Executing Windows Command Line Investigations targets cyber security practitioners that focus on digital forensics and incident response. These are the individuals that are ultimately responsible for executing critical tasks such as incident response; forensic analysis and triage; damage assessments; espionage or other criminal investigations; malware analysis; and responding to human resource violations.
The authors lead readers through the importance of Windows CLI, as well as optimal configuration and usage. Readers will then learn the importance of maintaining evidentiary integrity, evidence volatility, and appropriate insight into methodologies that limit the potential of inadvertently destroying or otherwise altering evidence. Next, readers will be given an overview on how to use the proprietary software that accompanies the book as a download from the companion website. This software, called Proactive Incident Response Command Shell (PIRCS), developed by Harris Corporation provides an interface similar to that of a Windows CLI that automates evidentiary chain of custody and reduces human error and documentation gaps during incident response.
- Includes free download of Proactive Incident Response Command Shell (PIRCS) software
- Learn about the technical details of Windows CLI so you can directly manage every aspect of incident response evidence acquisition and triage, while maintaining evidentiary integrity.
Arvustused
"Executing Windows Command Line Investigations is a leading edge book that targets digital forensics investigations and incident response. The book clearly lays out the technical details of the Windows CLI so you can directly manage every aspect of cyber evidence acquisition and triage, while maintaining data evidence integrity and chain of custody. This is a must read for cyber security practitioners and students!" --Joe Giordano, Utica College
"This book is an excellent reference for all levels of incident responders and covers essential techniques for responding to modern cyber security threats." --Mark Bilanski, Incident Response Manager
Muu info
The only book that covers Windows Command Line Interface for forensic and incident response evidentiary triage.
| Biography |
|
xi | |
| Foreword |
|
xiii | |
| Preface |
|
xv | |
| Acknowledgments |
|
xvii | |
| Harris Corporation |
|
xix | |
|
Chapter 1 The Impact of Windows Command Line Investigations |
|
|
1 | (10) |
|
|
|
1 | (6) |
|
Cybercrime Methods and Vulnerabilities |
|
|
2 | (1) |
|
|
|
3 | (2) |
|
Cyber Criminals Use the Windows Command Line |
|
|
5 | (2) |
|
|
|
7 | (1) |
|
|
|
7 | (2) |
|
|
|
9 | (1) |
|
Chapter 1 Summary Questions |
|
|
9 | (1) |
|
|
|
9 | (2) |
|
Chapter 2 Importance of Digital Evidence Integrity |
|
|
11 | (18) |
|
|
|
11 | (15) |
|
The Importance of Digital Evidence Integrity |
|
|
11 | (2) |
|
Digital Integrity Mechanisms |
|
|
13 | (13) |
|
|
|
26 | (1) |
|
|
|
26 | (1) |
|
Chapter 2 Summary Questions |
|
|
26 | (1) |
|
|
|
27 | (2) |
|
Chapter 3 Windows Command Line Interface |
|
|
29 | (66) |
|
|
|
29 | (63) |
|
What is the Windows Command Line Interface? |
|
|
30 | (8) |
|
Breaking Down Windows Commands by Investigation Processes |
|
|
38 | (54) |
|
|
|
92 | (1) |
|
Chapter 3 Summary Questions |
|
|
92 | (1) |
|
|
|
93 | (2) |
|
Chapter 4 Operating the Proactive Incident Response Command Shell |
|
|
95 | (26) |
|
|
|
95 | (23) |
|
PIRCS Operational Considerations |
|
|
97 | (2) |
|
Preparing PIRCS for Portable Media |
|
|
99 | (6) |
|
|
|
105 | (8) |
|
PIRCS Advanced Capabilities |
|
|
113 | (5) |
|
|
|
118 | (1) |
|
Chapter 4 Summary Questions |
|
|
118 | (1) |
|
|
|
119 | (2) |
|
|
|
121 | (48) |
|
|
|
121 | (2) |
|
General Evidence Collection Guidelines |
|
|
123 | (3) |
|
|
|
124 | (1) |
|
|
|
124 | (1) |
|
|
|
125 | (1) |
|
Fundamental Digital Evidence Categories |
|
|
126 | (31) |
|
|
|
127 | (2) |
|
|
|
129 | (7) |
|
|
|
136 | (6) |
|
Active Process, Services, and Scheduled Tasks Details |
|
|
142 | (5) |
|
|
|
147 | (2) |
|
|
|
149 | (1) |
|
Windows Registry Data Collection |
|
|
150 | (4) |
|
|
|
154 | (2) |
|
|
|
156 | (1) |
|
|
|
157 | (8) |
|
Spear Phishing Attack Scenario |
|
|
158 | (5) |
|
Insider Data Exfiltration Scenario |
|
|
163 | (2) |
|
|
|
165 | (1) |
|
|
|
165 | (1) |
|
Chapter 5 Summary Questions |
|
|
166 | (1) |
|
|
|
166 | (3) |
|
Chapter 6 Future Considerations |
|
|
169 | (8) |
|
|
|
169 | (7) |
|
|
|
170 | (1) |
|
|
|
170 | (1) |
|
Advanced Automotive Technology |
|
|
171 | (1) |
|
|
|
172 | (2) |
|
|
|
174 | (1) |
|
New Command Line Applications |
|
|
174 | (2) |
|
|
|
176 | (1) |
|
|
|
176 | (1) |
| Appendix A Third-Party Windows CLI Tools |
|
177 | (14) |
| Appendix B Windows CLI Reference Synopsis |
|
191 | (14) |
| Index |
|
205 | |
Chet Hosmer serves as an Assistant Professor of Practice at the University of Arizona in the Cyber Operations program, where he is teaching and researching the application of Python and Machine Learning to advanced cybersecurity challenges. Chet is also the founder of Python Forensics, Inc. a non-profit organization focused on the collaborative development of open-source investigative technologies using Python and other popular scripting languages. Chet has made numerous appearances to discuss emerging cyber threats including NPR, ABC News, Forbes, IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com, and Wired Magazine. He has 7 published books with Elsevier and Apress that focus on data hiding, passive network defense strategies, Python Forensics, PowerShell, and IoT. Joshua Bartolomie (CISSP, CRISC, DFCP, CEECS, CFCE) has 20 years of technical and management experience within the information technology and cyber security domains. Joshua has contributed to and managed programs that range from teaching digital forensics to designing, implementing, and managing cutting edge Security Operations Centers and Incident Response Teams. Mr. Bartolomie is an active participant in multiple information sharing and collaborative consortiums and has presented at numerous cyber security forums, conferences, and venues. In his current role, Joshua is responsible for translating corporate business strategies, environmental conditions, infrastructure requirements, and industry best practices into strategic cyber security designs and architectural roadmaps. Joshua holds a Masters Degree in Information Assurance from Norwich University and a Bachelors of Science in Digital and Computer Forensics from Champlain College. Ms. Rosanne Pelli, is a certified Project Management Professional (PMP) through the Project Management Institute (PMI) and CompTIA Security+ professional with Harris Corporation. She has over ten years of experience in the coordination, programmatic oversight and management of US government contracts as well as Harris Secure-U Training Program. During her years of experience, Ms. Pelli has assisted in the management and coordination of various government contracts that focused on the identification and analysis of emerging cyber threats; evaluation and transition of cyber security technologies for tactical use by the cyber security community; technical assistance to federal, state and local law enforcement communities; development and maintenance of a virtual cyber security training portal; and the development, coordination and execution of various national and international cyber security training initiatives.
