Book Review: Mastering Windows Network Forensics & Investigations

Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources.  The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics.  I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly.  That said, the topics covered do not fit within the classical definition of network forensics.  A more apt title might be Mastering Incident Response Forensics and Investigations.

This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing.  The authors blended dense material with relevant examples and insightful and engaging text boxes.  Some of my favorite “side” topics were:

  • “Cross-platform Forensic Artifacts”
  • “Registry Research”, illustrating the use of Procmon for application footprinting
  • “Time is of the Essence”, explaining fast forensics using event logs and the registry

The book begins with four chapters familiarizing the reader with Windows networking.  While this may slow down those hungry for forensics topics, they are replete with information.  Windows domains, hacking methodology, and Windows credentials are all described in these early chapters.  Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise.  While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks.  It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts.

My only real complaint is the book tackles a very expansive subject and tries to do it all.  For instance, memory analysis easily deserves its own chapter, but it is lumped together with live response.  In other cases, such as log review and registry analysis, an appropriate number of pages were allotted to give the topics fair coverage.  The event log coverage was excellent; a difficult and prosaic topic was explained in simple terms and with just the right amount of depth.  I enjoyed the coverage of event log internals and Steve Bunting’s contributions were evident in the section on repairing corrupted logs.  One of my favorite sections included the recovery of event log fragments from free space.  This is a critical skill with no “easy button”.  Recovery of both .Evt and .Evtx files was demonstrated, with the .Evtx information representing the state of the art for a difficult problem.
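The passage above singles out carving event log fragments out of free space as a skill with no easy button.  As an added illustration (this is not code from the book or its authors), the following Python carver shows what that work looks like for .evtx: scan a raw image for the 8-byte chunk magic at any byte offset, recompute the two CRC32 checksums the 128-byte chunk header carries, and walk the records inside a hit, so that an intact chunk, a damaged one, and a bare false-positive signature are reported differently.  The header offsets used are those of the documented EVTX chunk layout; the "disk image", the record payloads (placeholders in place of real binary XML) and the record ids are constructed inside the script.

```python
"""Carve EVTX chunks from unallocated space by signature, then validate them.

Added example, not code from the book under review. Format facts relied on: an
.evtx file is a 4 KiB file header followed by 64 KiB chunks; each chunk opens
with b"ElfChnk\\x00" and a 128-byte header holding, among other fields, the
free-space offset (0x30), a CRC32 over the records area (0x34) and a CRC32 over
the header itself (0x7C). Records open with b"\\x2a\\x2a\\x00\\x00" and store
their size twice, once after the magic and once as the last 4 bytes. The sample
image and record payloads below are constructed; real payloads are binary XML.
"""
import random
import struct
import zlib
from datetime import datetime, timedelta, timezone

CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
CHUNK_SIZE = 0x10000     # 64 KiB per chunk
HEADER_SIZE = 0x80       # bytes 0x80..0x200 hold string/template tables (zeroed in the sample)
RECORDS_START = 0x200    # first event record sits here
RECORD_HEADER = 24       # magic(4) + size(4) + record id(8) + written FILETIME(8)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FT_2012_06_15 = 129841920000000000   # FILETIME for 2012-06-15T00:00:00Z (constructed sample time)


def header_crc(chunk: bytes) -> int:
    """CRC32 stored at 0x7C: covers header bytes 0..120 plus the 0x80..0x200 tables."""
    return zlib.crc32(chunk[:0x78] + chunk[HEADER_SIZE:RECORDS_START])


def records_crc(chunk: bytes) -> int:
    """CRC32 stored at 0x34: covers the records area from 0x200 up to the free-space offset."""
    free_off = struct.unpack_from("<I", chunk, 0x30)[0]
    return zlib.crc32(chunk[RECORDS_START:free_off])


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def walk_records(chunk: bytes) -> list:
    """Walk records forward from 0x200; stop at the first one that fails its own sanity checks."""
    free_off = struct.unpack_from("<I", chunk, 0x30)[0]
    records, off = [], RECORDS_START
    while off + RECORD_HEADER + 4 <= free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < RECORD_HEADER + 4 or off + size > free_off:
            break
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break   # trailing size copy disagrees: truncated or overwritten record
        records.append((rec_id, written, chunk[off + RECORD_HEADER:off + size - 4]))
        off += size
    return records


def inspect_chunk(offset: int, chunk: bytes) -> dict:
    """Validate one 64 KiB candidate and summarize what a carver should report about it."""
    free_off, stored_rec_crc = struct.unpack_from("<II", chunk, 0x30)
    stored_hdr_crc = struct.unpack_from("<I", chunk, 0x7C)[0]
    first_id, last_id = struct.unpack_from("<QQ", chunk, 0x18)
    layout_ok = RECORDS_START <= free_off <= CHUNK_SIZE
    records = walk_records(chunk) if layout_ok else []
    return {"offset": offset, "first_id": first_id, "last_id": last_id, "records": records,
            "record_count": len(records),
            "header_ok": stored_hdr_crc == header_crc(chunk),
            "records_ok": layout_ok and stored_rec_crc == records_crc(chunk)}


def carve_chunks(image: bytes) -> list:
    """Find the chunk magic at any byte offset: fragments in free space need not be cluster aligned."""
    hits, pos = [], image.find(CHUNK_MAGIC)
    while pos != -1:
        chunk = image[pos:pos + CHUNK_SIZE]
        if len(chunk) == CHUNK_SIZE:
            hits.append(inspect_chunk(pos, chunk))
        pos = image.find(CHUNK_MAGIC, pos + 1)
    return hits


def build_record(rec_id: int, written: int, payload: bytes) -> bytes:
    size = RECORD_HEADER + len(payload) + 4
    return RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, written) + payload + struct.pack("<I", size)


def build_chunk(records: list, first_id: int) -> bytes:
    body = b"".join(records)
    free_off = RECORDS_START + len(body)
    last_id = first_id + len(records) - 1
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQ", chunk, 0x08, first_id, last_id, first_id, last_id)  # record numbers, identifiers
    struct.pack_into("<III", chunk, 0x28, HEADER_SIZE, free_off - len(records[-1]), free_off)
    chunk[RECORDS_START:free_off] = body
    struct.pack_into("<I", chunk, 0x34, records_crc(bytes(chunk)))  # records CRC first: it lies inside the header CRC
    struct.pack_into("<I", chunk, 0x7C, header_crc(bytes(chunk)))
    return bytes(chunk)


def build_sample_image() -> bytes:
    """Constructed 'free space': random filler, a decoy magic, one intact chunk, one damaged copy."""
    rng = random.Random(2012)
    recs = [build_record(1000 + i, FT_2012_06_15 + i * 10_000_000, b"<Event>%d</Event>" % i) for i in range(3)]
    good = build_chunk(recs, 1000)
    bad = bytearray(good)
    bad[RECORDS_START + 30] ^= 0xFF        # one payload byte flipped: header CRC still holds, records CRC does not
    filler = bytearray(rng.randbytes(0x1234))
    filler[0x100:0x108] = CHUNK_MAGIC      # decoy: the magic with random bytes behind it
    return bytes(filler) + good + rng.randbytes(0x400) + bytes(bad) + rng.randbytes(0x800)


if __name__ == "__main__":
    for hit in carve_chunks(build_sample_image()):
        status = ("intact" if hit["header_ok"] and hit["records_ok"]
                  else "header ok, records damaged" if hit["header_ok"] else "false positive")
        print(f"0x{hit['offset']:08x}: {status}, {hit['record_count']} records, ids {hit['first_id']}-{hit['last_id']}")
        for rec_id, written, _ in hit["records"]:
            print(f"    record {rec_id} written {filetime_to_datetime(written).isoformat()}")
```

The two checksums are the point: a bare signature hit in random data is reported as a false positive, a chunk whose header verifies but whose records CRC fails is still walked (its record count and ids are recoverable) but flagged as damaged, and only a chunk passing both is reported intact.  Against a real image the same loop would be fed unallocated clusters exported from the file system rather than the constructed buffer.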


Both free and commercial tools were discussed throughout the book, including those from Splunk, Sysinternals, Guidance Software and AccessData.  A pleasant surprise was “Appendix B: Test Environments”, which included a complete listing of tools discussed and a section-by-section overview of system setup requirements to follow along with major examples in the book.

Even with brief coverage of some topics, there was still enough meat in most chapters to benefit nearly any forensic investigator.  The chapters on the Windows registry were excellent and had space for rarely talked about advanced concepts like volatile hives, registry redirection and reflection, and registry virtualization.  The investigative uses of XP Restore Points and Windows 7 Shadow Volumes tied in nicely with other topics.  I also give kudos to the authors for the best overview of Windows auto-run locations I have seen in print.

The new chapter on virtualization and cloud forensics is a good addition.  While I would have liked to see several chapters (or an entire book) on the topic, I was pleased to see the information went beyond the typical cloud-based storage artifacts that often substitute for a real discussion of the inherent challenges.  Live response and data acquisition in virtualized environments like VMware ESX was covered, and an intelligent discussion on how to prepare for collecting cloud data was started.

In this second edition (released in June 2012), it is obvious the authors took pains to include the most current information available.  Windows 7, Server 2008 R2, and their associated artifacts are discussed extensively.  Guidance Software’s EnCase v7 and Volatility 2.0 are both introduced.  There are even references to computer crime cases occurring in 2012.

Overall, I found the book to be a good read with few problems.  It provides an excellent introduction to a broad field.  I plan to recommend it to my digital forensics students.

Chad is currently an independent consultant and member of the SANS Institute forensic faculty where he co-authored the FOR408: Windows Forensics and FOR508: Advanced Forensics and Incident Response courses. You can find Chad at http://forensicmethods.com or on Twitter @chadtilbury.
