Mastering Windows Network Forensics and Investigation.
Title:
Mastering Windows Network Forensics and Investigation.
Author:
Anson, Steven.
ISBN:
9781118226148
Edition:
2nd ed.
Physical Description:
1 online resource (698 pages)
Contents:
Introduction
Part 1: Understanding and Exploiting Windows Networks
Chapter 1: Network Investigation Overview -- Performing the Initial Vetting -- Meeting with the Victim Organization -- Collecting the Evidence -- Analyzing the Evidence -- Analyzing the Suspect's Computers -- Recognizing the Investigative Challenges of Microsoft Networks -- The Bottom Line
Chapter 2: The Microsoft Network Structure -- Connecting Computers -- Windows Domains -- Users and Groups -- Permissions -- Example Hack -- The Bottom Line
Chapter 3: Beyond the Windows GUI -- Understanding Programs, Processes, and Threads -- Redirecting Process Flow -- Maintaining Order Using Privilege Modes -- Using Rootkits -- The Bottom Line
Chapter 4: Windows Password Issues -- Understanding Windows Password Storage -- Cracking Windows Passwords Stored on Running Systems -- Exploring Windows Authentication Mechanisms -- Sniffing and Cracking Windows Authentication Exchanges -- Cracking Offline Passwords -- The Bottom Line
Chapter 5: Windows Ports and Services -- Understanding Ports -- Using Ports as Evidence -- Understanding Windows Services -- The Bottom Line
Part 2: Analyzing the Computer
Chapter 6: Live-Analysis Techniques -- Finding Evidence in Memory -- Creating a Windows Live-Analysis Toolkit -- Monitoring Communication with the Victim Box -- Scanning the Victim System -- The Bottom Line
Chapter 7: Windows Filesystems -- Filesystems vs. Operating Systems -- Understanding FAT Filesystems -- Understanding NTFS Filesystems -- Dealing with Alternate Data Streams -- The exFAT Filesystem -- The Bottom Line
Chapter 8: The Registry Structure -- Understanding Registry Concepts -- Performing Registry Research -- Viewing the Registry with Forensic Tools -- Using EnCase to View the Registry -- Using AccessData's Registry Viewer -- Other Tools -- The Bottom Line
Chapter 9: Registry Evidence -- Finding Information in the Software Key -- Exploring Windows Security, Action Center, and Firewall Settings -- Analyzing Restore Point Registry Settings -- Windows XP Restore Point Content -- Analyzing Volume Shadow Copies for Registry Settings -- Exploring Security Identifiers -- Investigating User Activity -- Extracting LSA Secrets -- Discovering IP Addresses -- Compensating for Time Zone Offsets -- Determining the Startup Locations -- The Bottom Line
Chapter 10: Introduction to Malware -- Understanding the Purpose of Malware Analysis -- Malware Analysis Tools and Techniques -- The Bottom Line
Part 3: Analyzing the Logs
Chapter 11: Text-Based Logs -- Parsing IIS Logs -- Parsing FTP Logs -- Parsing DHCP Server Logs -- Parsing Windows Firewall Logs -- Using Splunk -- The Bottom Line
Chapter 12: Windows Event Logs -- Understanding the Event Logs -- Using Event Viewer -- Searching with Event Viewer -- The Bottom Line
Chapter 13: Logon and Account Logon Events -- Begin at the Beginning -- The Bottom Line
Chapter 14: Other Audit Events -- The Exploitation of a Network -- Examining System Log Entries -- Examining Application Log Entries -- Evaluating Account Management Events -- Interpreting File and Other Object Access Events -- Examining Audit Policy Change Events -- The Bottom Line
Chapter 15: Forensic Analysis of Event Logs -- Windows Event Log Files Internals -- Repairing Windows XP/2003 Corrupted Event Log Databases -- Finding and Recovering Event Logs from Free Space -- The Bottom Line
Part 4: Results, the Cloud, and Virtualization
Chapter 16: Presenting the Results -- Report Basics -- Creating a Narrative Report with Hyperlinks -- The Electronic Report Files -- Creating Timelines -- Testifying about Technical Matters -- The Bottom Line
Chapter 17: The Challenges of Cloud Computing and Virtualization -- What Is Virtualization? -- The Hypervisor -- Preparing for Incident Response in Virtual Space -- Forensic Analysis Techniques -- Cloud Computing -- The Bottom Line
Part 5: Appendices
Appendix A: The Bottom Line -- Chapter 1: Network Investigation Overview -- Chapter 2: The Microsoft Network Structure -- Chapter 3: Beyond the Windows GUI -- Chapter 4: Windows Password Issues -- Chapter 5: Windows Ports and Services -- Chapter 6: Live-Analysis Techniques -- Chapter 7: Windows Filesystems -- Chapter 8: The Registry Structure -- Chapter 9: Registry Evidence -- Chapter 10: Introduction to Malware -- Chapter 11: Text-based Logs -- Chapter 12: Windows Event Logs -- Chapter 13: Logon and Account Logon Events -- Chapter 14: Other Audit Events -- Chapter 15: Forensic Analysis of Event Logs -- Chapter 16: Presenting the Results -- Chapter 17: The Challenges of Cloud Computing and Virtualization
Appendix B: Test Environments -- Software -- Hardware -- Setting Up Test Environments in Training Laboratories
Index
Abstract:
An authoritative guide to investigating high-technology crimes. Internet crime is seemingly ever on the rise, making the need for a comprehensive resource on how to investigate these crimes even more pressing. This professional-level book, aimed at law enforcement personnel, prosecutors, and corporate investigators, provides you with the training you need to acquire the sophisticated skills and software solutions to stay one step ahead of computer criminals. It specifies the techniques needed to investigate, analyze, and document a criminal act on a Windows computer or network; places a special emphasis on how to thoroughly investigate criminal activity, not just perform the initial response; walks you through ways to present technically complicated material in simple terms that will hold up in court; features content fully updated for Windows Server 2008 R2 and Windows 7; and covers the emerging field of Windows Mobile forensics. A classroom support package is also included to support academic adoption. Mastering Windows Network Forensics and Investigation, 2nd Edition offers help for investigating high-technology crimes.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.