Windows Forensics and Incident Recovery (Addison-Wesley Microsoft Technology Series) (Paperback)

by Harlan Carvey (Author)
4.3 out of 5 stars (7 customer reviews)



Editorial Reviews

Product Description
As long as networks of Microsoft Windows systems are managed, administered, and used by people, security incidents will occur. Windows systems are highly pervasive throughout the entire computing infrastructure, from home and school systems to high-end e-commerce sites. In contrast to this pervasiveness, information regarding conducting effective incident response and forensic audit activities on Windows systems is limited. While there are many security books available, none focus specifically on Windows security. There are also resources available online, but they are scattered and often too general. This book is a compilation of all the information currently available on this subject. It is for anyone who manages or administers Windows systems (including home users) and needs to know how to react when they suspect that an incident has occurred. It guides the reader through the information, tools, and techniques that are required to conduct incident response or live forensics audit activities. By providing the necessary background for understanding how incidents occur and how data can be hidden on compromised systems, the reader will have a better understanding of the "whys" and "hows" of incident response and forensic audit activities. It is important to note that regulatory issues are also pushing organizations toward better security and incident preparedness policies.

From the Back Cover

Praise for Windows Forensics and Incident Recovery

"Windows Forensics and Incident Recovery doesn't just discuss forensics, it also includes tools for analysis and shows readers how to use them. I look forward to putting these tools through their paces, and I recommend Carvey's book as a terrific addition to the security professional's bookshelf."
—Warren G. Kruse II, Partner
Computer Forensic Services, LLC

"This book is a good reference for the tools needed to prepare for, respond to, and confirm a Windows-based computer incident."
—Brian Carrier
Digital forensics researcher

"This book provides a unique 'command-line centric' view of Microsoft and non-Microsoft tools that can be very helpful to folks responsible for security and system administration on the Windows platform."
—Vishwas Lele, principal architect
Applied Information Sciences, Inc.

"Harlan Carvey's book serves as a great resource for investigators and systems administrators looking to peek under the hoods of their Windows systems."
—Jason Chan, security consultant
@stake

"Regardless of what you know already, you are guaranteed to learn something new about Windows incident response from this book."
—Brian Behler, computer forensics and intrusion analyst/engineer

"Harlan Carvey's vast security and forensics experience shows through in all facets of this work. Many books have attempted to be the prescriptive guide to forensics on the Windows platform. This book not only attempts it, but it succeeds—with guidance to spare."
—Rick Kingslan, Microsoft MVP
West Corporation

"This book is the first to bring together into a single volume the topics of malicious code, incident response, and forensics on the Windows platform. Mr. Carvey's work should serve as a valuable reference for any Windows system administrator or security professional."
—Jennifer Kolde, information security consultant, author, and instructor

"Harlan Carvey's book is a one-of-a-kind approach to do-it-yourself Windows forensics. With detailed and illustrative examples coupled with Harlan's renowned Perl scripts, this book certainly is a great find."
—Mark Burnett, security consultant and author

  • The first book to focus on forensics and incident recovery in a Windows environment

  • Teaches through case studies and real-world examples

  • Companion CD contains unique tools developed by the author

  • Covers Windows Server 2003, Windows 2000, Windows NT, and Windows XP

If you're responsible for protecting Windows systems, firewalls and anti-virus aren't enough. You also need to master incident response, recovery, and auditing. Leading Windows security expert and instructor Harlan Carvey offers a start-to-finish guide to the subject: everything administrators must know to recognize and respond to virtually any attack.

Drawing on his widely acclaimed course, Carvey uses real-world examples to cover every significant incident response, recovery, and forensics technique. He delivers a complete incident response toolset that combines today's best open source and freeware tools, his own exclusive software and scripts, and step-by-step instructions for using them. This book's tools and techniques apply to every current and professional version of Windows: NT, 2000, XP, and Windows Server 2003. Coverage includes:

  • Developing a practical methodology for responding to potential attacks

  • Preparing your systems to prevent and detect incidents

  • Recognizing the signatures of an attack—in time to act

  • Uncovering attacks that evade detection by Event Viewer, Task Manager, and other Windows GUI tools

  • Using the Forensic Server Project to automate data collection during live investigations

  • Analyzing live forensics data in order to determine what occurred

CD-ROM INCLUDED

CD-ROM contains incident response and forensics toolkit code developed by the author, sample network packet captures, as well as data collected from compromised systems using the Forensic Server Project. You can also access Carvey's website at http://www.windows-ir.com for code samples, updates, and errata.

Acknowledgments

I'd like to start by thanking Larry Leibrock and Jay Heiser for getting me started down this road. Several years ago, I had developed a 2-day, hands-on incident response course for Windows 2000, and Larry provided me with my initial opportunity to teach it at the University of Texas in Austin. This book began its life as the presentation for the incident response course. I had done a technical review of Jay and Warren Kruse's computer forensics book, and Jay provided my name to his former editor as someone who may be interested in writing a book on the subject of Windows security.

Karen Gettman offered me the opportunity to write this book, and I decided to take it. I'd had articles published, but I'd never written a book. Karen and her assistant, Elizabeth Zdunich, kept me on track throughout this process.

I'd like to thank several of the reviewers as well. Of all of the reviewers who've been involved in this process, I'd like to recognize Jennifer Kolde, Mike Lyman, and Jason Chan for their efforts and input. The reviews from these three individuals provided valuable constructive criticism regarding the content and structure of the book. I can't say that I followed all the advice they provided, but I did read and consider everything they said thoroughly. With their help and insight, I didn't feel as if I were working on this book alone. Thanks, guys, for your time and effort. And Jen, thanks for indulging me all those times I'd email you with thoughts about your comments. Those exchanges gave me even more insight into the content of the book, as well as the subject of incident response on Windows systems, in general.

Finally, and most importantly, I'd like to thank Terri Dougherty. I've written a book, and yet I can't seem to find the words to express my gratitude for your support throughout this process. Thank you. I owe you a debt that I will be repaying for a long time.


© Copyright Pearson Education. All rights reserved.




Product Details

  • Paperback: 480 pages
  • Publisher: Addison-Wesley Professional (July 31, 2004)
  • Language: English
  • ISBN-10: 0321200985
  • ISBN-13: 978-0321200983
  • Product Dimensions: 9.1 x 6.9 x 1 inches
  • Shipping Weight: 1.6 pounds
  • Average Customer Review: 4.3 out of 5 stars (7 customer reviews)
  • Amazon.com Sales Rank: #455,808 in Books

    Popular in these categories:

    #44 in  Books > Computers & Internet > Security & Encryption > Forensics
    #56 in  Books > Computers & Internet > Security & Encryption > Windows Security



Customer Reviews

7 reviews: 5 star (4), 4 star (2), 3 star (0), 2 star (1), 1 star (0)
Average Customer Review: 4.3 out of 5 stars (7 customer reviews)

Most Helpful Customer Reviews

11 of 11 people found the following review helpful:
5.0 out of 5 stars An Excellent and Informative Book, September 25, 2004
I am a nuts and bolts kind of guy and this book suits me to a tee. Harlan covers the topics thoroughly and has added to my knowledge of forensic methodology and shown me new techniques to discover information in the many recent versions of the Windows operating system. He has done his homework, mixed it up with lots of coding examples, and even added some dream weaving to illustrate his points.

He lays the groundwork in chapters one, two, and three so that anyone reading the book will be sure to understand his purpose and see the framework that will be used for a methodology for Windows incident response.

Chapters four and five cover incident response. Among the preventative tools mentioned are group policies and configuration options that can be used on a Windows system so it can be configured to effectively take advantage of native security features. One of the topics in this chapter is using and extending Windows File Protection (WFP). A useful suggestion found here is the extension of WFP to protect static pages located on the root of a web site - especially since there are web site defacements occurring all the time. In Chapter five he covers the collection of volatile and non-volatile information. Although there are many tools out there for collection of this information, many well known to forensic examiners, Harlan progresses in a logical sequence and enumerates the pros and cons of each in a very understandable way. There are many examples of command lines, screen shots, and Perl scripts to explain the concepts. In chapter 5 there are 47 web links that can be used to research the tools mentioned.

I had never imagined a dream sequence in a book about computer forensics - but there it was in chapter six. We follow in the footsteps of Andy, a network administrator unlucky enough to be the victim of a network incident. Andy develops a methodology to prepare for, contain, and analyze network incidents. We can see the consequences of being unprepared and then follow Andy through the development of this methodology. In hindsight, this was a good teaching tool based on experience and it brings the reader through a logical set of steps so they can start to think about developing their own methodology.

Chapter seven covers what to look for when doing incident investigation. Windows, an operating system where most people use the graphical user interface (GUI), hides many of its internals from the user. This chapter covers the functions of these internals, and locations of data and tools that can be used to discover it. There also is a look at the AFT Windows Rootkit 2003. This rootkit hides itself from the casual investigator. Using the proper tools, this rootkit can be discovered.

Harlan's Forensic Server Project (FSP) is discussed in chapter eight. This project takes the elements discussed earlier in the book and brings them together so that an investigator can adapt and customize to fit the needs of their own investigation. The FSP is not an end to itself, but rather furthers forensic techniques and knowledge with the use of open-source tools and a structured methodology. An additional chapter covers scanners and sniffers that can be used for network forensic investigations.

The investigator will find over 200 links to Internet sites for further exploration. It is a good solid start to an ongoing and exciting project that will evolve and grow now that the solid foundation has been published.

Windows is a complex operating system and the fact that it is used in the majority of computers in the world makes it a tempting target. In the future I would expect that the chapter on rootkits would be expanded. There are several varieties of rootkits in the wild and the forensic community will value any light that can be shown on their operation and malicious functions.

Harlan Carvey's book is a valuable addition to my bookshelf.



 
10 of 11 people found the following review helpful:
5.0 out of 5 stars Invaluable Resource For Any Windows Admin, February 13, 2005
About a year ago I was investigating a system to try and determine if it was attacked, as well as when and how if it had been. I wrote for help to a list that I am on and Harlan Carvey responded with detailed and useful information that helped me out.

I asked Carvey at the time if there were a book I could get that would help me learn that stuff and he told me that he didn't want to be cocky per se, but that there really wasn't and that I would have to wait until his book came out. Now that I have it I think I would have to agree.

There are plenty of great books on computer forensics available, but none that go into the depth that Carvey does on the Windows operating system itself. The information he provides regarding how and where Windows hides information is invaluable for finding and recovering from an attack.

Carvey makes extensive use of Perl, rather than using the native Windows Scripting Host (WSH), and he explains that Perl is vastly more flexible and powerful than what Windows has to offer. He provides details for how to install it and the scripts from the book are on the accompanying CD.

I highly recommend this book for ALL Windows system administrators and anyone who investigates incidents on Windows systems.

(...)



 
7 of 7 people found the following review helpful:
5.0 out of 5 stars Invaluable Reference for Today's Windows Admins, September 22, 2004
By Mark A. Mckinnon (Jenison, Michigan USA)
I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring. This is the first computer book that I have read cover to cover in well over 5 years and I have bought a lot of computer books. From the beginning until the end you are bombarded with information that is useful and relevant to today's Windows management. Not only are you told about different tools but are shown how they are used and what benefit they have, not only in incident response but also in daily monitoring.

This book provides so much information it is hard to figure where I wanted to start with building my own incident response toolkit. You are given quite a few options on how to do an analysis and what tools you can use. Carvey leaves it up to you to determine what options you want to use for each analysis. Carvey is like a good parent giving their child all the information they will need in life and letting them apply it how they see fit.

The scripts that are provided with the book are excellent and provide you with a strong base to build your own incident response toolkit. The Forensic Server Project which the author wrote is covered in Chapter 8 and provides an excellent framework that can be tweaked to use your own preferences and scripts of your choosing. The ease of using this framework to collect incident information will make the first responder's job that much easier considering the first responder will probably be under stress when doing this analysis. The instructions for installing it were very clear and easy to follow and I had it up and testing in a couple of minutes.

I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring.
Most Recent Customer Reviews

2.0 out of 5 stars Overrated.
I'm surprised to see the rate of this book so high. I was expecting it to be much better and more updated.
Published 19 months ago by NIKOLAOS Krassas

5.0 out of 5 stars Tools for the Microsoft Administrator
Windows Forensics and Incident Recovery is an invaluable resource for a Windows Administrator. The author points out correctly that an investigation into anomalous computer...
Published on September 15, 2004 by J. Hinckley

4.0 out of 5 stars Very Informative Read
I see three types of people reading this book: 1) People who make a living in network security, 2) Advanced users who *really* want to know areas where hackers can get in, and 3)...
Published on September 15, 2004 by Jase T. Wolfe

4.0 out of 5 stars Distinctive case studies
Perhaps an overdue book! Inasmuch as satisfying an unmet need goes. Carvey writes this book as a counterpart to those about defending a linux/unix system or network against...
Published on August 8, 2004 by W Boudville

© 1996-2009, Amazon.com, Inc. or its affiliates