Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Windows Forensics Cookbook
Windows Forensics Cookbook

Windows Forensics Cookbook: Over 60 practical recipes to acquire memory data and analyze systems with the latest Windows forensic tools

Arrow left icon
Profile Icon de Courcier Profile Icon Oleg Skulkin
Arrow right icon
$48.99
Full star icon Full star icon Full star icon Full star icon Full star icon 5 (2 Ratings)
Paperback Aug 2017 274 pages 1st Edition
eBook
$9.99 $39.99
Paperback
$48.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon de Courcier Profile Icon Oleg Skulkin
Arrow right icon
$48.99
Full star icon Full star icon Full star icon Full star icon Full star icon 5 (2 Ratings)
Paperback Aug 2017 274 pages 1st Edition
eBook
$9.99 $39.99
Paperback
$48.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$9.99 $39.99
Paperback
$48.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Windows Forensics Cookbook

Digital Forensics and Evidence Acquisition

In this chapter, well cover the following recipes:

  • Identifying evidence sources
  • Acquiring digital evidence
  • Ensuring evidence is forensically sound
  • Writing reports
  • Digital forensic investigation: an international field
  • Challenges of acquiring digital evidence from Windows systems

Introduction

Digital forensics is an expansive term that can cover a multitude of subject areas. Broadly speaking, it refers to the investigation of crimes committed on, or with the use of, a computing device. Several years ago, this may have only been applicable to cases in which an investigator was looking at financial fraud, intellectual property theft, or similar cases where computers are, by definition, necessary in order to commit the crime.

In today's world however, the proliferation of digital devices is such that even a crime that seems to be unrelated to computing—a house burglary where jewellery is stolen, for example, or the abduction of a child walking home from school—can involve a whole host of digital evidence.

Digital evidence refers to anything relevant to an investigation that can be found on a digital device. Increasingly, digital devices can refer to almost anything around us - not only computers and phones, but also cars, televisions, refrigerators, and heating systems.

Digital forensics as a discipline does not deal solely with solving crimes. HR matters in companies, private or civil cases, as well as day-to-day data recovery, can all fall under the digital forensics bracket. It is reasonable to state, therefore, that not only is digital forensics a huge field, it is also expanding. For this reason, in this book, we have decided to focus on one particular aspect of digital forensics: the forensic analysis of Windows operating systems.

Why Windows?

We could have chosen any number of operating systems as the subject of this book, not to mention the myriad smartphones and other connected devices that crop up in digital forensic investigations. Windows is, however, a popular choice of operating system for the average computer user, and for businesses — recent figures from NetMarketShare indicate that Windows takes up over 88% of the market. The following diagram demonstrates the market share of Windows as opposed to Mac, Linux, and other operating systems.

Regardless of whether you're working in law enforcement, in a digital forensics corporation, as an academic researcher in the field, or for yourself as a freelance investigator, the chances are that at some point you will come up against Windows systems.

Our goal in writing this book is to create a kind of cookbook, allowing you to dip in and out and use the recipes to aid in your investigations.

The range of available operating systems and programs that are frequently run on Windows machines makes it difficult to provide a full guide. This is particularly when we take into consideration the recent overhaul resulting in Windows 8, Windows 8.1, and Windows 10, which refer to programs as applications and look somewhat different from earlier versions both forensically and from a user experience point of view. To the best of our ability, we have tried throughout this book to highlight the most salient points in investigation and to discuss the broad implications of the changes in more recent versions.

Windows file system

Windows machines use NTFS, which used to stand for New Technology filesystem, although the acronym has now become obsolete. All versions of Windows run on NTFS as default.

The main thing to remember about NTFS is that everything is a file. The idea behind the filesystems creation was that it would be easily scalable, as well as being secure and reliable at all levels. This does present some unique challenges for forensic investigation and administrative usage, however knowing that any file can be located anywhere on the system makes it challenging to understand precisely what one is looking at when analyzing a machine.

The Master File Table (MFT) is the basis of the filesystem. In here, we find all the relevant information concerning files. It is worth noting that the first entry in the MFT is an entry that refers to the MFT itself, which can confuse people who are new to Windows filesystem analysis.

One of the most important elements in Windows investigations is the registry, where keys containing information regarding the configuration of the system, along with other forensic gems are stored. Tools such as RegEdit and RegRipper can be very useful in registry analysis, as can many of the more widely used general forensic programs, such as EnCase and BlackLight.

We will discuss the specifics of various investigative elements within the Windows NT filesystem throughout the book. For the moment, the most pertinent points to remember are that everything in NTFS is a file; that the master file table forms the base of the filesystem; and that the registry contains useful system configuration information.

Identifying evidence sources

As any digital forensic investigator will know, one of the main challenges posed by almost any case is the sheer amount of data and number of sources available to be worked through. A useful skill to have is the ability to look through the sources of evidence involved with a case and make a value judgement as to which will probably be the most useful.

From the beginning of the case, this can take the form of ascertaining which physical items to remove from a crime scene—computers and mobile phones are almost always seized, but what about USB sticks, smart televisions, and satellite navigation systems? How do you even get a WiFi connected refrigerator into a Faraday bag?

Jokes aside, once an investigator has identified the items from which they are going to attempt to extract evidence, the next hurdle is to work out which bits of evidence will be the most relevant, and where those can be found.

In Windows systems, there are several elements that will prove to be useful across many different types of investigations. While some will vary from case to case—looking for evidence of intellectual property theft or financial fraud will differ hugely from the sources you'd be locating in a child protection investigation, for instance on the whole, the following sources of evidence can generally provide useful information from which you can then extrapolate further.

In older Windows versions (around the time of XP and 2000), there were fewer programs to deal with, and therefore fewer sources of potential evidence, but there was also less room for confusion. XP was when Windows began to support the NT filesystem, which gave a boost to the previous FAT setup and allowed for more in—depth analysis of the system.

Prefetch files were introduced in XP, and swiftly became one of the most pertinent sources of evidence, which is still the case today. The aim from a user experience perspective was essentially to speed things up. Prefetch files take note of which programs are used most frequently and make sure that those programs are pre-loaded into the memory, so that when a user boots up a machine and then tries to access one of the programs, it will load more quickly. From a forensic point of view, this means that prefetch files provide a wealth of information regarding a user's general computer habits—which programs they use most often, and to some extent, how they are being used. Prefetch files are stored in the %SystemRoot%Prefetch directory and will be discussed in more depth in Chapter 7, Main Windows System Artifacts.

Subsequent Windows updates introduced increasingly complex elements, one of the most pertinent of which is BitLocker.

BitLocker provides full volume encryption and also includes a version for portable devices, called BitLocker To Go. Provided that the password is known, decryption of BitLocker information is relatively straightforward and can be performed using a range of forensic software, some of which will be detailed later in this book. The simplest way to ascertain whether a volume has been encrypted using BitLocker is to look for -FVE-FS- in the volume header. Once this has been determined and the password has been found or recovered, tools such as FTK or EnCase can be used to decrypt the information.

Around the same time BitLocker was introduced, with the release of Windows Vista, the way in which user accounts are structured within Windows also changed. This is mainly noticeable from the perspective of the user themselves, in that the main change is that many system-wide modifications that could previously be made by any user can now only be made by an administrator. This can also be an important point forensically, particularly in cases where a computer has multiple users, only one of whom has access to the administrative password.

Internet Explorer and its successor, Microsoft Edge, have been overhauled repeatedly throughout the years. We will take a much closer look at Edge later on in this book, however, for the moment, it is possible to say that there is a wealth of information to be found within internet browsers. Arguably one of the most important elements within Internet Explorer is the cache, which contains information regarding the pages a user has visited and any content that has been downloaded.

Private browsing is one of the most commonly misconceived options by the end users of Windows systems: while this may prevent other people in the household from uncovering a users secret internet habits, it is of course still open to forensic investigation.

Increasingly, we are seeing users becoming more aware of the level of information that can be gleaned using digital forensic methods, and in recent years, privacy options within operating systems, applications, and programs have become a growing concern for many computer users. This has led to a gradual yet steady rise in the installation and usage of alternative software such as the Tor browser, which purports to be able to prevent others from uncovering the true location of the end user. However, even these methods are not impervious to forensic investigation, as demonstrated at the Digital Forensics Research Workshop 2015 by Epifani et al.

Any attempt at obfuscation or extensive deletion of data should spark a level of suspicion in the mind of an investigator; anti-forensic methods are becoming more and more widespread, but so in turn are the methods forensic analysts can use to uncover the elements users were trying to hide.

Ensuring evidence is forensically sound

The chain of custody in digital investigations is of paramount importance. Not only does it demonstrate who had access to the evidence at any given time, it also - at least in theory - shows what was done with the evidence after it was seized, and the measures that were taken to ensure its preservation and integrity.

For investigators who work in a team, for example in law enforcement agencies or within a corporation, there will generally be an already established process to follow, in line with the guidelines provided by the agency or company. For freelance and individual investigators (or for those who believe their company's acquisition procedure may need a bit of an overhaul), it is important to bear a few basic principles in mind.

The level of forensic soundness that you as an investigator will be required to demonstrate will probably depend, at least in part, on the nature of the case on which you are working. Civil cases, for example, will generally not require such a high level of evidential integrity as criminal investigations, since civil cases are less likely to end up in court. It is good practice, however, to get used to maintaining as high a level of forensic soundness as possible;"doing so means that, if in the future you specialize in more in-depth investigations, you will already you will already be used to setting the right level of groundwork for your forensic examinations.

Generally, it is sufficient when gathering evidence to image a device—that is, to create an exact copy of the data contained therein—and then to use this forensic image as the basis for your analysis, rather than conducting analysis on the physical device you have seized from the scene. Sometimes, you may also be required to verify both that the copy is authentic, and that the process you used to copy the data did not alter it in any way. Audit trails are a large part of this—if you can demonstrate where the data sources have been stored, in which devices, for how long, and who has had access to them, this should suffice.

Removing the source of digital evidence from the scene of the investigation is the first step in this process and must be done with care. Switching off or unplugging a machine, typing in a password, moving a mouse, or performing any other kind of interaction with an object encountered in the course of a crime scene investigation can have unpredictable effects on the outcome of the investigation. Sometimes, devices are set up to be wiped automatically when turned off; some will encrypt all data when a password is entered incorrectly.

In most cases, investigators will be encouraged to leave the source of evidence in the state in which it is found. For example, if a mobile phone is recovered from a scene, it may be placed in a Faraday bag, which will block electric fields and therefore prevent signals from coming through while the phone is being transported.

If there is no way to remove an item from a scene without somehow tampering with it—for example, if a desktop PC is plugged in and turned on, but needs to be taken away for analysis—the person tasked with the removal of the item should be expertly qualified to ensure that no changes happen except the ones that are absolutely necessary, and that any actions that take place are detailed within the audit trail.

It may sound like this is a relatively straightforward process—don't change anything unless you absolutely have to; if you do have to, ensure the person who is making the changes is qualified to do so; and keep a record of everything that happens. However, this is a broad overview of the basic general requirements for the sound preservation of evidence, and these will differ—sometimes quite widely—depending on local or national legislation. One of the most challenging things about being a specialist in computer forensics is that computer crimes often have an international flavor, and it is not unheard of for an investigation to span several continents, let alone states within a given country.

For this reason, it is of the utmost importance to verify the local legislative requirements when it comes to the identification, collection, preservation, and analysis of digital forensic evidence, particularly if the case on which you are working is likely to end up in court.

Writing reports

As with the chain of custody/audit trail mentioned in the preceding section, the style of report writing will no doubt vary based on legislative demands, company or agency guidelines, and individual investigator style. Once again, it makes sense to have a good grounding in the basics of digital forensic report writing, so that you have a flexible skill set within which to work.

Reports may also differ significantly depending on who is going to end up reading them. If you are investigating a civil dispute, your final report will probably not be written in highly technical language and may just include an overview in layperson terms of the methodology used and what was uncovered. If you are going to be called into court as an expert witness however, then a higher level of technical detail and a more in-depth demonstration of your investigative processes will no doubt be needed.

Broadly speaking, most digital evidence reports should include the following:

  • Name, job title, and company of the senior investigating officer.
  • Name, job title, and company of the digital forensics examiner (if different from the preceding one).
  • A brief description of the case, including the nature of the activities under investigation.
  • Name of the person or persons whose devices or data are under investigation.
  • Start and end date of the investigation.
  • Methodology used throughout the investigation, including but not limited to how evidence was identified, collected, preserved, and analyzed. This may also include details of any tools and processes used, as well as a copy of the chain of custody.
  • An overview of the results of the investigation in line with the original activities specified at the beginning of the report, as well as any other relevant information that was uncovered in the course of the investigation.
  • Screenshots, printouts, or other evidential items that demonstrate the results of the case.
  • An analysis of the results, including any conclusions regarding guilt or innocence of the accused party.
  • Any appendices, glossaries, or other information that may prove useful to the reader of the report.

Many forensic tools will generate their own reports in either digital or printable formats, in a number of different styles such as PDFs, Excel documents, or Word files. Some software packages, such as Nuix's Investigator Suite, include add-ons like Web Review and Analytics, which allow for multiple users to view or work on the same case. This can be very useful during an investigation, as it allows an administrator or senior investigator to allocate certain roles within a case, but it can also come in handy when compiling reports. Some users can be given access only to the final report, which they can enter into and look at the results that have been found and compiled into user-friendly graphs; if they have the correct permissions, they can then also take a further look at the evidence from this. The following diagram shows the dashboard of the Nuix Web Review and Analytics interface, which allows users to view and manage evidence in a forensic investigation.

Digital forensic investigation - an international field

As we have briefly discussed, one of the biggest challenges encountered by digital forensic investigators, whether in criminal or civil cases is the international nature of their investigative scope.

When investigating cases such as DDoS attacks (where a person or group of people flood a website or machine with requests in order to stop it from functioning), online credit card details theft, or bank fraud for example, it is likely that an investigator may find their suspects scattered all around the world. In a recent case involving the live streaming of child abuse from the Philippines, one of the main problems the investigators ran into was that the people who were watching the live streamed content were also subjects for investigation, but they were spread internationally and were difficult to track down due to so many of them using various methods of obfuscation. Laws around the world differ too: legislation in one country may create a legal loophole that causes havoc for a case and has implications on whether it is eventually brought to a conclusion or shelved.

The increasingly globalised nature of crime means that this is a problem we cannot ignore - it is not something that is going to go away. On the contrary, it looks set to only grow further with each passing year. Nowadays, our data is stored in the cloud—Nowadays, our data is stored in the cloud; people we interact with aren't just those we have met in real life, but instead people we would have previously termed strangers now increasingly form the basis of our social interactions; our bank accounts are accessible from almost anywhere in the world, often in multiple currencies. It is difficult enough to trace the actions and data trail of a single individual who is merely living life in the 21st century, let alone to attempt to investigate a large group of people, spread across diverse physical locations, who are making deliberate and sustained attempts to obfuscate data and hide themselves from view.

Strides ahead are being made, however. Various projects have sprung up over recent years which aim to address the specific challenges brought up by international investigations. One example is the EVIDENCE Project coordinated by Maria Angela Biasotti, an Italian lawyer who, in collaboration with colleagues across Europe, is seeking to develop a common understanding of electronic evidence and a more globally viable way of collaborating between territories, as well as a more standardized criminal investigation procedure around the world.

A laudable goal, and one that the EVIDENCE Project at least is moving swiftly towards; at the time of writing, a test implementation between several member countries is on the cards. However, at the moment, investigators are still faced with having to work on cases that have international data sources and implications.

What can we do to make things easier for ourselves in the meantime?

Scoping out a case before taking it on is good practice regardless of its size or relative importance, but this becomes even more pertinent when international factors might be involved. These may have an impact on the time it takes to acquire evidence: for example, if you are looking to extract data from a server in another country, or even another state, you will need at least a basic understanding of the requirements necessary to gain access to it, and indeed whether this is even possible in the first place.

It is, of course, impossible to have an in-depth understanding of the various bits of legislation that are relevant to digital forensic investigations around the world. In reality, the best an investigator can do is to verse themselves as fully as possible in the laws of their own local area, and then seek advice when the need arises to work across borders.

Beyond the legislative elements, however, there are also the more mundane aspects of international investigation, such as linguistic analysis. Keyword searches are often where an investigation starts, or at least fall somewhere near the beginning—but if your case spans a multitude of countries, you may well end up at a loss for keywords.

Most of the larger digital forensics solutions, such as EnCase and Nuix Investigator, have multilingual keyword abilities built in, which is a huge help. Some can even scan the evidence you enter for you, and then bring back an analysis of the languages used within the case. You can then use this to form the basis of your investigation and to inform future searches. Slang is still a problem for many though, and criminals are increasingly becoming wise to this. While a thesaurus can bring back a number of synonyms for a given term relating to drug abuse, the exploitation of children, or financial fraud, it may not be able to include all the less formal terms people are using in their discussions.

Progress is being made, however, and much of the air time at digital forensics conferences and research groups is devoted to how we as investigators can increase collaboration and make it easier to investigate global cases.

Challenges of acquiring digital evidence from Windows systems

One of the challenges of investigating Windows machines is the way that NTFS is set up. This means that it can be difficult to work out whether what you're looking at refers to a general property of the file system, or to a property that is specific to an application. The further along in your investigative career you are of course, the more adept you will become at making such distinctions, however, it is worth bearing in mind particularly for early career investigators.

Beyond the basic filesystem challenges, the way in which Windows systems are constantly updating can bring up further obstacles to digital forensic investigations. What worked on a machine running Windows 7 may not work on one that's running Windows 8.1; Windows 10 is a minefield of new and intriguing forensic elements (not to mention the increased privacy concerns it has brought up, leading to a rise in the number of users who are implementing their own data obfuscation and personal privacy measures). And heaven forbid you end up with a machine so old that modern forensic software has forgotten how to analyze it!

The way Windows 10 runs is of particular interest to forensic examiners, not just because it is being forcibly rolled out to users everywhere, but also because the structure of how things are organised has changed significantly. We will look at this in more detail towards the end of this book, where a full chapter will be devoted to the forensic analysis of machines running Windows 10, but broadly speaking, the difference from a forensic perspective comes from the fact that applications and programs don't just have different names; they work in a slightly different way. End users are increasingly looking for more lightweight, quick to run devices that make their work and personal lives easier, which means that, in turn, technology companies such as Microsoft are turning to collaborations with other entities and making the personal computer less of a single, standalone piece of equipment and more of a portal to data stored elsewhere. It is quite possible to seize a device where the documents are stored on Google Drive; voice and video call communications on Skype; Instagram is an application accessed on the PC rather than - or as well as - on a smartphone; Facebook isn't a website visited via an internet browser but an application in its own right.

Notwithstanding the legal challenges concerning international cloud data storage that we have already discussed, having such a wealth of separate applications to analyze makes cases much more complex. The fact that users can also add or create their own programs makes for an increasingly complex and often labyrinthine investigative methodology.

For this reason, it is becoming more and more necessary to narrow down an investigation as quickly as possible, working out which kinds of applications and services a user may require to perform the activity for which they are being investigated. Again, this is not always easy to do; we can but try!

Triage, international collaboration, and the technical understanding of investigators are all of paramount importance to digital forensic investigations, now more than ever before. In the Windows Forensics Cookbook, we hope to give you a base upon which you can build your own investigative techniques.

Left arrow icon Right arrow icon

Key benefits

  • Prepare and perform investigations using powerful tools for Windows,
  • Collect and validate evidence from suspects and computers and uncover clues that are otherwise difficult
  • Packed with powerful recipes to perform highly effective field investigations

Description

Windows Forensics Cookbook provides recipes to overcome forensic challenges and helps you carry out effective investigations easily on a Windows platform. You will begin with a refresher on digital forensics and evidence acquisition, which will help you to understand the challenges faced while acquiring evidence from Windows systems. Next you will learn to acquire Windows memory data and analyze Windows systems with modern forensic tools. We also cover some more in-depth elements of forensic analysis, such as how to analyze data from Windows system artifacts, parse data from the most commonly-used web browsers and email services, and effectively report on digital forensic investigations. You will see how Windows 10 is different from previous versions and how you can overcome the specific challenges it brings. Finally, you will learn to troubleshoot issues that arise while performing digital forensic investigations. By the end of the book, you will be able to carry out forensics investigations efficiently.

Who is this book for?

If you are a forensic analyst or incident response professional who wants to perform computer forensics investigations for the Windows platform and expand your took kit, then this book is for you.

What you will learn

  • Understand the challenges of acquiring evidence from Windows systems and overcome them
  • Acquire and analyze Windows memory and drive data with modern forensic tools.
  • Extract and analyze data from Windows file systems, shadow copies and the registry
  • Understand the main Windows system artifacts and learn how to parse data from them using forensic tools
  • See a forensic analysis of common web browsers, mailboxes, and instant messenger services
  • Discover how Windows 10 differs from previous versions and how to overcome the specific challenges it presents
  • Create a graphical timeline and visualize data, which can then be incorporated into the final report
  • Troubleshoot issues that arise while performing Windows forensics
Estimated delivery fee Deliver to Taiwan

Standard delivery 10 - 13 business days

$12.95

Premium delivery 5 - 8 business days

$45.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Aug 04, 2017
Length: 274 pages
Edition : 1st
Language : English
ISBN-13 : 9781784390495
Vendor :
Microsoft
Category :
Concepts :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to Taiwan

Standard delivery 10 - 13 business days

$12.95

Premium delivery 5 - 8 business days

$45.95
(Includes tracking information)

Product Details

Publication date : Aug 04, 2017
Length: 274 pages
Edition : 1st
Language : English
ISBN-13 : 9781784390495
Vendor :
Microsoft
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 141.97
Mobile Forensics Cookbook
$43.99
Windows Forensics Cookbook
$48.99
Digital Forensics and Incident Response
$48.99
Total $ 141.97 Stars icon
Banner background image

Table of Contents

12 Chapters
Digital Forensics and Evidence Acquisition Chevron down icon Chevron up icon
Windows Memory Acquisition and Analysis Chevron down icon Chevron up icon
Windows Drive Acquisition Chevron down icon Chevron up icon
Windows File System Analysis Chevron down icon Chevron up icon
Windows Shadow Copies Analysis Chevron down icon Chevron up icon
Windows Registry Analysis Chevron down icon Chevron up icon
Main Windows Operating System Artifacts Chevron down icon Chevron up icon
Web Browser Forensics Chevron down icon Chevron up icon
Email and Instant Messaging Forensics Chevron down icon Chevron up icon
Windows 10 Forensics Chevron down icon Chevron up icon
Data Visualization Chevron down icon Chevron up icon
Troubleshooting in Windows Forensic Analysis Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Full star icon 5
(2 Ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Andrew R. Singleton Jun 25, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book will quickly guide you on how to do forensics on each piece of windows. Both open source and commercial software examples are provided.
Amazon Verified review Amazon
Semper_PatsFan Sep 20, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Great book for entry level professionals.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela