
Executing windows command line investigations : while ensuring evidentiary integrity / Chet Hosmer, Joshua Bartolomie, Rosanne Pelli ; cover designer, Mark Rogers.

O'Reilly Online Learning: Academic/Public Library Edition Available online

Format:
Book
Author/Creator:
Hosmer, Chet, author.
Bartolomie, Joshua, author.
Pelli, Rosanne, author.
Contributor:
Rogers, Mark, book designer.
Language:
English
Subjects (All):
Microsoft Windows (Computer file)--Handbooks, manuals, etc.
Microsoft Windows (Computer file).
Command languages (Computer science).
Command languages (Computer science)--Handbooks, manuals, etc.
Operating systems (Computers)--Handbooks, manuals, etc.
Operating systems (Computers).
Physical Description:
1 online resource (230 pages) : illustrations (some color), tables, graphs
Edition:
First edition.
Place of Publication:
Amsterdam, [Netherlands] : Syngress, 2016.
System Details:
text file
Summary:
The book Executing Windows Command Line Investigations targets the needs of cyber security practitioners who focus on digital forensics and incident response. These are the individuals who are ultimately responsible for executing critical tasks such as incident response; forensic analysis and triage; damage assessments; espionage or other criminal investigations; malware analysis; and responding to human resource violations. The authors lead readers through the importance of the Windows CLI, as well as its optimal configuration and usage. Readers will then learn the importance of maintaining evidentiary integrity and evidence volatility, and gain appropriate insight into methodologies that limit the potential of inadvertently destroying or otherwise altering evidence. Next, readers will be given an overview of how to use the proprietary software that accompanies the book as a download from the companion website. This software, called Proactive Incident Response Command Shell (PIRCS) and developed by Harris Corporation, provides an interface similar to that of a Windows CLI that automates the evidentiary chain of custody and reduces human error and documentation gaps during incident response. Includes a free download of the Proactive Incident Response Command Shell (PIRCS) software. Learn about the technical details of the Windows CLI so you can directly manage every aspect of incident response evidence acquisition and triage, while maintaining evidentiary integrity.
Contents:
Front Cover
Executing Windows Command Line Investigations: While Ensuring Evidentiary Integrity
Copyright
Dedication
Contents
Biography
Foreword
Preface
Acknowledgments
Harris Corporation
Chapter 1: The impact of Windows Command Line investigations
Introduction
Cybercrime Methods and Vulnerabilities
Novel Vulnerabilities
Cyber Criminals Use the Windows Command Line
Turning the Tables
Organization of the Book
Chapter 1 Review
Chapter 1 Summary Questions
Additional Resources
Chapter 2: Importance of digital evidence integrity
The Importance of Digital Evidence Integrity
Digital Integrity Mechanisms
One-way cryptographic hashing
Hashing static evidence
Hashing volatile or live evidence
Searching for specific evidence
Hash types and origins
Digital signatures
Signature types and origins
Trusted time stamping
Summary
Chapter 2 Review
Chapter 2 Summary Questions
Chapter 3: Windows Command Line Interface
What is the Windows Command Line Interface?
Breaking Down Windows Commands by Investigation Processes
Windows CLI-starting a live investigation
Windows CLI-collecting vital system information
Capture important system information
Basic disk information
Basic network information
Windows CLI-collecting volatile evidence
Windows CLI-running processes and services
Windows CLI-active network activities
Windows CLI-event logs evidence capture
Windows CLI-collecting static evidence and quick searching
Alternate data streams
Windows CLI-ending a live investigation
Chapter 3 Review
Chapter 3 Summary Questions
Chapter 4: Operating the Proactive Incident Response Command Shell
PIRCS Operational Considerations
Preparing PIRCS for Portable Media
Step one: wipe the device
Step two: format the device
Step three: install PIRCS
PIRCS Basics
PIRCS Advanced Capabilities
Chapter 4 Review
Chapter 4 Summary Questions
Software Download Instructions
Chapter 5: Use cases
General Evidence Collection Guidelines
Locard's Principle
Order of Volatility
Tool Selection and Usage
Fundamental Digital Evidence Categories
Full Memory Capture
Capturing full RAM contents with Mandiant Memoryze
Initial Host Detail
Host name
Windows OS version
System time
Current network configuration
Currently logged on user
Initial host detail collection recommendation
Network Connections
Active connections
Network connection collection recommendation
Active Process, Services, and Scheduled Tasks Details
Windows Prefetch Files
Web Browser History
Windows Registry Data Collection
Windows Event Logs
File Listings
Use Case Examples
Spear Phishing Attack Scenario
Human resources violation scenario
Insider Data Exfiltration Scenario
Chapter 5 Review
Chapter 5 Summary Questions
Chapter 6: Future considerations
Windows 10.x
Windows Embedded
Advanced Automotive Technology
Raspberry Pi
Wearable Technology
New Command Line Applications
In Closing
Appendix A: Third-party Windows CLI tools
Appendix B: Windows CLI reference synopsis
Microsoft TechNet
Popular Commands for an Examination
Index
Back Cover
Notes:
Includes bibliographical references at the end of each chapter and an index.
Description based on print version record.
ISBN:
9780128092712
0128092718
OCLC:
958459770
