Balyan Blog

Windows Forensics Cookbook

Introduction to the book "Windows Forensics Cookbook" by Oleg Skulkin and Scar de Courcier, published by Packt Publishing Limited in 2017. The book is offered in 5 pages, in pdf format, in English. "Windows Forensics Cookbook" is listed under the Uncategorized category.

Contents......Page 3
Preface......Page 11
Introduction......Page 17
Identifying evidence sources......Page 20
Ensuring evidence is forensically sound......Page 22
Writing reports......Page 23
Digital forensic investigation - an international field......Page 25
Challenges of acquiring digital evidence from Windows systems......Page 27
Introduction......Page 29
Windows memory acquisition with Belkasoft RAM Capturer......Page 31
Windows memory acquisition with DumpIt......Page 33
Windows memory image analysis with Belkasoft Evidence Center......Page 35
Windows memory image analysis with Volatility......Page 40
Variations in Windows versions......Page 47
Introduction......Page 51
Drive acquisition in E01 format with FTK Imager......Page 52
Drive acquisition in RAW format with dc3dd......Page 61
Mounting forensic images with Arsenal Image Mounter......Page 63
Introduction......Page 67
NTFS Analysis with The Sleuth Kit......Page 68
Undeleting files from NTFS with Autopsy......Page 74
Undeleting files from ReFS with ReclaiMe File Recovery......Page 81
File carving with PhotoRec......Page 85
Introduction......Page 93
Browsing and copying files from VSCs on a live system with ShadowCopyView......Page 94
Mounting VSCs from disk images with VSSADMIN and MKLINK......Page 99
Processing and analyzing VSC data with Magnet AXIOM......Page 102
Introduction......Page 109
Extracting and viewing Windows Registry files with Magnet AXIOM......Page 110
Parsing registry files with RegRipper......Page 117
Recovering deleted Registry artifacts with Registry Explorer......Page 119
Registry analysis with FTK Registry Viewer......Page 122
Introduction......Page 130
Recycle Bin content analysis with EnCase Forensic......Page 131
Recycle bin content analysis with Rifiuti2......Page 136
Recycle bin content analysis with Magnet AXIOM......Page 138
Event log analysis with FullEventLogView......Page 140
Event log analysis with Magnet AXIOM......Page 143
Event log recovery with EVTXtract......Page 146
LNK file analysis with EnCase forensic......Page 148
LNK file analysis with LECmd......Page 152
LNK file analysis with Link Parser......Page 155
Prefetch file analysis with Magnet AXIOM......Page 156
Prefetch file parsing with PECmd......Page 160
Prefetch file recovery with Windows Prefetch Carver......Page 162
Introduction......Page 165
Mozilla Firefox analysis with BlackBag's BlackLight......Page 166
Google Chrome analysis with Magnet AXIOM......Page 170
Microsoft Internet Explorer and Microsoft Edge analysis with Belkasoft Evidence Center......Page 173
Extracting web browser data from Pagefile.sys......Page 178
Introduction......Page 183
Outlook mailbox parsing with Intella......Page 184
Thunderbird mailbox parsing with Autopsy......Page 195
Webmail analysis with Magnet AXIOM......Page 199
Skype forensics with Belkasoft Evidence Center......Page 201
Skype forensics with SkypeLogView......Page 204
Introduction......Page 207
Parsing Windows 10 Notifications......Page 208
Cortana forensics......Page 212
OneDrive forensics......Page 214
Dropbox forensics......Page 219
Windows 10 mail app......Page 223
Windows 10 Xbox App......Page 226
Introduction......Page 228
Data visualization with FTK......Page 229
Making a timeline in Autopsy......Page 232
Introduction......Page 243
Troubleshooting in commercial tools......Page 244
Troubleshooting in free and open source tools......Page 245
Troubleshooting when processes fail......Page 246
False positives during data processing with digital forensics software......Page 250
Taking your first steps in digital forensics......Page 251
Advanced further reading......Page 254
Index......Page 258

Maximize the power of Windows Forensics to perform highly effective forensic investigations.

About This Book

Prepare and perform investigations using powerful tools for Windows.
Collect and validate evidence from suspects and computers and uncover clues that are otherwise difficult.
Packed with powerful recipes to perform highly effective field investigations.

Who This Book Is For

If you are a forensic analyst or incident response professional who wants to perform computer forensics investigations for the Windows platform and expand your toolkit, then this book is for you.

What You Will Learn

Understand the challenges of acquiring evidence from Windows systems and overcome them.
Acquire and analyze Windows memory and drive data with modern forensic tools.
Extract and analyze data from Windows file systems, shadow copies and the registry.
Understand the main Windows system artifacts and learn how to parse data from them using forensic tools.
See a forensic analysis of common web browsers, mailboxes, and instant messenger services.
Discover how Windows 10 differs from previous versions and how to overcome the specific challenges it presents.
Create a graphical timeline and visualize data, which can then be incorporated into the final report.
Troubleshoot issues that arise while performing Windows forensics.

In Detail

Windows Forensics Cookbook provides recipes to overcome forensic challenges and helps you carry out effective investigations easily on a Windows platform. You will begin with a refresher on digital forensics and evidence acquisition, which will help you to understand the challenges faced while acquiring evidence from Windows systems. Next you will learn to acquire Windows memory data and analyze Windows systems with modern forensic tools. We also cover some more in-depth elements of forensic analysis, such as how to analyze data from Windows system artifacts, parse data from the most commonly used web browsers and email services, and effectively report on digital forensic investigations. You will see how Windows 10 is different from previous versions and how you can overcome the specific challenges it brings. Finally, you will learn to troubleshoot issues that arise while performing digital forensic investigations.

By the end of the book, you will be able to carry out forensics investigations efficiently.

Style and approach

This practical guide is filled with hands-on, actionable recipes to detect, capture, and recover digital artifacts and del..
Download the book Windows Forensics Cookbook