Investigating Windows Systems
It’s the time of year again when folks are looking for stocking stuffers for the DFIR nerd in their lives, and my recommendation is a copy of Investigating Windows Systems! The form factor for the book makes it a great stocking stuffer, and the content is well worth it!
Yes, I know that book was published in 2018, but when I set out to write the book, I wanted to do something different from the recipe of most DFIR books to that point, including my own. I wanted to write something that addressed the analysis process, so the book is full of pivot and decision points, etc. So, while artifacts may change over time…some come and go, others change in format over time, others suddenly appear…it’s the analysis process that doesn’t change.
For example, chapter 4 addresses the analysis of a compromised web server, one that includes a memory dump. One of the issues I’ve run into over the past couple of years, since well after the book was published, is that there are more than a few DFIR analysts who seem to believe that running a text search of a memory dump for IP addresses is “sufficient”; it’s not. IP addresses are not often stored in ASCII format; as such, you’d likely want to use Volatility and bulk_extractor to locate the specific structures that include the binary representation of the IP address. As each tool looks for different structures, I recommend using them both…just look at chapter 4 of IWS and see how different the information is between the two tools.
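An added illustration of that point (example code, not from the book or from Volatility or bulk_extractor): a constructed buffer stands in for a memory dump and holds an IPv4 address only inside a sockaddr_in structure, so a text search for the dotted-quad finds nothing while a search for the packed 4-byte form does, and the surrounding structure can then be decoded. The address, port and filler text are constructed sample values.

```python
import socket
import struct
from typing import List, Optional

SAMPLE_IP = "203.0.113.7"   # constructed value from the documentation range


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump: filler plus one sockaddr_in.

    sockaddr_in layout: sa_family (uint16, host order, 2 = AF_INET),
    sin_port (uint16, network byte order), sin_addr (4 bytes), 8 zero bytes.
    The address appears ONLY in packed form, never as ASCII text.
    """
    filler = b"\x00" * 64 + b"Connection established" + b"\x00" * 32
    sockaddr_in = (struct.pack("<H", 2)              # sa_family = AF_INET
                   + struct.pack("!H", 443)          # sin_port, network order
                   + socket.inet_aton(SAMPLE_IP)     # sin_addr, packed
                   + b"\x00" * 8)                    # sin_zero
    return filler + sockaddr_in + b"\x00" * 64


def find_all(dump: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in dump (overlaps allowed)."""
    hits, start = [], 0
    while (i := dump.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def find_ascii_ip(dump: bytes, ip: str) -> List[int]:
    """What a plain text search for the dotted-quad string would find."""
    return find_all(dump, ip.encode("ascii"))


def find_packed_ip(dump: bytes, ip: str) -> List[int]:
    """Offsets of the 4-byte network-order representation of the address."""
    return find_all(dump, socket.inet_aton(ip))


def parse_sockaddr_in(dump: bytes, addr_offset: int) -> Optional[dict]:
    """If the packed address at addr_offset sits inside a sockaddr_in
    (AF_INET family word 4 bytes earlier), decode the structure."""
    start = addr_offset - 4
    if start < 0 or len(dump) < start + 16:
        return None
    if struct.unpack_from("<H", dump, start)[0] != 2:   # not AF_INET
        return None
    port = struct.unpack_from("!H", dump, start + 2)[0]
    ip = socket.inet_ntoa(dump[addr_offset:addr_offset + 4])
    return {"offset": start, "ip": ip, "port": port}
```

Running `find_ascii_ip` on the sample returns no hits while `find_packed_ip` returns the offset of the packed address, which `parse_sockaddr_in` then decodes back to the address and port.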
There’s a lot of really good content in the book, such as “file system tunneling”, covered beginning on pg 101.
While some of the images used as the basis of analysis in the book are no longer available online, several are still available, and the overall analysis process applies regardless of the image.
Analysis
Speaking of analysis processes, I ran across this blog post recently, and it touched on a couple of very important concepts, particularly:
This highlights the risk of interpreting single artefacts (such as an event record, MFT entry, etc) in isolation, as it doesn’
[…]