initial opportunity to teach it at the University of Texas in Austin. This book began its life as the presentation for the incident response course. I had done a technical review of Jay and Warren Kruse's computer forensics book, and Jay provided my name to his former editor as someone who may be interested in writing a book on the subject of Windows security.
Karen Gettman offered me the opportunity to write this book, and I decided to take it. I'd had articles published, but I'd never written a book. Karen and her assistant, Elizabeth Zdunich, kept me on track throughout this process.
I'd like to thank several of the reviewers as well. Of all of the reviewers who've been involved in this process, I'd like to recognize Jennifer Kolde, Mike Lyman, and Jason Chan for their efforts and input. The reviews from these three individuals provided valuable constructive criticism regarding the content and structure of the book. I can't say that I followed all the advice they provided, but I did read and consider everything they said thoroughly. With their help and insight, I didn't feel as if I were working on this book alone. Thanks, guys, for your time and effort. And Jen, thanks for indulging me all those time I'd email you with thoughts about your comments. Those exchanges gave me even more insight into to the content of the book, as well as the subject of incident response on Windows systems, in general.
Finally, and most importantly, I'd like to thank Terri Dougherty. I've written a book, and yet I can't seem to find the words to express my gratitude for your support throughout this process. Thank you. I owe you a debt that I will be repaying for a long time.
© Copyright Pearson Education. All rights reserved.
Download the Sample
Chapter related to this title.
Defining the Issue.
The Pervasiveness and Complexity of Windows Systems.
The Pervasiveness of High-Speed Connections.
The Pervasiveness of Easy-to-Use Tools.
Where To Go For More Information.
2. How Incidents Occur.
Local vs. Remote.
Manual vs. Automatic.
Lowest Common Denominator.
Attacks Are Easy.
3. Data Hiding.
The Hidden Attribute.
NTFS Alternate Data Streams.
Hiding Data in the Registry.
OLE Structured Storage.
4. Incident Preparation.
NTFS File System.
Configuring the System with the SCM.
Getting Under the Hood.
Audit Settings and the Event Log.
Windows File Protection.
WFP and ADSs.
5. Incident Response Tools.
Tools for Collecting Volatile Information.
Logged On User(s).
Network Information and Connections.
Services and Drivers.
Group Policy Information.
Tools for Collecting Non-Volatile Information.
Contents for the Recycle Bin.
Registry Key Contents and Information.
Dumping the Event Logs.
Tools for Analyzing Files.
Process Memory Dumps.
Microsoft Word Documents.
6. Developing a Methodology.
7. Knowing What to Look For.
Malware Footprints and Persistence.
Files and Directories.
AFX Windows Rootkit 2003.
Preventing Rootkit Installations.
8. Using the Forensic Server Project.
The Forensic Server Project.
Collecting Data Using FSP.
Launching the Forensic Server.
Running the First Responder Utility.
File Client Component.
Correlating and Analyzing Data Using FSP.
Infected Windows 2003 System.
A Rootkit on a Windows 2000 System.
A Compromised Windows 2000 System.
Future Directions of the Forensic Server Project.
9. Scanners and Sniffers.
Appendix A. Installing Perl on Windows.
Installing Perl and Perl Modules.
Running Perl Scripts.
Setting Up Perl for Use with this Book.
Appendix B. Web Sites.
Sites for Information about Windows.
Security Information Sites.
Perl Programming and Code Sites.
Appendix C. Answers to Chapter 9 Questions.
FTP Traffic Capture.
Netcat Traffic Capture.
Null Session Traffic Capture.
IIS Traffic Capture.
Nmap Traffic Capture.
Appendix D. CD Contents.
Download the Index
file related to this title.