Windows Forensics Cookbook

Maximize the power of Windows Forensics to perform highly effective forensic investigations
Oleg Skulkin, Scar de Courcier
Book Details

ISBN 13: 9781784390495
Paperback: 274 pages

Book Description

Windows Forensics Cookbook provides recipes to overcome forensic challenges and helps you carry out effective investigations easily on a Windows platform. You will begin with a refresher on digital forensics and evidence acquisition, which will help you understand the challenges faced while acquiring evidence from Windows systems. Next, you will learn to acquire Windows memory data and analyze Windows systems with modern forensic tools. We also cover some more in-depth elements of forensic analysis, such as how to analyze data from Windows system artifacts, parse data from the most commonly used web browsers and email services, and effectively report on digital forensic investigations.

You will see how Windows 10 is different from previous versions and how you can overcome the specific challenges it brings. Finally, you will learn to troubleshoot issues that arise while performing digital forensic investigations.

By the end of the book, you will be able to carry out forensic investigations efficiently.

Table of Contents

Chapter 1: Digital Forensics and Evidence Acquisition
Introduction
Identifying evidence sources
Ensuring evidence is forensically sound
Writing reports
Digital forensic investigation - an international field
Challenges of acquiring digital evidence from Windows systems
Chapter 2: Windows Memory Acquisition and Analysis
Introduction
Windows memory acquisition with Belkasoft RAM Capturer
Windows memory acquisition with DumpIt
Windows memory image analysis with Belkasoft Evidence Center
Windows memory image analysis with Volatility
Variations in Windows versions
Chapter 3: Windows Drive Acquisition
Introduction
Drive acquisition in E01 format with FTK Imager
Drive acquisition in RAW format with dc3dd
Mounting forensic images with Arsenal Image Mounter
Chapter 4: Windows File System Analysis
Introduction
NTFS Analysis with The Sleuth Kit
Undeleting files from NTFS with Autopsy
Undeleting files from ReFS with ReclaiMe File Recovery
File carving with PhotoRec
Chapter 5: Windows Shadow Copies Analysis
Introduction
Browsing and copying files from VSCs on a live system with ShadowCopyView
Mounting VSCs from disk images with VSSADMIN and MKLINK
Processing and analyzing VSC data with Magnet AXIOM
Chapter 6: Windows Registry Analysis
Introduction
Extracting and viewing Windows Registry files with Magnet AXIOM
Parsing registry files with RegRipper
Recovering deleted Registry artifacts with Registry Explorer
Registry analysis with FTK Registry Viewer
Chapter 7: Main Windows Operating System Artifacts
Introduction
Recycle Bin content analysis with EnCase Forensic
Recycle bin content analysis with Rifiuti2
Recycle bin content analysis with Magnet AXIOM
Event log analysis with FullEventLogView
Event log analysis with Magnet AXIOM
Event log recovery with EVTXtract
LNK file analysis with EnCase forensic
LNK file analysis with LECmd
LNK file analysis with Link Parser
Prefetch file analysis with Magnet AXIOM
Prefetch file parsing with PECmd
Prefetch file recovery with Windows Prefetch Carver
Chapter 8: Web Browser Forensics
Introduction
Mozilla Firefox analysis with BlackBag's BlackLight
Google Chrome analysis with Magnet AXIOM
Microsoft Internet Explorer and Microsoft Edge analysis with Belkasoft Evidence Center
Extracting web browser data from Pagefile.sys
Chapter 9: Email and Instant Messaging Forensics
Introduction
Outlook mailbox parsing with Intella
Thunderbird mailbox parsing with Autopsy
Webmail analysis with Magnet AXIOM
Skype forensics with Belkasoft Evidence Center
Skype forensics with SkypeLogView
Chapter 10: Windows 10 Forensics
Introduction
Parsing Windows 10 Notifications
Cortana forensics
OneDrive forensics
Dropbox forensics
Windows 10 mail app
Windows 10 Xbox App
Chapter 11: Data Visualization
Introduction
Data visualization with FTK
Making a timeline in Autopsy
Chapter 12: Troubleshooting in Windows Forensic Analysis
Introduction
Troubleshooting in commercial tools
Troubleshooting in free and open source tools
Troubleshooting when processes fail
False positives during data processing with digital forensics software
Taking your first steps in digital forensics
Advanced further reading

What You Will Learn

  • Understand the challenges of acquiring evidence from Windows systems and overcome them
  • Acquire and analyze Windows memory and drive data with modern forensic tools
  • Extract and analyze data from Windows file systems, shadow copies and the registry
  • Understand the main Windows system artifacts and learn how to parse data from them using forensic tools
  • See a forensic analysis of common web browsers, mailboxes, and instant messenger services
  • Discover how Windows 10 differs from previous versions and how to overcome the specific challenges it presents
  • Create a graphical timeline and visualize data, which can then be incorporated into the final report
  • Troubleshoot issues that arise while performing Windows forensics
