
| Subject: | [CISSP-D] REVIEW: "Windows Forensics and Incident Recovery", Harlan Carvey |
|---|---|
| Date: | Mon, 7 Mar 2005 08:28:59 -0800 |
BKWNFOIR.RVW 20041224

"Windows Forensics and Incident Recovery", Harlan Carvey, 2005, 0-321-20098-5, U$49.99/C$71.99
%A Harlan Carvey
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2005
%G 0-321-20098-5
%I Addison-Wesley Publishing Co.
%O U$49.99/C$71.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321200985/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321200985/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321200985/robsladesin03-20
%O tl a rl 1 tc 2 ta 2 tv 1 wq 2
%P 460 p. + CD-ROM
%T "Windows Forensics and Incident Recovery"

Chapter one is an introduction, both to the book and to the ideas behind it. For once, the author does, indeed, try to define what an incident is. The definition is broad, but so are the possibilities. The intended audience is stated to be anyone interested in the security of Microsoft Windows, but it is instructive that, in listing specific groups, forensic specialists and security professionals are *not* mentioned. Carvey notes that a great many people would like to know the information that Windows forensics can provide, since the platform is nearly ubiquitous, but few have the knowledge of system internals that is necessary to find the relevant bits.

Based on the definition of an incident as an event that violates security policy, chapter two demonstrates some of the ways that policy failures, and therefore attacks, can occur. (The rationale behind the inclusion of eleven pages of Perl source for a program to detect null sessions escapes me.)

Chapter three reviews a number of places to hide data, but all of these are at the user interface level, such as setting hidden file attributes, placing data in unused keys in the Registry, NTFS (NT File System) alternate data streams (ADS), and the extra information stored in data files by applications like Microsoft Word.
There is no mention of the lower level caches: slack space (whether in terms of zero padding, extra space in sectors, or the timing margins on hard disks) or page files. In addition, for those locations that are mentioned, specific programs for extracting particular data are listed, but no details of structural internals (for example, formats for NTFS, OLE/COM, or Word) are provided for analysis with more general utilities. This is not to say that Carvey does not do a good job of explaining what he does cover: the tutorial on NTFS ADS is clear and complete.

The material in chapter four addresses the issue of preparation by suggesting various means of hardening systems and networks against attack. The content is unusual, and deals with functions and activities that are frequently left out of security texts. At the same time, it does not touch on some common suggestions for system security: this should be seen as a complement to, rather than a replacement for, other Windows security works.

A wealth of utilities for deriving all manner of information from Windows systems is listed and described in chapter five. Chapter six presents suggestions for the methods and procedures to be used in responding to a potential incident, but it does so in the form of a number of fictional examples. The stories can be instructive, but it does take a long time to sort through the material to find the relevant points to use.

Various indications that can be evidence of the existence of malware (particularly network-based remote access trojans) are examined in chapter seven. The author's Forensic Server Project, a tool for managing forensic data collection, is presented in chapter eight. Chapter nine describes an assortment of network scanning and data capture tools.

Although a number of areas are addressed, the text will be of greatest use to those who are concerned about network malware, especially of the remote access type.
The intended audience, of experienced but non-specialist Windows administrators and law enforcement professionals with some technical background, will find a number of valuable indicators that will point out whether a system will reward further scrutiny. The professional, and particularly one with experience in forensic analysis, will find some very useful information on newer operations of Windows, but may be frustrated at the lack of detail. (I'm still not sure who is going to get a lot out of all the Perl source code ...)

copyright Robert M. Slade, 2004 BKWNFOIR.RVW 20041224

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Heaven goes by favour. If it went by merit, you would stay out and your dog would go in. - Mark Twain
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade