Windows Forensics and Incident Recovery
Addison-Wesley Educational Publishers Inc
978-0-321-20098-3 (ISBN)
- Titel ist leider vergriffen;
keine Neuauflage - Artikel merken
As long as networks of Microsoft Windows systems are managed,administered, and used by people, security incidents will occur. Windowssystems are highly pervasive throughout the entire computing infrastructure,from home and school systems, to high-end e-commerce sites. In contrast tothis pervasiveness, information regarding conducting effective incidentresponse and forensic audit activities on Windows systems is limited. Whilethere are many security books available, none focus specifically on Windowssecurity. There are also resources available online, but they are scattered andoften too general. This book is a compilation of all the information currentlyavailable on this subject. It is for anyone who manages or administers Windowssystems (including home users) and needs to know how to react when theysuspect that an incident has occurred. It guides the reader throughinformation, tools, and techniques that are required to conduct incidentresponse or a live forensics audit activities. By providing the necessarybackground for understanding how incidents occur and how data can behidden on compromised systems, the reader will have a better understanding ofthe "whys" and "hows" of incident response and forensic audit activities. *It isimportant to note that regulatory issues are also pushing organizations towardbetter security and incident preparedness policies.
Harlan Carvey¿s interest in computer and information security began while he was an officer in the U.S. military, during which time he earned his master¿s degree in Electrical Engineering. After leaving military service, he began working in the field of commercial and government information security consulting, performing vulnerability assessments and penetration tests. While employed at one company, he was the sole developer of a program for collecting security-specific information (i.e., Registry entries, file information, configuration settings, etc.) from Windows NT systems during vulnerability assessments. The purpose of the product was to overcome shortfalls in commercial scanning products and provide more valuable information to the customer. Harlan has also done considerable work in the area of incident response and forensics, performing internal and external investigations. He has also written a number of proof-of- concept tools for educating users in such topics as Windows null sessions, file signature analysis, and the retrieval of metadata from a variety of files. Harlan¿s experience with computers began in the early ¿80s, with a Timex-Sinclair 1000. Around that time, he was learning to program BASIC on an Apple IIe. From there, he moved on to computers such as the Epson QX-10 and the TRS-80, on which he programmed BASIC learned PASCAL, using the TurboPASCAL compiler. Since then, he¿s worked with SunOS and Solaris systems, as well as various versions of DOS and Windows, OS/2, and Linux. Harlan has presented at Usenix, DefCon9, Black Hat, GMU2003 on various topics specific to issues on Windows platforms, such as data hiding. He has had articles published in the Information Security Bulletin and on the SecurityFocus web site.
Preface.
1. Introduction.
Definitions.
Intended Audience.
Book Layout.
Defining the Issue.
The Pervasiveness and Complexity of Windows Systems.
The Pervasiveness of High-Speed Connections.
The Pervasiveness of Easy-to-Use Tools.
Purpose.
Real Incidents.
Where To Go For More Information.
Conclusion.
2. How Incidents Occur.
Definitions.
Purpose.
Incidents.
Local vs. Remote.
Manual vs. Automatic.
Lowest Common Denominator.
Attacks Are Easy.
Summary.
3. Data Hiding.
File Attributes.
The Hidden Attribute.
File Signatures.
File Times.
File Segmentation.
File Binding.
NTFS Alternate Data Streams.
Hiding Data in the Registry.
Office Documents.
OLE Structured Storage.
Steganography.
Summary.
4. Incident Preparation.
Perimeter Devices.
Host Configuration.
NTFS File System.
Configuring the System with the SCM.
Group Policies.
Getting Under the Hood.
User Rights.
Restricting Services.
Permissions.
Audit Settings and the Event Log.
Windows File Protection.
WFP and ADSs.
Patch Management.
Anti-Virus.
Monitoring.
Summary.
5. Incident Response Tools.
Definitions.
Tools for Collecting Volatile Information.
Logged On User(s).
Process Information.
Process Memory.
Network Information and Connections.
Clipboard Contents.
Command History.
Services and Drivers.
Group Policy Information.
Tools for Collecting Non-Volatile Information.
Collecting Files.
Contents for the Recycle Bin.
Registry Key Contents and Information.
Scheduled Tasks.
User Information.
Dumping the Event Logs.
Tools for Analyzing Files.
Executable files.
Process Memory Dumps.
Microsoft Word Documents.
PDF Documents.
Summary.
6. Developing a Methodology.
Introduction.
Prologue.
First Dream.
Second Dream.
Third Dream.
Fourth Dream.
Fifth Dream.
Summary.
7. Knowing What to Look For.
Investigation Overview.
Infection Vectors.
Malware Footprints and Persistence.
Files and Directories.
Registry Keys.
Processes.
Open Ports.
Services.
Rootkits.
AFX Windows Rootkit 2003.
Detecting Rootkits.
Preventing Rootkit Installations.
Summary.
8. Using the Forensic Server Project.
The Forensic Server Project.
Collecting Data Using FSP.
Launching the Forensic Server.
Running the First Responder Utility.
File Client Component.
Correlating and Analyzing Data Using FSP.
Infected Windows 2003 System.
A Rootkit on a Windows 2000 System.
A Compromised Windows 2000 System.
Future Directions of the Forensic Server Project.
Summary.
9. Scanners and Sniffers.
Port Scanners.
Netcat.
Portqry.
Nmap.
Network Sniffers.
NetMon.
Netcap.
Windump.
Analyzer.
Ethereal.
Summary.
Appendix A. Installing Perl on Windows.
Installing Perl and Perl Modules.
Perl Editors.
Running Perl Scripts.
Setting Up Perl for Use with this Book.
Win32::Lanman.
Win32::TaskScheduler.
Win32::File::Ver.
Win32::API::Prototype.
Win32::Perms.
Win32::GUI.
Win32::FileOp.
Win32::DriveInfo.
Win32::IPConfig.
Summary.
Appendix B. Web Sites.
Searching.
Sites for Information about Windows.
Anti-Virus Sites.
Program Sites.
Security Information Sites.
Perl Programming and Code Sites.
General Reading.
Appendix C. Answers to Chapter 9 Questions.
FTP Traffic Capture.
Netcat Traffic Capture.
Null Session Traffic Capture.
IIS Traffic Capture.
Nmap Traffic Capture.
Appendix D. CD Contents.
Index.
Erscheint lt. Verlag | 5.8.2004 |
---|---|
Verlagsort | New Jersey |
Sprache | englisch |
Maße | 178 x 236 mm |
Gewicht | 948 g |
Themenwelt | Informatik ► Betriebssysteme / Server ► Windows |
Informatik ► Netzwerke ► Sicherheit / Firewall | |
Informatik ► Theorie / Studium ► Kryptologie | |
ISBN-10 | 0-321-20098-5 / 0321200985 |
ISBN-13 | 978-0-321-20098-3 / 9780321200983 |
Zustand | Neuware |
Haben Sie eine Frage zum Produkt? |