3 This Book's Structure
and countertactics as they emerged in the field. Specifically, this book is
organized into four parts:
■ Part I: Foundations
■ Part II: Postmortem
■ Part III: Live Response
■ Part IV: Summation
Once we've gotten the foundations out of the way, I'm going to start by
looking at the process of postmortem analysis, which is where anti-forensic
techniques originally focused their attention. Then the book will branch out
into more recent techniques that strive to undermine a live response.
Part I: Foundations
Part I lays the groundwork for everything that follows. I begin by offering a
synopsis of the current state of affairs in computer security and how anti-forensics
fits into this picture. Then I present an overview of the investigative
process and the strategies that anti-forensic technology uses to subvert
this process. Part I establishes a core framework, leaving specific tactics and
implementation details for later chapters.
Part II: Postmortem
The second part of the book covers the analysis of secondary storage (e.g.,
disk analysis, volume analysis, file system analysis, and analysis of an unknown
binary). These tools are extremely effective against an adversary who
has modified existing files or left artifacts of his own behind. Even in this day
and age, a solid postmortem examination can yield useful information.
Attackers have responded by going memory resident and relying on multistage
droppers. Hence, another area that I explore in Part II is the idea of the
Userland Exec, the development of a mechanism that receives executable
code over a network connection and doesn't rely on the native OS loader.
Part III: Live Response
The quandary of live response is that the investigator is operating in the same
environment that he or she is investigating. This means that a knowledgeable
intruder can interfere with the process of data collection and can feed