Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Windows Forensics Cookbook
Windows Forensics Cookbook

Windows Forensics Cookbook: Over 60 practical recipes to acquire memory data and analyze systems with the latest Windows forensic tools

Arrow left icon
Profile Icon de Courcier Profile Icon Oleg Skulkin
Arrow right icon
€8.99 €29.99
Full star icon Full star icon Full star icon Full star icon Full star icon 5 (2 Ratings)
eBook Aug 2017 274 pages 1st Edition
eBook
€8.99 €29.99
Paperback
€36.99
Subscription
Free Trial
Renews at €18.99p/m
Arrow left icon
Profile Icon de Courcier Profile Icon Oleg Skulkin
Arrow right icon
€8.99 €29.99
Full star icon Full star icon Full star icon Full star icon Full star icon 5 (2 Ratings)
eBook Aug 2017 274 pages 1st Edition
eBook
€8.99 €29.99
Paperback
€36.99
Subscription
Free Trial
Renews at €18.99p/m
eBook
€8.99 €29.99
Paperback
€36.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Table of content icon View table of contents Preview book icon Preview Book

Windows Forensics Cookbook

Digital Forensics and Evidence Acquisition

In this chapter, well cover the following recipes:

  • Identifying evidence sources
  • Acquiring digital evidence
  • Ensuring evidence is forensically sound
  • Writing reports
  • Digital forensic investigation: an international field
  • Challenges of acquiring digital evidence from Windows systems

Introduction

Digital forensics is an expansive term that can cover a multitude of subject areas. Broadly speaking, it refers to the investigation of crimes committed on, or with the use of, a computing device. Several years ago, this may have only been applicable to cases in which an investigator was looking at financial fraud, intellectual property theft, or similar cases where computers are, by definition, necessary in order to commit the crime.

In today's world however, the proliferation of digital devices is such that even a crime that seems to be unrelated to computing—a house burglary where jewellery is stolen, for example, or the abduction of a child walking home from school—can involve a whole host of digital evidence.

Digital evidence refers to anything relevant to an investigation that can be found on a digital device. Increasingly, digital devices can refer to almost anything around us - not only computers and phones, but also cars, televisions, refrigerators, and heating systems.

Digital forensics as a discipline does not deal solely with solving crimes. HR matters in companies, private or civil cases, as well as day-to-day data recovery, can all fall under the digital forensics bracket. It is reasonable to state, therefore, that not only is digital forensics a huge field, it is also expanding. For this reason, in this book, we have decided to focus on one particular aspect of digital forensics: the forensic analysis of Windows operating systems.

Why Windows?

We could have chosen any number of operating systems as the subject of this book, not to mention the myriad smartphones and other connected devices that crop up in digital forensic investigations. Windows is, however, a popular choice of operating system for the average computer user, and for businesses — recent figures from NetMarketShare indicate that Windows takes up over 88% of the market. The following diagram demonstrates the market share of Windows as opposed to Mac, Linux, and other operating systems.

Regardless of whether you're working in law enforcement, in a digital forensics corporation, as an academic researcher in the field, or for yourself as a freelance investigator, the chances are that at some point you will come up against Windows systems.

Our goal in writing this book is to create a kind of cookbook, allowing you to dip in and out and use the recipes to aid in your investigations.

The range of available operating systems and programs that are frequently run on Windows machines makes it difficult to provide a full guide. This is particularly when we take into consideration the recent overhaul resulting in Windows 8, Windows 8.1, and Windows 10, which refer to programs as applications and look somewhat different from earlier versions both forensically and from a user experience point of view. To the best of our ability, we have tried throughout this book to highlight the most salient points in investigation and to discuss the broad implications of the changes in more recent versions.

Windows file system

Windows machines use NTFS, which used to stand for New Technology filesystem, although the acronym has now become obsolete. All versions of Windows run on NTFS as default.

The main thing to remember about NTFS is that everything is a file. The idea behind the filesystems creation was that it would be easily scalable, as well as being secure and reliable at all levels. This does present some unique challenges for forensic investigation and administrative usage, however knowing that any file can be located anywhere on the system makes it challenging to understand precisely what one is looking at when analyzing a machine.

The Master File Table (MFT) is the basis of the filesystem. In here, we find all the relevant information concerning files. It is worth noting that the first entry in the MFT is an entry that refers to the MFT itself, which can confuse people who are new to Windows filesystem analysis.

One of the most important elements in Windows investigations is the registry, where keys containing information regarding the configuration of the system, along with other forensic gems are stored. Tools such as RegEdit and RegRipper can be very useful in registry analysis, as can many of the more widely used general forensic programs, such as EnCase and BlackLight.

We will discuss the specifics of various investigative elements within the Windows NT filesystem throughout the book. For the moment, the most pertinent points to remember are that everything in NTFS is a file; that the master file table forms the base of the filesystem; and that the registry contains useful system configuration information.

Identifying evidence sources

As any digital forensic investigator will know, one of the main challenges posed by almost any case is the sheer amount of data and number of sources available to be worked through. A useful skill to have is the ability to look through the sources of evidence involved with a case and make a value judgement as to which will probably be the most useful.

From the beginning of the case, this can take the form of ascertaining which physical items to remove from a crime scene—computers and mobile phones are almost always seized, but what about USB sticks, smart televisions, and satellite navigation systems? How do you even get a WiFi connected refrigerator into a Faraday bag?

Jokes aside, once an investigator has identified the items from which they are going to attempt to extract evidence, the next hurdle is to work out which bits of evidence will be the most relevant, and where those can be found.

In Windows systems, there are several elements that will prove to be useful across many different types of investigations. While some will vary from case to case—looking for evidence of intellectual property theft or financial fraud will differ hugely from the sources you'd be locating in a child protection investigation, for instance on the whole, the following sources of evidence can generally provide useful information from which you can then extrapolate further.

In older Windows versions (around the time of XP and 2000), there were fewer programs to deal with, and therefore fewer sources of potential evidence, but there was also less room for confusion. XP was when Windows began to support the NT filesystem, which gave a boost to the previous FAT setup and allowed for more in—depth analysis of the system.

Prefetch files were introduced in XP, and swiftly became one of the most pertinent sources of evidence, which is still the case today. The aim from a user experience perspective was essentially to speed things up. Prefetch files take note of which programs are used most frequently and make sure that those programs are pre-loaded into the memory, so that when a user boots up a machine and then tries to access one of the programs, it will load more quickly. From a forensic point of view, this means that prefetch files provide a wealth of information regarding a user's general computer habits—which programs they use most often, and to some extent, how they are being used. Prefetch files are stored in the %SystemRoot%Prefetch directory and will be discussed in more depth in Chapter 7, Main Windows System Artifacts.

Subsequent Windows updates introduced increasingly complex elements, one of the most pertinent of which is BitLocker.

BitLocker provides full volume encryption and also includes a version for portable devices, called BitLocker To Go. Provided that the password is known, decryption of BitLocker information is relatively straightforward and can be performed using a range of forensic software, some of which will be detailed later in this book. The simplest way to ascertain whether a volume has been encrypted using BitLocker is to look for -FVE-FS- in the volume header. Once this has been determined and the password has been found or recovered, tools such as FTK or EnCase can be used to decrypt the information.

Around the same time BitLocker was introduced, with the release of Windows Vista, the way in which user accounts are structured within Windows also changed. This is mainly noticeable from the perspective of the user themselves, in that the main change is that many system-wide modifications that could previously be made by any user can now only be made by an administrator. This can also be an important point forensically, particularly in cases where a computer has multiple users, only one of whom has access to the administrative password.

Internet Explorer and its successor, Microsoft Edge, have been overhauled repeatedly throughout the years. We will take a much closer look at Edge later on in this book, however, for the moment, it is possible to say that there is a wealth of information to be found within internet browsers. Arguably one of the most important elements within Internet Explorer is the cache, which contains information regarding the pages a user has visited and any content that has been downloaded.

Private browsing is one of the most commonly misconceived options by the end users of Windows systems: while this may prevent other people in the household from uncovering a users secret internet habits, it is of course still open to forensic investigation.

Increasingly, we are seeing users becoming more aware of the level of information that can be gleaned using digital forensic methods, and in recent years, privacy options within operating systems, applications, and programs have become a growing concern for many computer users. This has led to a gradual yet steady rise in the installation and usage of alternative software such as the Tor browser, which purports to be able to prevent others from uncovering the true location of the end user. However, even these methods are not impervious to forensic investigation, as demonstrated at the Digital Forensics Research Workshop 2015 by Epifani et al.

Any attempt at obfuscation or extensive deletion of data should spark a level of suspicion in the mind of an investigator; anti-forensic methods are becoming more and more widespread, but so in turn are the methods forensic analysts can use to uncover the elements users were trying to hide.

Ensuring evidence is forensically sound

The chain of custody in digital investigations is of paramount importance. Not only does it demonstrate who had access to the evidence at any given time, it also - at least in theory - shows what was done with the evidence after it was seized, and the measures that were taken to ensure its preservation and integrity.

For investigators who work in a team, for example in law enforcement agencies or within a corporation, there will generally be an already established process to follow, in line with the guidelines provided by the agency or company. For freelance and individual investigators (or for those who believe their company's acquisition procedure may need a bit of an overhaul), it is important to bear a few basic principles in mind.

The level of forensic soundness that you as an investigator will be required to demonstrate will probably depend, at least in part, on the nature of the case on which you are working. Civil cases, for example, will generally not require such a high level of evidential integrity as criminal investigations, since civil cases are less likely to end up in court. It is good practice, however, to get used to maintaining as high a level of forensic soundness as possible;"doing so means that, if in the future you specialize in more in-depth investigations, you will already you will already be used to setting the right level of groundwork for your forensic examinations.

Generally, it is sufficient when gathering evidence to image a device—that is, to create an exact copy of the data contained therein—and then to use this forensic image as the basis for your analysis, rather than conducting analysis on the physical device you have seized from the scene. Sometimes, you may also be required to verify both that the copy is authentic, and that the process you used to copy the data did not alter it in any way. Audit trails are a large part of this—if you can demonstrate where the data sources have been stored, in which devices, for how long, and who has had access to them, this should suffice.

Removing the source of digital evidence from the scene of the investigation is the first step in this process and must be done with care. Switching off or unplugging a machine, typing in a password, moving a mouse, or performing any other kind of interaction with an object encountered in the course of a crime scene investigation can have unpredictable effects on the outcome of the investigation. Sometimes, devices are set up to be wiped automatically when turned off; some will encrypt all data when a password is entered incorrectly.

In most cases, investigators will be encouraged to leave the source of evidence in the state in which it is found. For example, if a mobile phone is recovered from a scene, it may be placed in a Faraday bag, which will block electric fields and therefore prevent signals from coming through while the phone is being transported.

If there is no way to remove an item from a scene without somehow tampering with it—for example, if a desktop PC is plugged in and turned on, but needs to be taken away for analysis—the person tasked with the removal of the item should be expertly qualified to ensure that no changes happen except the ones that are absolutely necessary, and that any actions that take place are detailed within the audit trail.

It may sound like this is a relatively straightforward process—don't change anything unless you absolutely have to; if you do have to, ensure the person who is making the changes is qualified to do so; and keep a record of everything that happens. However, this is a broad overview of the basic general requirements for the sound preservation of evidence, and these will differ—sometimes quite widely—depending on local or national legislation. One of the most challenging things about being a specialist in computer forensics is that computer crimes often have an international flavor, and it is not unheard of for an investigation to span several continents, let alone states within a given country.

For this reason, it is of the utmost importance to verify the local legislative requirements when it comes to the identification, collection, preservation, and analysis of digital forensic evidence, particularly if the case on which you are working is likely to end up in court.

Writing reports

As with the chain of custody/audit trail mentioned in the preceding section, the style of report writing will no doubt vary based on legislative demands, company or agency guidelines, and individual investigator style. Once again, it makes sense to have a good grounding in the basics of digital forensic report writing, so that you have a flexible skill set within which to work.

Reports may also differ significantly depending on who is going to end up reading them. If you are investigating a civil dispute, your final report will probably not be written in highly technical language and may just include an overview in layperson terms of the methodology used and what was uncovered. If you are going to be called into court as an expert witness however, then a higher level of technical detail and a more in-depth demonstration of your investigative processes will no doubt be needed.

Broadly speaking, most digital evidence reports should include the following:

  • Name, job title, and company of the senior investigating officer.
  • Name, job title, and company of the digital forensics examiner (if different from the preceding one).
  • A brief description of the case, including the nature of the activities under investigation.
  • Name of the person or persons whose devices or data are under investigation.
  • Start and end date of the investigation.
  • Methodology used throughout the investigation, including but not limited to how evidence was identified, collected, preserved, and analyzed. This may also include details of any tools and processes used, as well as a copy of the chain of custody.
  • An overview of the results of the investigation in line with the original activities specified at the beginning of the report, as well as any other relevant information that was uncovered in the course of the investigation.
  • Screenshots, printouts, or other evidential items that demonstrate the results of the case.
  • An analysis of the results, including any conclusions regarding guilt or innocence of the accused party.
  • Any appendices, glossaries, or other information that may prove useful to the reader of the report.

Many forensic tools will generate their own reports in either digital or printable formats, in a number of different styles such as PDFs, Excel documents, or Word files. Some software packages, such as Nuix's Investigator Suite, include add-ons like Web Review and Analytics, which allow for multiple users to view or work on the same case. This can be very useful during an investigation, as it allows an administrator or senior investigator to allocate certain roles within a case, but it can also come in handy when compiling reports. Some users can be given access only to the final report, which they can enter into and look at the results that have been found and compiled into user-friendly graphs; if they have the correct permissions, they can then also take a further look at the evidence from this. The following diagram shows the dashboard of the Nuix Web Review and Analytics interface, which allows users to view and manage evidence in a forensic investigation.

Digital forensic investigation - an international field

As we have briefly discussed, one of the biggest challenges encountered by digital forensic investigators, whether in criminal or civil cases is the international nature of their investigative scope.

When investigating cases such as DDoS attacks (where a person or group of people flood a website or machine with requests in order to stop it from functioning), online credit card details theft, or bank fraud for example, it is likely that an investigator may find their suspects scattered all around the world. In a recent case involving the live streaming of child abuse from the Philippines, one of the main problems the investigators ran into was that the people who were watching the live streamed content were also subjects for investigation, but they were spread internationally and were difficult to track down due to so many of them using various methods of obfuscation. Laws around the world differ too: legislation in one country may create a legal loophole that causes havoc for a case and has implications on whether it is eventually brought to a conclusion or shelved.

The increasingly globalised nature of crime means that this is a problem we cannot ignore - it is not something that is going to go away. On the contrary, it looks set to only grow further with each passing year. Nowadays, our data is stored in the cloud—Nowadays, our data is stored in the cloud; people we interact with aren't just those we have met in real life, but instead people we would have previously termed strangers now increasingly form the basis of our social interactions; our bank accounts are accessible from almost anywhere in the world, often in multiple currencies. It is difficult enough to trace the actions and data trail of a single individual who is merely living life in the 21st century, let alone to attempt to investigate a large group of people, spread across diverse physical locations, who are making deliberate and sustained attempts to obfuscate data and hide themselves from view.

Strides ahead are being made, however. Various projects have sprung up over recent years which aim to address the specific challenges brought up by international investigations. One example is the EVIDENCE Project coordinated by Maria Angela Biasotti, an Italian lawyer who, in collaboration with colleagues across Europe, is seeking to develop a common understanding of electronic evidence and a more globally viable way of collaborating between territories, as well as a more standardized criminal investigation procedure around the world.

A laudable goal, and one that the EVIDENCE Project at least is moving swiftly towards; at the time of writing, a test implementation between several member countries is on the cards. However, at the moment, investigators are still faced with having to work on cases that have international data sources and implications.

What can we do to make things easier for ourselves in the meantime?

Scoping out a case before taking it on is good practice regardless of its size or relative importance, but this becomes even more pertinent when international factors might be involved. These may have an impact on the time it takes to acquire evidence: for example, if you are looking to extract data from a server in another country, or even another state, you will need at least a basic understanding of the requirements necessary to gain access to it, and indeed whether this is even possible in the first place.

It is, of course, impossible to have an in-depth understanding of the various bits of legislation that are relevant to digital forensic investigations around the world. In reality, the best an investigator can do is to verse themselves as fully as possible in the laws of their own local area, and then seek advice when the need arises to work across borders.

Beyond the legislative elements, however, there are also the more mundane aspects of international investigation, such as linguistic analysis. Keyword searches are often where an investigation starts, or at least fall somewhere near the beginning—but if your case spans a multitude of countries, you may well end up at a loss for keywords.

Most of the larger digital forensics solutions, such as EnCase and Nuix Investigator, have multilingual keyword abilities built in, which is a huge help. Some can even scan the evidence you enter for you, and then bring back an analysis of the languages used within the case. You can then use this to form the basis of your investigation and to inform future searches. Slang is still a problem for many though, and criminals are increasingly becoming wise to this. While a thesaurus can bring back a number of synonyms for a given term relating to drug abuse, the exploitation of children, or financial fraud, it may not be able to include all the less formal terms people are using in their discussions.

Progress is being made, however, and much of the air time at digital forensics conferences and research groups is devoted to how we as investigators can increase collaboration and make it easier to investigate global cases.

Challenges of acquiring digital evidence from Windows systems

One of the challenges of investigating Windows machines is the way that NTFS is set up. This means that it can be difficult to work out whether what you're looking at refers to a general property of the file system, or to a property that is specific to an application. The further along in your investigative career you are of course, the more adept you will become at making such distinctions, however, it is worth bearing in mind particularly for early career investigators.

Beyond the basic filesystem challenges, the way in which Windows systems are constantly updating can bring up further obstacles to digital forensic investigations. What worked on a machine running Windows 7 may not work on one that's running Windows 8.1; Windows 10 is a minefield of new and intriguing forensic elements (not to mention the increased privacy concerns it has brought up, leading to a rise in the number of users who are implementing their own data obfuscation and personal privacy measures). And heaven forbid you end up with a machine so old that modern forensic software has forgotten how to analyze it!

The way Windows 10 runs is of particular interest to forensic examiners, not just because it is being forcibly rolled out to users everywhere, but also because the structure of how things are organised has changed significantly. We will look at this in more detail towards the end of this book, where a full chapter will be devoted to the forensic analysis of machines running Windows 10, but broadly speaking, the difference from a forensic perspective comes from the fact that applications and programs don't just have different names; they work in a slightly different way. End users are increasingly looking for more lightweight, quick to run devices that make their work and personal lives easier, which means that, in turn, technology companies such as Microsoft are turning to collaborations with other entities and making the personal computer less of a single, standalone piece of equipment and more of a portal to data stored elsewhere. It is quite possible to seize a device where the documents are stored on Google Drive; voice and video call communications on Skype; Instagram is an application accessed on the PC rather than - or as well as - on a smartphone; Facebook isn't a website visited via an internet browser but an application in its own right.

Notwithstanding the legal challenges concerning international cloud data storage that we have already discussed, having such a wealth of separate applications to analyze makes cases much more complex. The fact that users can also add or create their own programs makes for an increasingly complex and often labyrinthine investigative methodology.

For this reason, it is becoming more and more necessary to narrow down an investigation as quickly as possible, working out which kinds of applications and services a user may require to perform the activity for which they are being investigated. Again, this is not always easy to do; we can but try!

Triage, international collaboration, and the technical understanding of investigators are all of paramount importance to digital forensic investigations, now more than ever before. In the Windows Forensics Cookbook, we hope to give you a base upon which you can build your own investigative techniques.

Left arrow icon Right arrow icon

Key benefits

  • Prepare and perform investigations using powerful tools for Windows,
  • Collect and validate evidence from suspects and computers and uncover clues that are otherwise difficult
  • Packed with powerful recipes to perform highly effective field investigations

Description

Windows Forensics Cookbook provides recipes to overcome forensic challenges and helps you carry out effective investigations easily on a Windows platform. You will begin with a refresher on digital forensics and evidence acquisition, which will help you to understand the challenges faced while acquiring evidence from Windows systems. Next you will learn to acquire Windows memory data and analyze Windows systems with modern forensic tools. We also cover some more in-depth elements of forensic analysis, such as how to analyze data from Windows system artifacts, parse data from the most commonly-used web browsers and email services, and effectively report on digital forensic investigations. You will see how Windows 10 is different from previous versions and how you can overcome the specific challenges it brings. Finally, you will learn to troubleshoot issues that arise while performing digital forensic investigations. By the end of the book, you will be able to carry out forensics investigations efficiently.

Who is this book for?

If you are a forensic analyst or incident response professional who wants to perform computer forensics investigations for the Windows platform and expand your took kit, then this book is for you.

What you will learn

  • Understand the challenges of acquiring evidence from Windows systems and overcome them
  • Acquire and analyze Windows memory and drive data with modern forensic tools.
  • Extract and analyze data from Windows file systems, shadow copies and the registry
  • Understand the main Windows system artifacts and learn how to parse data from them using forensic tools
  • See a forensic analysis of common web browsers, mailboxes, and instant messenger services
  • Discover how Windows 10 differs from previous versions and how to overcome the specific challenges it presents
  • Create a graphical timeline and visualize data, which can then be incorporated into the final report
  • Troubleshoot issues that arise while performing Windows forensics

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Aug 04, 2017
Length: 274 pages
Edition : 1st
Language : English
ISBN-13 : 9781784391270
Vendor :
Microsoft
Category :
Concepts :
Tools :

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Product Details

Publication date : Aug 04, 2017
Length: 274 pages
Edition : 1st
Language : English
ISBN-13 : 9781784391270
Vendor :
Microsoft
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 106.97
Mobile Forensics Cookbook
€32.99
Windows Forensics Cookbook
€36.99
Digital Forensics and Incident Response
€36.99
Total 106.97 Stars icon
Banner background image

Table of Contents

12 Chapters
Digital Forensics and Evidence Acquisition Chevron down icon Chevron up icon
Windows Memory Acquisition and Analysis Chevron down icon Chevron up icon
Windows Drive Acquisition Chevron down icon Chevron up icon
Windows File System Analysis Chevron down icon Chevron up icon
Windows Shadow Copies Analysis Chevron down icon Chevron up icon
Windows Registry Analysis Chevron down icon Chevron up icon
Main Windows Operating System Artifacts Chevron down icon Chevron up icon
Web Browser Forensics Chevron down icon Chevron up icon
Email and Instant Messaging Forensics Chevron down icon Chevron up icon
Windows 10 Forensics Chevron down icon Chevron up icon
Data Visualization Chevron down icon Chevron up icon
Troubleshooting in Windows Forensic Analysis Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Full star icon 5
(2 Ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Andrew R. Singleton Jun 25, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book will quickly guide you on how to do forensics on each piece of windows. Both open source and commercial software examples are provided.
Amazon Verified review Amazon
Semper_PatsFan Sep 20, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Great book for entry level professionals.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.