About Incidents
Let's start with a definition:
any event that is in violation of implicit or explicit policies
Of course, since "event" is a neutral noun, it needs some qualifiers; here it is defined in terms of policy, which is a bit abstract.
Characteristics
Local or Remote; Manual or Automatic
DebPloit is an example worth studying in depth later.
In the end, when something goes wrong on Windows, you go look at the logs. The first one mentioned here is the Windows Security Event Log: (example; the first one is a logon)
On Windows systems, an interactive logon (from the console) appears in the Security Event Log with an event identifier of 528 and a logon type of 2, according to Microsoft KnowledgeBase article 140714.
(example: removable storage devices)
System Event Log for entries with event ID 134. Such entries with an event source of "Removable Storage Service" indicate that a removable storage device (such as a USB thumb drive) had been attached to the system.
(example: clearing the log)
cleared the Security Event Log, an event ID 517 will be present
==> The conclusion is: go look at the Event Log; and this book teaches "how" to look, which is the important part. Wow, something I have wanted to research since three years ago has now been written up as a book...
I'll save the defensive techniques for when I need material to fill out a lecture.
(example: this time it even covers the remote case, very useful as a reference)
Unsuccessful attempts to log into a Windows system remotely will appear in the Security Event Log with event ID 529, and the description of the event will indicate a logon type 3 event. Should the attacker succeed at logging into a Windows 2000 or above system remotely, the event ID will be 540, and the logon type will remain 3.
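As an added example (not from the book or from this post), here is a small detection routine that applies the event IDs quoted above (528/2, 529/3, 540/3, 517, 134 from "Removable Storage Service") to constructed log records; the dict field names and the sample data are assumptions, not real log output.

```python
# Added example: classify legacy (Windows 2000/XP era) Security/System Event
# Log records by the event IDs listed in the notes, and flag the pattern
# "many failed network logons, then a successful one" for the same account.
# Records are constructed dicts; field names are assumed, not a real schema.
from collections import Counter

RULES = {
    (528, 2): "interactive logon (console)",
    (529, 3): "failed remote (network) logon",
    (540, 3): "successful remote (network) logon",
    (517, None): "Security Event Log cleared",
    (134, None): "removable storage device attached",
}

def classify(rec):
    """Return a label for one record, or None if no rule applies."""
    eid = rec["EventID"]
    # ID 134 only means a USB attach when the source is the Removable Storage Service.
    if eid == 134 and rec.get("Source") != "Removable Storage Service":
        return None
    return RULES.get((eid, rec.get("LogonType"))) or RULES.get((eid, None))

def remote_logon_triage(records, threshold=3):
    """Return (user, workstation) pairs with >= threshold 529/type-3 failures
    followed later by a 540/type-3 success: worth a closer look by the responder."""
    failures = Counter()
    flagged = []
    for rec in records:
        key = (rec.get("User"), rec.get("Workstation"))
        if rec["EventID"] == 529 and rec.get("LogonType") == 3:
            failures[key] += 1
        elif rec["EventID"] == 540 and rec.get("LogonType") == 3:
            if failures[key] >= threshold and key not in flagged:
                flagged.append(key)
    return flagged

# Constructed sample records (not real log data).
SAMPLE = [
    {"EventID": 528, "LogonType": 2, "User": "alice", "Workstation": "PC1"},
    {"EventID": 134, "Source": "Removable Storage Service"},
    {"EventID": 529, "LogonType": 3, "User": "admin", "Workstation": "WS9"},
    {"EventID": 529, "LogonType": 3, "User": "admin", "Workstation": "WS9"},
    {"EventID": 529, "LogonType": 3, "User": "admin", "Workstation": "WS9"},
    {"EventID": 540, "LogonType": 3, "User": "admin", "Workstation": "WS9"},
    {"EventID": 517},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["EventID"], classify(r))
    print("review these accounts:", remote_logon_triage(SAMPLE))
```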
==> netcraft can find out "What's that site running?..." on the attacker's behalf, so it achieves partial stealth.
In short, the remote case comes down to three steps: 1. gather information, 2. list targets and build the mapping table, 3. attack.
Conclusion: attacking is easy!