Forensics 101, Network Forensics

Book Review: Mastering Windows Network Forensics & Investigations

Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources.  The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics.  I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly.  That said, the topics covered do not fit within the classical definition of network forensics.  A more apt title might be Mastering Incident Response Forensics and Investigations.

This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing.  The authors blended dense material with relevant examples and insightful and engaging text boxes.  Some of my favorite “side” topics were:

  • “Cross-platform Forensic Artifacts”
  • “Registry Research”, illustrating the use of Procmon for application footprinting
  • “Time is of the Essence”, explaining fast forensics using event logs and the registry

Mastering Windows Network Forensics and InvestigationThe book begins with four chapters familiarizing the reader with Windows networking.  While this may slow down those hungry for forensics topics, they are replete with information.  Windows domains, hacking methodology, and Windows credentials are all described in these early chapters.  Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise.  While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks.  It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts.

My only real complaint is the book tackles a very expansive subject and tries to do it all.  For instance, memory analysis easily deserves its own chapter, but it is lumped together with live response.  In other cases, such as log review and registry analysis, an appropriate number of pages were allotted to give the topics fair coverage.  The event log coverage was excellent; a difficult and prosaic topic was explained in simple terms and with just the right amount of depth.  I enjoyed the coverage of event log internals and Steve Bunting’s contributions were evident in the section on repairing corrupted logs.  One of my favorite sections included the recovery of event log fragments from free space.  This is a critical skill with no “easy button”.  Recovery of both .Evt and .Evtx files was demonstrated, with the .Evtx information representing the state of the art for a difficult problem.

Both free and commercial tools were discussed throughout the book, including those from Splunk, SysInternals, Guidance Software and AccessData.  A pleasant surprise was “Appendix B: Test Environments”, which included a complete listing of tools discussed and a section-by-section overview of system setup requirements to follow along with major examples in the book.

Even with brief coverage of some topics, there was still enough meat in most chapters to benefit nearly any forensic investigator.  The chapters on the Windows registry were excellent and had space for rarely talked about advanced concepts like volatile hives, registry redirection and reflection, and registry virtualization.  The investigative uses of XP Restore Points and Windows 7 Shadow Volumes tied in nicely with other topics.  I also give kudos to the authors for the best overview of Windows auto-run locations I have seen in print.

The new chapter on virtualization and cloud forensics is a good addition.  While I would have liked to see several chapters (or an entire book) on the topic, I was pleased to see the information went beyond the typical cloud-based storage artifacts that often substitute for a real discussion of the inherent challenges.  Live response and data acquisition in virtualized environments like VMWare ESX was covered, and an intelligent discussion on how to prepare for collecting cloud data was started.

In this second edition (released in June 2012), it is obvious the authors took pains to include the most current information available.  Windows 7, Server 2008R2, and their associated artifacts are discussed extensively.  Guidance Software’s EnCase v7 and Volatility 2.0 are both introduced.  There are even references to computer crime cases occurring in 2012.

Overall, I found the book to be a good read with few problems.  It provides an excellent introduction to a broad field.  I plan to recommend it to my digital forensics students.

Chad is currently an independent consultant and member of the SANS Institute forensic faculty where he co-authored the FOR408:Windows Forensics and FOR508:Advanced Forensics and Incident Response courses. You can find Chad at or on Twitter @chadtilbury.

About Chad Tilbury

Chad Tilbury has spent over twelve years responding to computer intrusions and conducting forensic investigations. During his service as a Special Agent with the Air Force Office of Special Investigations, he investigated a variety of computer crimes, including hacking, abduction, espionage, identity theft, and multi-million dollar fraud cases. Chad is currently an independent consultant and member of the SANS Institute forensic faculty where he co-authored the FOR408:Windows Forensics and FOR508:Advanced Forensics and Incident Response courses. You can find Chad at or on Twitter @chadtilbury.


No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,112 other followers

%d bloggers like this: