Mastering Windows Network Forensics and Investigations fills an interesting niche not well addressed in the pantheon of digital forensics resources. The material is well suited for beginning and intermediate forensic examiners looking to better understand network artifacts and go beyond single-system forensics. I highly recommend it for system administrators looking for a different perspective on network security or those interested in designing networks to be forensics-friendly. That said, the topics covered do not fit within the classical definition of network forensics. A more apt title might be Mastering Incident Response Forensics and Investigations.
This is the first book I have read in the Sybex Mastering series, and I was impressed with the writing, research, and editing. The authors blended dense material with relevant examples and insightful and engaging text boxes. Some of my favorite “side” topics were:
- “Cross-platform Forensic Artifacts”
- “Registry Research”, illustrating the use of Procmon for application footprinting
- “Time is of the Essence”, explaining fast forensics using event logs and the registry
The book begins with four chapters familiarizing the reader with Windows networking. While this may slow down those hungry for forensics topics, they are replete with information. Windows domains, hacking methodology, and Windows credentials are all described in these early chapters. Amazingly, this is the first forensics book I have read containing a discussion of the NTDS.DIT Active Directory database file, perhaps the most dangerous file in the enterprise. While there were probably too many pages spent on password sniffing and cracking, I recognize it is beneficial to understand the risks and I commend the authors for also mentioning pass the hash and token stealing attacks. It would have been valuable to see these same attacks identified later in the book via Windows registry and log artifacts. Continue Reading…