Investigating Windows Systems - PDF
Скачать полную версию книги "Investigating Windows Systems - PDF"
I am not an expert. I have never claimed to be an expert, particularly at analyzing Windows systems. As I have done before, got to a point where I looked around at the materials I had written into blog posts, into various documents, and even in a hard copy notebook and on scraps of paper, and saw that I had reached a critical mass. At that point, once I had “stacked” everything up, I felt that I likely had too much for a blog post (definitely too much for Twitter), and should just put everything into a book.
Looking back, I really feel like I decided to write this book for a couple of reasons. First, all of my earlier books have included lists of artifacts to be analyzed and tools for parsing various data sources, but little in the way of the thought process and analysis decisions that go into the actual analysis. This thought process is something I follow pretty much every time I perform analysis of an acquired image, and I thought that, taking a different approach with this book would be beneficial to someone. This is also due to the fact that when I have attended training courses and conference presentations, something I have asked a number of times is, “what is the analysis decision that led you to this point?” I thought that since I have had that question, is it possible that others might have had the same or similar questions? What was different about someone else’s experiences such that they chose to follow one path of analysis over another? My thinking has been that by engaging with each other and understanding different viewpoints, we all grow, develop, and get better at analysis.
Another reason for writing this book is that there are a number of sites you can visit online that describe the use of open source and freely available tools for parsing data sources. However, rather than listing the tools and providing suggestions regarding how those tools might be used, I thought it would be a good idea to provide example analyses, from start to finish, and include the thought processes and analysis decisions along the way with respect to what tool to use, why, and what the analysis of the output of the tool provided, or led to.
In this book, I relied upon the kindness of others who have posted images of Windows systems online as part of forensic challenges. To each and everyone of them, I am grateful. In some cases, these online challenges have links to analysis performed by others, but what is often missing is the decision the analyst made as to “why” they did something. Why did you start there, or why did you choose one direction, or one data source, in your analysis over another?
Throughout this book, I have tried to remain true to a couple of base tenants and concepts. First, documentation is everything. As is often said on the Internet, “picture, or it did not happen.” That is to say, unless you have documentation of your actions (in this case, a picture), it did not really happen. The same thing applies to forensic analysis; over the years, many of us have shared the euphemism of having to explain what actions we took and decisions we made during analysis 6 months ago. Well, it was all a euphemism, until it was not. I have worked with analysts who have had to go back to an engagement that was 12 months old, and try to explain what they did to their boss, or to legal counsel, without any documentation whatsoever. Furthermore, too many times, we miss the opportunity to share findings with other analysts, or even simply use what we learned on future engagements because we did not document what we did, nor what we found. We cannot remember everything, and “baking” our findings back into our analysis tools and processes means that we do not have to.
Second, all of the images analyzed throughout the course of this book are available online, and regardless of the images used and the challenges from which they originated, I have tried to present the analysis scenario in a manner more aligned to my own experience. For example, the website for the one of the images referenced in this book includes a list of 31 questions to be answered as part of the forensic challenge; in my two decades in the information security industry, I have never had an engagement where a client had a list of 31 questions they want answered. More often, there has been a short list of three or four questions. . .I think the most I ever encountered was maybe half a dozen. . .that we had worked with the client to develop, in part because their initial question was simply too vague. As such, what I have done is attempted to provide a more “real world” approach to the analysis questions and goals, and then pursued the analysis in relation to those goals.
Finally, thanks to the efforts of several generous individuals who have developed and shared forensic challenges, I have been able to illustrate analysis on a variety of versions of Windows. This is extremely valuable, as it allows me to illustrate that there are, in fact, significant differences between the various versions. Recognizing and understanding these differences can serve to make analysis of Windows systems significantly more effective.
Again, I am not an expert. Is it possible that through the course of this book that I missed something during analysis, perhaps missing an artifact or data source that someone else may have examined? Or did I not take as close a look at an artifact as someone else may have? Yes, definitely. If that is the case, I apologize for the oversight, and will strive to do better next time.