List of Figures

Chapter 3: Windows Forensics Basics

Figure 3-1: Windows client operating system usage
Figure 3-2: Disk platter layout
Figure 3-3: Hard Disk Sector Layout

Chapter 4: Partitions and File Systems

Figure 4-1: Hard disk master boot record
Figure 4-2: FAT partition layout
Figure 4-3: Drive fragmentation
Figure 4-4: MFT standard information for pagefile.sys
Figure 4-5: Compressed and uncompressed file comparison
Figure 4-6: Microsoft Certificates storage location

Chapter 6: The Registry

Figure 6-1: Windows Registry Editor
Figure 6-2: Registry activity viewed with Regmon
Figure 6-3: Windows Secret Explorer decryption
Figure 6-4: RegShot registry snapshot tool
Figure 6-5: Regmon dynamic analysis

Chapter 8: Live System Analysis

Figure 8-1: Computer Management console
Figure 8-2: Device Manager
Figure 8-3: Indexing Service query results
Figure 8-4: Port scan results
Figure 8-5: Windows Enumeration results
Figure 8-6: Spector Pro keystroke capture
Figure 8-7: Win ARP spoof software
Figure 8-8: FTP packet capture
Figure 8-9: Clipboard contents
Figure 8-10: PuTTY connection to NetCat

Chapter 9: Forensic Duplication

Figure 9-1: Duplication timeframes for 100GB of data

Chapter 10: File System Analysis

Figure 10-1: Google Desktop search results
Figure 10-2: dtSearch output
Figure 10-3: WinHex search for GIF87
Figure 10-4: EnCase Enterprise searching
Figure 10-5: Initial FAT values
Figure 10-6: First data cluster initial values
Figure 10-7: Additional FAT entry for used cluster
Figure 10-8: File name directory entry
Figure 10-9: File contents
Figure 10-10: FAT cluster map after deletion
Figure 10-11: Directory entry after deletion
Figure 10-12: File data after deletion
Figure 10-13: File MFT directory entry
Figure 10-14: File data
Figure 10-15: MFT entry after deletion
Figure 10-16: File $DATA attribute location after deletion
Figure 10-17: FreeUndelete recovery of test.txt
Figure 10-18: Start of the spool file
Figure 10-19: User name in the print file
Figure 10-20: Reconstructed printer file
Figure 10-21: Google Search LNK file properties

Chapter 11: Log File Analysis

Figure 11-1: Virus infection details
Figure 11-2: Sample application log filtering
Figure 11-3: Printing event
Figure 11-4: Browser report showing a Nessus scan

Chapter 12: Internet Usage Analysis

Figure 12-1: Favorites folder contents
Figure 12-2: Properties of a favorite link
Figure 12-3: Malicious Hosts file entry
Figure 12-4: NetAnalysis output
Figure 12-5: Pasco output
Figure 12-6: WinHex view of URL records
Figure 12-7: The http://www.bookmarks.html file viewed as a web page
Figure 12-8: http://www.bookmarks.html in Bookmark Manager
Figure 12-9: The history.dat file viewed with NetAnalysis
Figure 12-10: Firefox disk cache
Figure 12-11: Cookie contents

Chapter 13: Email Investigations

Figure 13-1: Outlook Express Inbox
Figure 13-2: OE Viewer contents of a folder called Test
Figure 13-3: Actual message source
Figure 13-4: Find Message searching in Outlook Express
Figure 13-5: Windows Address Book in Outlook Express
Figure 13-6: Recovered Windows Address Book
Figure 13-7: Outlook Journal features
Figure 13-8: Outlook search for messages to smith@foo.com
Figure 13-9: Notes Access Control List
Figure 13-10: Notes message search
Figure 13-11: Lotus Notes address book


Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel
