Chapter 7: Forensic Analysis

The previous chapters detailed the basics of the Windows environment that are relevant to a forensic investigation. Effective computer investigators put together that knowledge with recognized forensic techniques; that is one of the things that separates a computer investigator from an MCSE or other Windows professional. The following chapters use the building blocks of knowledge provided in the previous chapters and apply them to actual forensic activities.

Tip 

The Microsoft Certified Software Engineer (MCSE), specifically the MCSE: Security Certification, is an excellent baseline to start from when learning Windows forensics. MCSE courses are widely available and are a recommended addition to any security certifications held by a computer investigator focusing on Windows.

The techniques used in a computer investigation can be broken down into several categories:

  • Live system analysis. These techniques are used before shutting down and imaging a system and can provide information on running programs, currently logged-in users, and other activities that may be lost in an off-line analysis.

  • Forensic duplication. Creating forensically sound images of content on a Windows system presents a host of challenges. Techniques for imaging content are varied and provide the basis for further analysis.

  • File systems analysis. Most forensic analysis involves looking at the file system: finding files, recovering files, providing details on file creation, ownership, and modification, and so on. Learning these techniques will provide the most frequently used tools in the computer investigator's arsenal.

  • Internet analysis. Almost all Windows investigations today involve the analysis of Internet activity to some degree. Looking at peer-to-peer, web browsing, and instant messaging usage can provide a detailed record of past Internet activity.

  • Email forensics. The identification and recovery of emails gives the computer investigator records of communication between the suspect and his associates. Microsoft Outlook, Outlook Express, and Lotus Notes are the most common Windows-based email applications encountered in investigations.

  • Log file analysis. Analyzing individual log files for data that was recorded on system, application, or user activity is important for both client and server analyses. Records of past actions can be found using Event Viewer, Microsoft's event log analysis application, as well as through the inspection of server logs.

  • Network monitoring. Although detailed network forensics is beyond the scope of this book, some knowledge of monitoring on Windows systems is useful to a forensic examiner. Effectively using network sniffing tools is a stealthy way to obtain evidence in real-time.
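The first and sixth categories above (live system analysis and log file analysis) are the ones an examiner typically performs on a still-running machine, in order of volatility and with a record of what was collected. The following PowerShell script is an added example for this chapter, not code from the book or its author: it captures network connections, running processes, logged-on sessions and recent Security log logon events to examiner-controlled media, writes collection metadata, and produces a SHA-256 manifest that can be re-verified later. The output path, the event-count default and the choice of Security event IDs (4624, 4625, 4634) are assumptions made for the example.

```powershell
# Added example (not from the book): minimal live-system triage in PowerShell.
# Volatile data is collected first, then recent event log entries; every
# artifact is hashed so the collection can be verified at analysis time.

function Invoke-LiveTriage {
    [CmdletBinding()]
    param(
        # Root of the collection output. Point this at examiner-controlled
        # media (for example a removable drive), never at the suspect's volume.
        [Parameter(Mandatory)] [string] $OutputRoot,
        # Number of recent Security events to capture (assumed default).
        [int] $MaxEvents = 500
    )

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outDir = Join-Path $OutputRoot ("triage-{0}-{1}" -f $env:COMPUTERNAME, $stamp)
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    # Case notes: who ran the collection, on which host, and when (local and UTC).
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Examiner     = "$env:USERDOMAIN\$env:USERNAME"
        StartedLocal = (Get-Date).ToString('o')
        StartedUtc   = (Get-Date).ToUniversalTime().ToString('o')
        OSVersion    = [System.Environment]::OSVersion.VersionString
    } | ConvertTo-Json | Set-Content -Path (Join-Path $outDir 'collection-info.json')

    # 1. Most volatile first: TCP connections with the owning process ID.
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv -Path (Join-Path $outDir 'net-tcp.csv') -NoTypeInformation

    # 2. Running programs, including image path and start time.
    Get-Process |
        Select-Object Id, ProcessName, Path, StartTime, SessionId |
        Export-Csv -Path (Join-Path $outDir 'processes.csv') -NoTypeInformation

    # 3. Interactive sessions currently logged in (quser is the built-in tool).
    quser 2>$null | Set-Content -Path (Join-Path $outDir 'logged-on-users.txt')

    # 4. Recent logon/logoff activity from the Security log (IDs 4624/4625/4634).
    #    Reading the Security log needs an elevated session; a failure is
    #    recorded in the collection rather than aborting it.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4634 } `
                     -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, MachineName, Message |
            Export-Csv -Path (Join-Path $outDir 'security-logons.csv') -NoTypeInformation
    } catch {
        "Security log not collected: $($_.Exception.Message)" |
            Set-Content -Path (Join-Path $outDir 'security-logons.error.txt')
    }

    # 5. Hash every artifact into a manifest (hash, two spaces, file name).
    Get-ChildItem -Path $outDir -File |
        Where-Object Name -ne 'manifest.sha256' |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { "{0}  {1}" -f $_.Hash, (Split-Path $_.Path -Leaf) } |
        Set-Content -Path (Join-Path $outDir 'manifest.sha256')

    return $outDir
}

function Test-TriageManifest {
    # Recomputes each hash in manifest.sha256; returns $true only if all match.
    param([Parameter(Mandatory)] [string] $TriageDir)
    $ok = $true
    foreach ($line in Get-Content (Join-Path $TriageDir 'manifest.sha256')) {
        $expected, $name = $line -split '\s+', 2
        $actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $TriageDir $name)).Hash
        if ($actual -ne $expected) {
            Write-Warning "Hash mismatch: $name"
            $ok = $false
        }
    }
    return $ok
}

# Usage (from an elevated prompt; 'E:\cases\case-0001' is an assumed path):
#   $dir = Invoke-LiveTriage -OutputRoot 'E:\cases\case-0001'
#   Test-TriageManifest -TriageDir $dir
```

Two points of design worth noting. The collection is ordered from most to least volatile (connections, processes, sessions, then logs) because each step disturbs the system slightly and the earlier items change fastest. Get-NetTCPConnection and Get-WinEvent are only available on Windows 8 / Server 2012 and later with a current PowerShell; on older systems of the kind this book was written against, the same data would come from netstat, tasklist and the exported event logs, with the same manifest step applied to those files.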

With a detailed understanding of the basic Windows forensic techniques, the computer investigator is equipped to handle a broad range of situations. Almost any computer investigation can be undertaken, from finding evidence of email fraud to showing inappropriate usage, by putting the same techniques to use in a logical manner.



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Author: Chad Steel
