Windows Forensics

Dr. Philip Polstra

  • Publisher: CreateSpace Independ
  • Publication date: 2016-07-16
  • Price: $1,870
  • VIP price: $1,777 (95% of list price)
  • Language: English
  • Pages: 554
  • Binding: Paperback
  • ISBN: 1535312432
  • ISBN-13: 9781535312431


Product description

Windows Forensics is the most comprehensive and up-to-date resource for those wishing to leverage the power of Linux and free software in order to quickly and efficiently perform forensics on Windows systems. It is also a great asset for anyone who would like to better understand Windows internals.

Windows Forensics will guide you step by step through the process of investigating a computer running Windows. Whatever the reason for performing forensics on a Windows system, be it incident response, a criminal investigation, suspected data exfiltration, or data recovery, this book will tell you what you need to know in order to perform the vast majority of investigations. All of the tools discussed in this book are free, and most are also open source.

Dr. Philip Polstra shows how to leverage numerous tools such as Python, shell scripting, and MySQL to quickly, easily, and accurately analyze Windows systems. While readers will have a strong grasp of Python and shell scripting by the time they complete this book, no prior knowledge of either of these scripting languages is assumed. Windows Forensics begins by showing you how to determine if there was an incident with minimally invasive techniques. Once it appears likely that an incident has occurred, Dr. Polstra shows you how to collect data from a live system before shutting it down for the creation of filesystem images.

Windows Forensics contains extensive coverage of the Windows FAT and NTFS filesystems. A large collection of Python and shell scripts for creating, mounting, and analyzing filesystem images is presented in this book. The treasure trove of data found in the Windows Registry and other artifacts is discussed in detail. Dr. Polstra introduces readers to the exciting new field of memory analysis using the Volatility framework. A discussion of malware analysis rounds out the book.

Book Highlights

  • 554 pages in large, easy-to-read 8.5 x 11 inch format
  • Over 11,000 lines of Python scripts with explanations
  • Over 500 lines of shell and command scripts with explanations
  • A 96-page chapter covering the FAT filesystem in detail
  • A 164-page chapter on NTFS filesystems
  • Multiple scenarios described in detail with images available from the book website
  • All scripts and other support files are available from the book website
