Windows Forensics and Incident Recovery
If you're responsible for protecting Windows systems, firewalls and anti-virus aren't enough. You also need to master incident response, recovery, and auditing. Leading Windows security expert and instructor Harlan Carvey offers a start-to-finish guide to everything administrators must know to recognize and respond to virtually any attack.
Drawing on his widely acclaimed course, Carvey uses real-world examples to cover every significant incident response, recovery, and forensics technique. He delivers a complete toolset that combines today's best open source and freeware tools, his own exclusive software and scripts, and step-by-step instructions for using them. This book's tools and techniques apply to every current version of Windows: NT, 2000, XP, and Windows Server 2003.
Coverage includes:
- Developing a practical methodology for responding to potential attacks
- Preparing your systems to prevent and detect incidents
- Recognizing the signatures of an attack—in time to act
- Uncovering attacks that evade detection by Event Viewer, Task Manager, and other Windows GUI tools
- Using the Forensic Server Project to automate data collection during live investigations
- Analyzing live forensics data in order to determine what occurred
Review By: Stephen Long
07/08/2010
"Windows Forensics and Incident Recovery" by Harlan Carvey presents a good discussion about Microsoft Windows security that technically explains details about the program's vulnerabilities, how attacks (incidents) are conducted, preparing for and responding to incidents, and developing a methodology for investigating incidents. The author provides lots of Perl scripts for collecting and analyzing volatile (active users, processes, memory utilization, network connections, clipboard contents, etc.) and non-volatile (Windows registry contents, file MAC times, scheduled tasks, user data, event logs, etc.) system information.
One chapter is set up like a series of dreams in which the system administrator works through a string of incidents, each time improving his skills as he uses more of the tools presented in the book. Although the author mentions commercially available tools, he concentrates on free tools and scripts that work in an ActiveState Perl environment.
The author combines all the tools he discusses into his Forensic Server Project, which is available on an enclosed CD. The set of scripts on the CD uses two PCs: one is the home (clean) machine that takes the captured data from the compromised system through a listener software network connection. This ensures the investigation does not corrupt (overwrite) anything on the compromised system.
The final chapter provides a good overview of using port scanners and network sniffers. Again, all the tools the author discusses are freeware; he also provides links to the sites from which one can download them. Instructions for installing ActiveState Perl on Windows are provided, including all the modules required by his scripts - some require more than just running ppm.
There is a lot of useful information in this book, but it reads like a series of articles pasted together. I would have organized the book differently, such as putting the methodology chapter before the discussion of the tools (i.e. putting the motivation before the technical application details).
The layout is clean and the information jumps off the page. However, there are a few minor typos in the web links and some of the Perl scripts. It could be that the author did not run Perl with the "-w" switch since many of the scripts generated warnings.
I learned a lot from the scripts included on the CD. I think the author should have provided instructions on how to install all the required Win32 modules in a Unix or Cygwin environment since the Forensic Server Module might find these environments to be a safer listener platform.
This book helps one understand basic computer security attacks. I recommend it for system and security administrators as well as knowledgeable home users.
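The two-host collection model that both the blurb (the Forensic Server Project) and the review describe is worth seeing in working code: the suspect host runs its volatile-data tools and pushes their output over a TCP connection to a listener on a clean machine, which stores and hashes each artifact, so the investigation writes nothing to the suspect's disk. The example below is an added illustration written for this page; it is not Carvey's Perl code and not the Forensic Server Project's wire format. The length-prefixed record framing, the tool names and the command outputs are all assumptions constructed here, and the sender and listener run on loopback so it works offline.

```python
"""Live-response collection over a network socket (added example, not the book's code).

Suspect-host side: run volatile-data tools and stream their output to a listener.
Clean-host side: receive each artifact, record its size and SHA-256, keep it off the
suspect's disk. Framing (hypothetical, not the Forensic Server Project's):
    2-byte tool-name length | tool name | 4-byte data length | data   (big-endian)
"""
import hashlib
import json
import socket
import struct
import threading

# Constructed sample output standing in for volatile-data tools run on the suspect host
# (a real collector would execute the tools from trusted media and read their stdout).
SAMPLE_VOLATILE = {
    "tasklist": "Image Name    PID\nlsass.exe     624\nsvchost.exe   1040\n",
    "netstat-ano": "TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 856\n",
}


def pack_record(tool_name: str, data: bytes) -> bytes:
    """Frame one artifact as name-length, name, data-length, data."""
    name = tool_name.encode()
    return struct.pack("!H", len(name)) + name + struct.pack("!I", len(data)) + data


def recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver a record in several chunks."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return buf


def read_record(conn: socket.socket):
    """Inverse of pack_record. Returns (name, data), or None on a clean EOF."""
    hdr = conn.recv(2)
    if not hdr:
        return None
    if len(hdr) < 2:
        hdr += recv_exact(conn, 2 - len(hdr))
    (name_len,) = struct.unpack("!H", hdr)
    name = recv_exact(conn, name_len).decode()
    (data_len,) = struct.unpack("!I", recv_exact(conn, 4))
    return name, recv_exact(conn, data_len)


def run_listener(server: socket.socket, case_log: dict) -> None:
    """Clean-host side: accept one collector and store every artifact with its hash."""
    conn, _ = server.accept()
    with conn:
        while True:
            rec = read_record(conn)
            if rec is None:
                break
            name, data = rec
            case_log[name] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "data": data.decode(errors="replace"),
            }


def send_collection(host: str, port: int, outputs: dict) -> None:
    """Suspect-host side: stream each tool's output; nothing is written locally."""
    with socket.create_connection((host, port)) as conn:
        for name, text in outputs.items():
            conn.sendall(pack_record(name, text.encode()))


def verify_case_log(case_log: dict, outputs: dict) -> bool:
    """Integrity check the analyst can rerun later: every stored hash matches its data."""
    if set(case_log) != set(outputs):
        return False
    for name, text in outputs.items():
        entry = case_log[name]
        if entry["data"] != text or entry["size"] != len(text.encode()):
            return False
        if entry["sha256"] != hashlib.sha256(text.encode()).hexdigest():
            return False
    return True


def collect_over_loopback(outputs: dict = SAMPLE_VOLATILE) -> dict:
    """Run listener and sender on 127.0.0.1 and return the listener's case log."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))  # ephemeral port; in practice the clean host's IP
    server.listen(1)
    port = server.getsockname()[1]
    case_log: dict = {}
    worker = threading.Thread(target=run_listener, args=(server, case_log))
    worker.start()
    send_collection("127.0.0.1", port, outputs)
    worker.join()
    server.close()
    return case_log


if __name__ == "__main__":
    print(json.dumps(collect_over_loopback(), indent=2))
```

Hashing on the listener rather than on the suspect host is deliberate: the suspect machine cannot be trusted to compute or keep its own integrity values, whereas the clean host's record can be checked again at any later point in the investigation.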