Looking for a Windows Forensics book
Results 1 to 10 of 15

Thread: Looking for a Windows Forensics book

Hybrid View

  1. #1
    Junior Member
    Join Date
    Nov 2002
    Posts
    21

    Looking for a Windows Forensics book

    Hi, I am looking to get a Windows Forensics book, as I am totally new to the subject (other than being a windows tech who sometimes gets asked to recover files and get rid of viruses on someone elses comp).

    I looked on Amazon, and there are a bunch of books. The ones that had the highest ratings were from people whom I never heard of, and neither did Wikipedia. So I figure a place like AO would know better than amazon reviews which book to recommend. Basically, I would like a book that starts with some basics, but goes into great deal of.. depth?

    Thanks,
    RMSe17

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi. it's a pretty big subject so I doubt if you will find a single source.

    http://en.wikipedia.org/wiki/Computer_forensics

    There are some references there.

    There are two major forks:

    Criminal investigation
    Civil investigation & data recovery

    I would not restrict myself to Windows as there are quite a few forensics tools that are not Windows based, and in some circumstances it is best not to use Windows to work on a Windows system

    I would be inclined to use a search engine first rather than go straight to an online bookstore, who are after all, only interested in selling you books?

    Also, make sure that what you get is current and relevant to the laws in your part of the World.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,250
    If you are in the U.S. you may get lucky. Try sending a PM to THEHorse here on AO.

    Not sure if he hangs around here any more, but it can't hurt to try.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  4. #4
    Junior Member EC_gh0's Avatar
    Join Date
    Mar 2010
    Posts
    9
    COFEE is a forensics tool, approximately 15MB in size that fits on a USB drive for law enforcement officials to use in PC forensics.

    With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.

    COFEE can be used to locate parts of a computer's hard drive that criminals could use for identity theft, online fraud, child pornography and other such crimes. It is designed to be easy to use and quick for law enforcement officials. The small program contains 150 commands which simplify and speed up the process of data retrieval. According to a Microsoft spokesperson "an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device."

    COFEE requires Windows XP for configuration however, it does have some Windows Vista support. According to company insiders, Microsoft is developing a new version of COFEE which will be released next year that fully supports Windows Vista and Windows 7.

    There is also an anti-COFEE forensics page called Decaf available from http://www.decafme.org/

    If your looking for a bootable copy of Linux preloaded with plenty of Forensics tools check out DEFT http://www.deftlinux.net/

    I tend to lean more towards Open Source as in my humble opinion it is far superior to a Microsoft solution that knocks around on a tiny USB pen.. Also a device that accesses the Memory and reads and writes to the suspects hard-disk drive is a questionable forensics practice which in itself is a far cry from mirror imaging the actual hard-disk then working with the mirror image thereby not tampering with the evidence in anyway!

    Also using a USB forensics solution opens up the possibility of contaminating evidence with Viruses!

    Other forensics tools include things like OCFA & Automated Image & Restore, if your going to do forensics, I humbly suggest you ditch Windows, invest in an external mountable Hard-Disk bay.. Like this one.. http://www.maplin.co.uk/module.aspx?moduleno=226653 and consider using Linux related forensics tools.

    If you would like to participate in an online digital forensics challenge which takes place every year then a visit to http://www.dc3.mil might be just what your looking for.

    As for reading a book, hands on is always better, get some hard-disk images from the DC3 for free then get your hands dirty by recovering the evidence. (if you can)

    There are various articles posted all over the Internet about how to be proceed in the field of Digital Forensics, including an article that was published recently by Cryptome about Windows Drive Locker Encryption and how to reverse it completely without a suspects password, so if you thought your documents where safe with a Microsoft Solution think again... http://www.wired.com/threatlevel/201...soft-cryptome/

    The document was made freely available to law enforcement by the Microshaft Corporation, just not the rest of the general public it would seem... (I really can't imagine why!)

    Microsoft got off lightly with them calling it Decaf, if it had been up to me I would have called it, Fuc'ofee!

    Steve Ballmer once described GNU/Linux as a Cancer, yet it is without a doubt Microsoft & Windows that is a Cancer opposing standards where-ever it goes!

    Next time you meet a digital forensics expert, ask them what they prefer to use, Windows!?! or Linux!?!
    Last edited by EC_gh0; May 12th, 2010 at 04:28 PM.

  5. #5
    Banned
    Join Date
    Jan 2008
    Posts
    605
    People are given a million dallors by the government to weaken encryption and encryption standards. The thing about Drive Locker was they didn't play ball at first. It was infact, never broken intil the feds payed off the media to create buzz about it protecting pedophiles.

    They where told to backdoor it or else the government would create a law, to which they'd have something to sue them for.

    Next time you meet a digital forensics expert, ask them what they prefer to use, Windows!?! or Linux!?!
    99.9% of the problems stem from the fact that users set themselves up as admin and disable UAC. Whereas linux has so many kernal flaws to date that I compair it more towards erectile dysfunction than cancer.

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    We have discussed COFEE before:

    http://www.antionline.com/showthread...hreadid=278648

    It is not a forensics tool as such, but a preconfigured preliminary potential evidence gathering tool. Someone using it is the computer forensics equivalent of a script kiddie

    Hell, if a cop can learn how to use it in 10 minutes?...............

    Also a device that accesses the Memory and reads and writes to the suspects hard-disk drive is a questionable forensics practice which in itself is a far cry from mirror imaging the actual hard-disk then working with the mirror image thereby not tampering with the evidence in anyway!
    Exactly my question in the previous thread! I believe that in quite a few countries you would not be complying with evidence gathering regulations as you haven't secured it first.

    Provided that accepted evidence preservation practices are adhered to, I can see it speeding up due process, as the preliminary investigation can be carried out by non-skilled personnel. It should also keep costs down.

    There is also an anti-COFEE forensics page called Decaf available from http://www.decafme.org/
    I wouldn't bother as it is pretty lame, and the original version at least, surreptitiously phoned home and could be remotely disabled by its authors. I cannot see any legitimate reason for those "features"

    My conclusion is that whilst "hands on" can be a useful way of learning, COFEE isn't.I have never seen a scipt kiddie make it into a hacker
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    Junior Member EC_gh0's Avatar
    Join Date
    Mar 2010
    Posts
    9
    Another thing to consider is if they throw in ZuneFS with all those NTFS boxes running off an Open Solaris Server, they can use and abuse the desktop rollback feature when-ever they want to see exactly what you've been doing on your workstation.

    @nihil I can see how you might want to use a dial home feature if you where a shadowy agency that wanted to see who was downloading and using Decaf!

    It's also a handy feature if your a bot-herder LoL, skipt kidz muh!!

    Boss: "Henderson?" Dude: "Yes, Sir!" Boss: "Are you working hard or hardly working!?" Dude: "Working hard, Sir!" Boss: "Strange, I've just had I.T on the phone swearing blind you've been surfing porn!"
    Last edited by EC_gh0; May 12th, 2010 at 07:18 PM.

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Boss: "Henderson?" Dude: "Yes, Sir!" Boss: "Are you working hard or hardly working!?" Dude: "Working hard, Sir!" Boss: "Strange, I've just had I.T on the phone swearing blind you've been surfing porn!"
    Dude: "But that is hard work Sir!.............and I love my work!"

    @nihil I can see how you might want to use a dial home feature if you where a shadowy agency that wanted to see who was downloading and using Decaf!
    That's a very good point, and using an anonymous proxy outside of your Country's jurisdiction wouldn't help. In fact it would be doubly damning?

    The strange thing (to me at any rate) is that you hear of very few court cases that actually hinge on digital forensic evidence?

    In the UK we have the "Misuse of Computers Act 1989" in all the time it has been in force there have been less than 200 prosecutions under it. I don't know how many convictions that resulted in.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #9
    Junior Member EC_gh0's Avatar
    Join Date
    Mar 2010
    Posts
    9

    Exclamation

    @nihil:

    As far as I was aware one of the case's handed out by the DC3 back as a challenge in 2008 was based on a real court case heard in front of none other than Judge Judy, the Challenge involved a guy who suffered from paranoid delusions and a conviction that the government where out to get him, lost his Job his wife, his kids, in essence a guy with nothing to loose so his answer was to stock pile alarm clocks, explosives and convert his semi-fire AK47 to fully automatic. People could argue that he was right, because shortly after that according to the Law Enforcement Report he was arrested on Terrorism Charges so in a sense the man was out to get him..

    All of the evidence on the disk images had to be extracted, stenographic images, encrypted e-Mails, the occasional virus or two thrown in for good measure etc...

    It was all very interesting, but as to weather it was real or just fictional, I have no idea, but it strikes me as a well concocted storyline as youd think a circuit judge would be far to busy with marital disputes and something of that nature would be referred straight to the criminal courts!



    But thats a valid point about people never hearing much about it, but then again depending on the nature of the material and evidence involved you might be forbidden to mention it.

    We all have bad days but plotting to blow up your employer because he's given you the sack is a little far fetched, take a chill pill, relax.. If all that doesn't work, goto the quickie mart and buy some toe nail clippers, his break fluid lines are under the drivers side on the car body work, give those a snip and you'll feel much better!
    Last edited by EC_gh0; May 12th, 2010 at 10:44 PM.

  10. #10
    Junior Member EC_gh0's Avatar
    Join Date
    Mar 2010
    Posts
    9
    @The-Spec, the government don't have to pay people to weaken standards, the human link in the chain is often the /root/ cause of the problem. Look what happened when Geohot announced hacking the PS3, sony promptly announced its next generation of consoles would be Linux unfriendly.

    As for them being threatened and bowing to pressure I doubt that, one of there primary customers are Government departments, it's all Windows (TM) Networking behind those firewalls.

    They would have done it more to win over decision makers with money! It's a cute anti-feature.

    I would hazard a guess they need to sway the big contracts worth $'000'000 with how neat there product is, complete with all that DRM. It's what makes them all that Money.
    Last edited by EC_gh0; May 12th, 2010 at 06:44 PM.

Similar Threads

  1. August security hotfixes
    By mohaughn in forum Microsoft Security Discussions
    Replies: 1
    Last Post: August 9th, 2005, 07:37 PM
  2. suse is crap on finding cdrom
    By rajunpl in forum Operating Systems
    Replies: 43
    Last Post: July 1st, 2004, 07:30 AM
  3. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 07:01 AM
  4. Operating System Selection
    By TheFiend in forum Miscellaneous Security Discussions
    Replies: 30
    Last Post: June 14th, 2003, 11:08 PM
  5. OS History and other info.
    By Remote_Access_ in forum Security Archives
    Replies: 9
    Last Post: January 12th, 2002, 02:02 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides