Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Windows Forensics Analyst Field Guide
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide: Engage in proactive cyber defense using digital forensics techniques

eBook
$27.98 $39.99
Paperback
$49.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Windows Forensics Analyst Field Guide

Introducing the Windows OS and Filesystems and Getting Prepared for the Labs

In our work and personal lives, we use multiple operating systems (OSs) on different devices, including our desktops, laptops, and smartphones, on a daily basis. To understand more about this concept, we will cover in-depth knowledge about what an OS is and then focus on the Windows OS, which is the most popular OS by far for personal and corporate needs.

In the world of technology, Windows has become the leading OS for PCs and other devices. Thus, having a comprehensive understanding of this OS and the insights it can provide during digital forensic investigations is crucial. This chapter aims to provide an overview of the fundamental concepts of digital forensics and incident response in the context of Windows OS. Moreover, the chapter also explores the concept of Volume Shadow Copy Service (VSS) and its significance in digital forensics. VSS is a crucial feature of Windows OSs that enables the creation of shadow copies of files and folders at a particular point in time. As a result, VSS serves as an essential source of information for forensic investigators, allowing them to reconstruct events and gather evidence from a particular moment in time.

Understanding the basic concept of OSs will significantly aid in gaining knowledge of what we are investigating as forensic examiners and what value we get from these artifacts.

In this chapter, we will cover the following topics:

  • What is a Microsoft OS?
  • The modern Windows OS and filesystems
  • Digital forensics and common terminology
  • Windows VSS
  • Preparing a lab environment

Technical requirements

In this chapter, we are going to prepare our environment for labs, so we need to be able to install a trial version of VMware or Oracle VirtualBox and an ISO file for Windows 10.

VMware is available here: https://www.vmware.com/mena/products/workstation-pro/workstation-pro-evaluation.html.

VirtualBox is available here: https://www.oracle.com/sa/virtualization/technologies/vm/downloads/virtualbox-downloads.html.

The Windows OS ISO is available here: https://www.microsoft.com/en-gb/software-download/windows10.

Important note

For lab preparation, if you are proceeding with the VMware product, please use the free 30-day trial or a legitimate product key.

What is a Microsoft OS?

As a forensic examiner, understanding the concept of an OS is crucial. Microsoft announced Windows for the first time on November 10, 1983, as a graphical user interface (GUI) that provided users with a friendly interface and layer to interact with the command-line-based MS-DOS code that was released previously. This started a new era for user interfaces and made it easy for people who did not know how to interact with a disk operating system (DOS) to work and learn with computers.

According to the latest articles and research, a Windows OS is installed on almost 76% of devices across the globe (desktop and laptop). The desktop OS market share is illustrated in Figure 1.1:

Figure 1.1 – Desktop OS market share

Figure 1.1 – Desktop OS market share

As we can see in the preceding chart, Microsoft OSs dominate the market for desktops and laptops. Microsoft developed multiple versions of the Windows OS including Windows NT, Windows NT 3.1, and most famously, Windows XP, to name a few.

We now know that the Windows OS is one of the most widely used OSs in the world, providing an interface between the user and the computer hardware. The main components of the Windows OS are the kernel, drivers, system utilities, and user-mode components. In this part of the book, we will take a closer look at each of these components and their roles in how the Windows OS functions:

  • Kernel: The kernel is the core component of a Windows OS. It is responsible for managing the system’s resources, such as memory, process scheduling, and input/output operations. The kernel also provides an interface between the user-mode components and the hardware. The Windows OS uses a hybrid kernel that combines the features of a microkernel and a monolithic kernel. The microkernel approach provides a small, secure, and stable kernel that is responsible for managing the basic system resources. The monolithic kernel approach provides a single, large, and complex kernel that is responsible for managing both basic system resources and more advanced features, such as device drivers.
  • Drivers: Drivers are software components that allow an OS to interact with a computer’s hardware. They act as intermediaries between the OS and the hardware, translating the requests from the OS into instructions that the hardware can understand. A Windows OS includes a wide range of drivers, including device drivers, filesystem drivers, and network drivers.
  • System utilities: System utilities are software components that provide basic functionality to an OS. They are responsible for tasks such as disk defragmentation, disk cleanup, and system backup and restore. Some of the most commonly used system utilities in a Windows OS include Task Manager, Control Panel, and File Explorer.
  • User-mode components: User-mode components are software components that provide a user interface to an OS. They allow users to interact with the OS and perform tasks such as creating, editing, and deleting files, launching applications, and accessing system settings. Some of the most commonly used user-mode components in the Windows OS include the Start menu, the desktop, and the taskbar.
  • Security component: A Windows OS plays a critical role in protecting a user’s data and the system itself from various threats such as viruses, malware, and hacking attacks. There are several security components and functionalities in the Windows OS that work together to provide a secure environment for users, such as the following:
    • User Account Control (UAC): UAC is a feature in Windows OSs that helps prevent users from making unauthorized changes to the system by requiring them to enter their credentials beforehand. This helps prevent malicious software from making unauthorized changes to the system, such as installing malware or modifying system settings.
    • Windows Defender: Windows Defender is a built-in antivirus software that provides real-time protection against malware and other threats. It uses a combination of signature-based detection and heuristics-based detection to identify and remove malware, and it also provides regular updates to keep its threat definitions up-to-date.
    • Windows Firewall: The Windows Firewall is a network security system that helps protect a system from unauthorized access by controlling incoming and outgoing network traffic. It provides a range of configuration options, including the ability to block incoming traffic, allow outgoing traffic, and create rules to allow or block specific traffic.
    • BitLocker: BitLocker is a full-disk encryption feature that helps protect user data by encrypting an entire hard drive. It provides a secure environment for sensitive data and helps prevent unauthorized access to data if a system is lost or stolen. This is one of the challenges we face as forensic investigators; if an acquired image is encrypted, then a decryption key is needed to perform memory forensics.
    • Security Accounts Manager (SAM): SAM is a component of a Windows OS that manages user accounts and security policies. It is responsible for maintaining a database of user accounts and their associated security policies, such as password policies, account lockout policies, and access control lists.
    • Internet Explorer Security: Internet Explorer is the default web browser in a Windows OS, and it includes several security features to help protect users while browsing the web. These features include security zones, which allow users to specify the level of security for different websites, and ActiveX controls, which help prevent malicious software from being installed on the system.
    • SmartScreen Filter: SmartScreen Filter is a feature in a Windows OS that helps protect users from downloading and running malicious software by analyzing the contents of downloaded files and warning the user if the software is known to be malicious.
    • Windows Management Instrumentation (WMI): WMI is a set of tools and technologies that allow you to manage Windows-based computers. WMI can be used to automate administrative tasks, collect data about computers, and monitor computer health.

In addition to these main components, a Windows OS also includes a number of additional features and components such as the registry, the filesystem, and the security model. The registry is a database that stores information about the system configuration and the installed applications. The filesystem is responsible for organizing and managing files and directories on a computer’s hard drive. The security model is responsible for enforcing the system’s security policies and controlling access to the system’s resources.

One of the key strengths of a Windows OS is its compatibility with a wide range of hardware and software. This is achieved through the use of device drivers, which allow the OS to interact with a wide range of hardware devices such as printers, scanners, and digital cameras. The Windows OS also includes support for a wide range of filesystems, including New Technology File System (NTFS), File Allocation Table (FAT), Extensible File Allocation Table (exFAT), and Resilient File System (ReFS), making it easy for users to access their files and data on different types of storage media.

Another important feature of a Windows OS is its user-friendly interface. The OS includes a range of GUI elements such as icons, windows, and menus that make it easy for users to navigate and interact with the system. The Start menu provides a central location to access system utilities and installed applications, while the desktop provides a convenient workspace for performing tasks and accessing files and folders.

Understanding the Windows OS and its filesystem is crucial for forensic investigators. With the knowledge gained from this chapter, investigators will be able to effectively collect and analyze digital evidence.

In the next main section, we will delve into the history of the Windows OS, exploring its various versions and features and how they have evolved over time. This knowledge will provide a solid foundation for understanding the inner workings of the OS, which is essential for conducting thorough digital investigations.

The modern Windows OS and filesystems

In this section, we will cover multiple OSs introduced by Microsoft, as previously mentioned.

Windows XP

Windows XP is a widely used and well-known OS developed by Microsoft Corporation. It was first released on August 24, 2001, and was available in both Home and Professional editions. Windows XP was the successor to the popular Windows 98 and Windows 2000 OSs and was the first OS to feature the now-iconic Windows Start button and taskbar.

One of the most significant changes in Windows XP was its user interface. The new user interface was designed to be more user friendly and intuitive, making it easier for users to access and use their applications and files. The new interface included a Start button and taskbar that allowed users to quickly access their applications and files without having to navigate through complex menus. The Start menu was also redesigned to be more efficient and organized, with the ability to be customized by adding and removing items.

A significant additional feature of Windows XP was its improved support for hardware and software. Windows XP was designed to work well with new hardware technologies such as USB devices, digital cameras, and other multimedia devices. It also supported new software technologies such as .NET Framework, which allowed developers to create more powerful and sophisticated applications.

One more major change in Windows XP was its security features. Windows XP was designed to be more secure than previous versions of Windows, with improved support for firewalls, encryption, and other security features. It also included a built-in antivirus software called Windows Defender that helped protect users from malware and other security threats.

Another key feature of Windows XP was its networking capabilities. Windows XP was designed to be a more reliable and efficient network OS, making it easier for users to connect to the internet, networks, and other devices. It also included improved support for wireless networks, allowing users to easily connect to Wi-Fi networks and other wireless devices.

One of the most popular features of Windows XP was its multimedia capabilities. Windows XP was designed to be a more multimedia-friendly OS, with improved support for digital music and video, digital cameras, and other multimedia devices. It also included Windows Media Player, which allowed users to play music and videos, and Windows Movie Maker, which allowed users to create and edit their own videos.

Windows XP was also designed to be a more stable and reliable OS, with improved support for hardware and software. It included a number of performance improvements, such as faster boot times and improved system resource management, which helped make the OS more responsive and efficient.

Despite its many features and improvements, Windows XP was not without its flaws. Some users reported compatibility issues with older hardware and software, and the OS was also criticized for its security vulnerabilities, which were exploited by hackers and malware authors.

Despite these issues, Windows XP remained a popular OS for many years, with millions of users around the world relying on it for their daily computing needs. Microsoft continued to release updates and security patches for Windows XP, helping to address its security vulnerabilities and improve its performance.

We can say that Windows XP was a major milestone in the history of OSs, and its impact on the computing industry is still felt today. Its user friendly interface, improved hardware and software support, and multimedia capabilities helped make it one of the most widely used and well-loved OSs of all time. Although it has since been replaced by newer and more advanced OSs, Windows XP remains an important part of the computing world, and its legacy will continue to influence the future of OSs for years to come.

Windows Vista

Windows Vista, also known as Windows NT 6.0, was an advanced OS developed by Microsoft Corporation and released on January 30, 2007. It aimed to enhance the user experience, support newer hardware and software technologies, improve security and networking capabilities, and provide multimedia-friendly features to users.

One of the major changes in Windows Vista was its visually appealing user interface, which included the new Aero style with transparency and other visual effects. Additionally, Windows Vista improved support for new hardware and software technologies such as high-definition displays, multi-core processors, and the .NET Framework.

Moreover, Windows Vista was designed to be more secure than its predecessors, with enhanced support for firewalls, encryption, and security features such as UAC. UAC was a security feature introduced in Windows Vista. It was designed to help prevent unauthorized changes to the system by requiring user approval for any action that could potentially affect the system’s configuration or security.

It also boasted efficient networking capabilities, making it easier for users to connect to the internet, networks, and wireless devices.

Furthermore, Windows Vista was a more multimedia-friendly OS, with improved support for digital music, videos, cameras, and other multimedia devices. It included Windows Media Player and Windows Movie Maker, which enabled users to play and edit music and videos.

Despite its many features and improvements, Windows Vista was not without its flaws. Some users reported compatibility issues with older hardware and software, and the OS was also criticized for its performance and resource requirements that were often higher than those of its predecessor, Windows XP.

Despite these issues, Windows Vista remained a popular OS for many years, with millions of users around the world relying on it for their daily computing needs. Microsoft continued to release updates and security patches for Windows Vista, helping to address its performance and security issues.

It was an important milestone in the history of OSs, and its impact on the computing industry is still felt today. Its user friendly interface, improved hardware and software support, and multimedia capabilities helped make it one of the most advanced and sophisticated OSs of its time. Although it has since been replaced by newer and more advanced OSs, Windows Vista remains an important part of the computing world, and its legacy will continue to influence the future of OSs for years to come.

Windows 7, 8 and 8.1

Windows 7 was a widely used OS developed by Microsoft Corporation, and it was released to the public on October 22, 2009. Windows 7 was designed to be an improvement on its predecessor, Windows Vista, with a number of new features and improvements designed to make it easier and more efficient to use.

One of the most significant changes in Windows 7 was its improved performance. Windows 7 was designed to be faster and more responsive than Windows Vista, with a more streamlined and efficient design. This improved performance was achieved through a number of changes, including the use of a new filesystem, improved memory management, better support for hardware and software, and an improved user interface. Windows 7 was designed to be more user friendly and intuitive than Windows Vista, with a more refined and polished look and feel. The new interface included a new taskbar that made it easier to switch between applications and access frequently used files and folders. Moreover, Microsoft enhanced security on Windows 7; it was designed to be more secure than Windows Vista, with improved support for firewalls, encryption, and other security features, which helped protect users from malicious software and other security threats by requiring them to confirm any actions that could potentially harm the system.

One of the most popular features of Windows 7 was its improved networking capabilities. Windows 7 was designed to be a more reliable and efficient network OS, making it easier for users to connect to the internet, networks, and other devices. It also included improved support for wireless networks, allowing users to easily connect to Wi-Fi networks and other wireless devices.

Another key feature of Windows 7 was its multimedia capabilities. Windows 7 was designed to be a more multimedia-friendly OS, with improved support for digital music and video, digital cameras, and other multimedia devices. It also included Windows Media Player, which allowed users to play music and videos, and Windows Movie Maker, which allowed users to create and edit their own videos.

Windows 7 also had important implications for forensic investigations. The OS created various forensic artifacts including registry hives, system files, and event logs, which could be used by forensic investigators to uncover valuable information and evidence. By examining these artifacts, forensic investigators could gain insights into a user’s activities, identify any malicious software or security threats, and recover lost or deleted data.

The Windows 8 and 8.1 versions were released on October 26, 2012, with significant changes, including a Metro-designed user interface and optimization of touch-based devices such as tablets, also start screen that display all of the app as titles, and more.

Windows 10

Windows 10 was introduced to users on September 30, 2014. This was one of the best OSs and received positive feedback from end users, and it brought back a desktop-oriented interface. It also introduced multiple system security features such as multi-factor authentication (MFA).

This was a brief and general discussion about Windows OSs. We will not cover all aspects and features of OSs; however, you can check out Microsoft’s documentation for further details.

Important note

In this book, we will focus on Windows 10 artifacts; however, the same analysis steps can be applied to artifacts of previous Windows OS versions.

Figure 1.2 shows the start menu and apps in the GUI of Windows 10.

Figure 1.2 – Windows 10 interface and Start menu

Figure 1.2 – Windows 10 interface and Start menu

In the upcoming section, we will delve into the world of digital forensics and explore why this field is crucial for investigating and analyzing digital evidence.

Digital forensics and common terminology

In this section, we will delve into the basics of digital forensics by discussing the common terminology, types of investigations, and the overall process involved. This will deepen your understanding of a digital forensics life cycle and offer insights into each stage of the process. We will also take a closer look at how typical casework is carried out.

What is digital forensics?

Digital forensics, also known as computer forensics, is the branch of forensic science that deals with the preservation, collection, examination, and analysis of electronic data to investigate digital-related crimes and incidents. The goal of digital forensics is to uncover and recover evidence from digital devices such as computers, smartphones, and other electronic devices, and use this evidence in criminal and civil investigations.

Digital forensics is a multidisciplinary field that draws on expertise from various areas such as computer science, information technology, and law enforcement. Digital forensics experts use a variety of tools and techniques to perform their investigations including data acquisition, data analysis, and data visualization. They must be familiar with a wide range of OSs, software applications, and file formats, and must be able to navigate the intricacies of digital data storage and retrieval.

Digital forensics is used in a variety of contexts including cybercrime investigations, intellectual property disputes, civil litigation, and other legal proceedings. Digital evidence is often critical to the outcome of these cases, and digital forensics plays a key role in uncovering and preserving this evidence. Digital forensics is also used to determine the cause of security breaches and system failures, and to identify potential vulnerabilities in digital systems. In the modern era of technology, digital forensics is an important part of analyzing suspicious cybercriminal attacks with the objective of identifying them. The mitigation and eradication of threat actors is a critical aspect of the work performed by digital forensics and incident response engineers and consultants.

There are several types of computer forensics, each of which is used for specific purposes and requires different techniques and approaches. Some of the most common types of computer forensics include the following:

  • Criminal forensics: Criminal forensics is a type of computer forensics that is used in the investigation of criminal activities such as cybercrime, hacking, identity theft, and other digital-related crimes. Criminal forensics focuses on uncovering and preserving evidence that can be used to prosecute the individuals responsible for these crimes.
  • Civil forensics: Civil forensics is a type of computer forensics that is used in civil litigation such as intellectual property disputes, contract disputes, and other civil proceedings. Civil forensics focuses on uncovering and preserving evidence that can be used to support or refute a party’s claims in a legal case.
  • Incident response forensics: Incident response forensics is a type of computer forensics that is used to investigate and respond to security breaches and other incidents that impact the security and integrity of digital systems. Incident response forensics focuses on identifying the cause of the incident, assessing the extent of the damage, and developing a plan of action to prevent future incidents.
  • Network forensics: Network forensics is a type of computer forensics that focuses on the examination of network traffic and system logs in order to uncover evidence of security breaches, cyberattacks, and other network-related incidents. Network forensics involves the use of specialized tools and techniques to capture and analyze network traffic, and to identify and track the source of the incident.
  • Mobile forensics: Mobile forensics is a type of computer forensics that focuses on the preservation, collection, examination, and analysis of data stored on mobile devices such as smartphones and tablets. Mobile forensics is often used in criminal investigations but can also be used in civil and incident response forensics.
  • Live forensics: Live forensics is a type of computer forensics that involves the collection and analysis of data from a live computer system while it is still running. Live forensics is often used in incident response forensics, and it is considered a critical component of the incident response process because it can provide valuable insight into the state of a system at the time of an incident.
  • Memory forensics: Memory forensics is the branch of digital forensics that focuses on the examination of a computer’s volatile memory, or RAM. The goal of memory forensics is to uncover information that is stored in memory and to use this information to assist in the investigation of digital crimes and incidents. Memory forensics can be used to uncover information about system processes, network connections, and malicious activity, and is considered a critical component of the digital forensics process because it can provide valuable evidence that would otherwise be lost if a system were shut down. Memory forensics requires specialized tools and techniques to capture and analyze data stored in memory, and it is often used in conjunction with other forms of digital forensics to provide a comprehensive understanding of a digital incident.

Regardless of the type of computer forensics, the process typically involves several key phases, including the following:

  1. Preservation: The preservation phase involves the collection and preservation of evidence in a manner that ensures its authenticity and integrity. This often involves making a forensic image of the evidence and storing it in a secure location.
  2. Collection: The collection phase involves the acquisition of evidence, which may involve the use of specialized tools and techniques to capture data from the source. The collection phase is critical to the success of the investigation, as it is important to collect as much evidence as possible in order to ensure a comprehensive examination.
  3. Examination: The examination phase involves the analysis of evidence to uncover relevant information and identify potential sources.

The future of digital forensics is promising. The increasing reliance on digital technology in all aspects of our lives will continue to drive the need for forensics experts who can investigate and resolve digital crimes and incidents.

As technology continues to evolve, digital forensics will also need to adapt to new and emerging technologies. For example, cloud computing, the Internet of Things (IoT), and blockchain will all present new challenges and opportunities for digital forensics experts.

Artificial intelligence and machine learning are also expected to play a major role in the future of digital forensics. These technologies can be used to automate the process of data collection and analysis, making it faster, more efficient, and more effective.

With the increasing number of digital crimes and incidents, the demand for digital forensics experts is expected to continue to grow in the coming years. This provides a bright outlook for those interested in pursuing a career in this field.

A forensic analyst/examiner should have a great detailed understanding of the operating system to be able to identify the proper evidence related to incident or case he is working on, and document his finding based on analyzed evidence.

While we are conducting an examination of forensic artifacts, the main goal is to investigate digital crime, which is an illegal activity committed using a digital device such as a PC or mobile device, and extract the evidence via a proper forensic process to present it. Also, the evidence extracted needs to be preserved with integrity; in some cases, the examiner might need to recover evidence such as deleted files to justify an action or point to a suspected criminal.

As a forensic examiner or analyst, it is important to have a comprehensive understanding of various aspects of digital forensics, including the following:

  • Technical knowledge: A strong understanding of computer systems, software, and hardware is essential for a forensic examiner or analyst. This includes knowledge of OSs, filesystems, data storage, and networking concepts.
  • Legal knowledge: Forensic examiners need to be familiar with the laws and regulations that govern digital forensics, including privacy laws, data protection laws, and intellectual property laws. They also need to understand how to preserve the chain of custody of digital evidence and how to present evidence in a court of law.
  • Investigative techniques: Digital forensics is an investigative process, so it is important for forensic examiners to have a thorough understanding of the methods and techniques used in conducting a digital investigation. This includes knowledge of data collection, analysis, and preservation techniques, as well as the use of specialized tools and software.
  • Communication skills: Digital forensics is a complex and technical field, so it is important for forensic examiners to have strong communication skills in order to effectively explain their findings to others. This includes the ability to translate complex technical information into layman’s terms and to present findings clearly and concisely.
  • Professional ethics: Digital forensics involves access to sensitive and confidential information, so it is important for forensic examiners to understand and adhere to professional ethics and standards. This includes being impartial and unbiased in their analysis, maintaining confidentiality, and protecting the privacy of individuals.
  • Continuing education: Technology is constantly evolving, so it is important for forensic examiners to stay up-to-date with the latest developments and techniques in the field. This requires a commitment to ongoing learning and professional development.

By developing a deep understanding of these key areas, forensic examiners and analysts can become effective and professional in their work, contributing to the advancement of the field of digital forensics and providing valuable support to law enforcement and organizations in the fight against cybercrime.

Cybercriminals

Cybercriminals are individuals or groups who engage in illegal activities using digital technology. They use the internet, computer systems, and other digital technologies to carry out a variety of crimes including hacking, identity theft, fraud, extortion, and intellectual property theft. These individuals often operate in secret, making it difficult to detect and prevent their criminal activities. They can target individuals, organizations, and even entire governments, and can cause significant harm by stealing sensitive information, disrupting critical systems, or causing financial losses.

Digital forensic terminology

When working as a forensic examiner, you will, on a daily basis, encounter people talking about certain terms when it comes to investigation. Understanding the terminology helps us as examiners to communicate properly – for example, when we talk about a forensic image, what do we mean? Do we need a full image or a triage image? What are SSD and HDD?

In this section of the book, we will cover most of these terms. The following table lists some useful keywords for a digital forensic analyst:

Keyword

Description

Acquisition

The stage in a computer forensics investigation where the data involved is collected

Allocated space

The logical area on a hard disk or other media assigned to a file by the OS

Bit

The smallest unit of measurement used to quantify digital data

Bit-by-bit copy

A copy of every consecutive sector on a hard disk or other media, without regard to the allocation of data

Chain of custody

A detailed record of the handling and control of digital evidence from the time it is collected until it is presented in court; used to demonstrate the authenticity and integrity of the evidence and to establish the credibility of the investigation

Disk mirroring

When data is copied to another hard disk or another area on the same hard disk in order to have a complete, identical copy of the original

File carving

A process used to recover files and data from unallocated disk space or damaged filesystems; involves identifying and extracting complete files based on their unique file headers and footers

File format

The structure by which data is organized in a file

Forensic image

A forensically sound and complete copy of a hard drive or other digital media

Hash value

The numerical value of a fixed length that uniquely identifies data

Live analysis

The process of performing an on-the-spot analysis of digital media, rather than switching it off and shutting it down

Metadata

Data that is stored in a filesystem or the header of a file, and provides information about the file

Registry hives

Subfiles that make up a Windows registry; individual Windows user settings and some histories of usage are kept in various hives and can be updated as a computer is used

Steganography

Hiding information within a seemingly ordinary message so that only the intended recipient knows of its existence

Unallocated space

The free space on a hard drive that can be used to store data

Write block

Hardware and/or software methods to prevent the modification of content on a media storage unit, such as a CD or thumb drive

Table 1.1 – Terminologies for digital forensics

Important note

We will cover forensic artifacts of Windows separately in upcoming chapters. Each artifact will be explained and analyzed, so be prepared to be amazed by how rich Windows is when it comes to artifacts.

To become a great digital forensics examiner, you need to have a strong foundation in informatics and computer science. Many people, like me, started their careers on helpdesks, as computer technicians, or in IT security, where they gained familiarity with some of the tools needed to recover data. If you have similar experience, this book will help you prepare for your dream career as a digital forensics investigator.

The process of digital forensics

Like any other science branch, digital forensics has its own processes and procedures to follow. The following is a brief explanation of each step:

  1. Identification: This is the first step in the digital forensics process and involves identifying the need for a digital forensics investigation. This may be the result of cybercrime, such as hacking or data theft, or it may be part of a larger investigation, such as an internal audit or compliance review.
  2. Preparation and preservation: Before conducting any type of digital forensics investigation, it is important to prepare and plan for the process. This includes identifying the goals of the investigation, determining the scope of the investigation, and obtaining the necessary resources and equipment. It is also important to preserve evidence in its original form. This includes making copies of data and storing it in a secure and tamper-proof manner.
  3. Collection and evidence seizure: This is the first step in the actual investigation process. The goal of this phase is to preserve the evidence and prevent any potential modification or destruction of data. This can involve seizing physical devices, such as computers and storage media, or collecting data from a remote source, such as a cloud service.
  4. Examination and analysis: In this phase, the forensic examiner will examine the collected data in detail in order to identify relevant information and evidence. This may involve the use of various tools and techniques, including file carving, data extraction, and data analysis.
  5. Documentation and presentation: In some cases, a forensic examiner may be required to present their findings in a court of law or other legal proceedings. This requires clear and concise communication skills and the ability to explain complex technical information in a way that is easily understandable to non-technical audiences.

When conducting an investigation using the aforementioned process, taking detailed notes of each step and action is critical to ensuring that the evidence is not tampered with. Additionally, if another examiner is collaborating with you during the investigation, having detailed notes can facilitate effective communication and ensure that everyone is on the same page.

The five key steps of this process are illustrated in Figure 1.3:

Figure 1.3 – Digital forensics process steps

Figure 1.3 – Digital forensics process steps

Digital evidence

Digital evidence can be any form or type of digitalized file or media from an electronic source, including logs, files, social media posts, and much more.

Conducting a forensic examination requires knowledge of the technical concepts of digital evidence, such as computers. You need to know the main components and how they are structured, as well as the type of digital media to handle the evidence. In this book, we will cover some technical theory before jumping into practical analysis for each evidence type.

Some of the digital evidence types are as follows:

  • User activity generated in an endpoint
  • Documents and text files
  • Audio and video files, including CCTV
  • Digitalized images
  • Security control logs, such as IDS and PCAP
  • Digital file metadata

For example, let’s take metadata, which is data about data. Most digital files hold valuable information that adds forensic value to an investigation, such as who created a file, owner information, and creation time, as we can see in the following screenshot, which illustrates the use of ExifTool, which displays metadata for a file:

Figure 1.4 – ExifTool output for an executable Kroll Artifact Parser and Extractor (KAPE)

Figure 1.4 – ExifTool output for an executable Kroll Artifact Parser and Extractor (KAPE)

With the fast growth in technology and types of digital evidence, when dealing with different types of incidents and cases, we need to focus on the most important type of evidence. When collecting digital evidence, an examiner needs to know that they can lose data once a system is shut down – in the case of a computer, for example. When responding to an incident, the most immediate priority should be collecting volatile data.

Volatile data refers to information that is stored in temporary memory and lost when a system is powered off. This includes data stored in a system’s random-access memory (RAM) and any data that is being processed or temporarily stored in a cache.

Figure 1.5 – RAM sample image

Figure 1.5 – RAM sample image

Volatile data can include active system processes, network connections, and open files and applications. In a digital forensics investigation, capturing volatile data can provide valuable information about the state of a system at a specific point in time.

On the other hand, non-volatile data refers to information that is stored on a persistent storage device, such as a hard drive, which remains intact even when a system is powered off. Non-volatile data can include files, documents, images, and system configurations. In a digital forensics investigation, non-volatile data can provide a more comprehensive view of the system’s history and activity.

It is important to note that while volatile data can be lost when a system is powered off, it can still be captured and analyzed through a process known as live analysis. This involves collecting data directly from a live system, without first creating a forensic image of the data. Live analysis is typically used in time-sensitive investigations or when it is not possible to obtain a forensic image of the data.

In digital forensics, it is critical to preserve and analyze both volatile and non-volatile data in order to obtain a complete picture of a system’s activity and state. Volatile data can provide insight into the current state of the system, while non-volatile data can provide a historical view of the system’s activity. By combining these two types of data, forensic examiners can build a more comprehensive and accurate picture of the system’s behavior and any potential digital evidence.

In the upcoming chapters, we will talk about the acquisition of a memory image and how to perform analysis of a memory image.

In the next section, we will explore the concept of Windows Shadow Copy and its significance in digital forensics and incident response.

Windows VSS

VSS is a feature of Windows OSs that allows users to take snapshots of the state of their hard drive at a specific point in time. These snapshots, known as shadow copies, can be used to restore previous versions of files and directories in the event of data loss or corruption.

From a digital forensics perspective, volume shadow copies can be a valuable source of evidence. They provide a historical record of the state of the hard drive, including deleted and altered files. This information can be used to reconstruct the chain of events that occurred on the system and to identify any suspicious activity.

Volume shadow copies are stored as part of the VSS, which is a component of Windows that provides the functionality to create and manage shadow copies. VSS maintains a list of all shadow copies on a particular volume, allowing a user to select and restore the desired shadow copy.

One of the key benefits of volume shadow copies is that they are created automatically in the background, without the user’s intervention. This means that even if a user is unaware of the feature, it can still contain valuable evidence. In addition, the shadow copies are stored in a hidden and protected area of the hard drive, making it difficult for attackers to tamper with or destroy them.

When conducting a digital forensics examination, it is important to capture and preserve shadow copies to ensure that evidence remains intact. This can be done by creating a forensic image of a hard drive, which can then be analyzed for the presence of shadow copies. Once the shadow copies have been identified, the forensic examiner can extract and analyze the contents to identify any relevant information.

By using VSS, we can track changes in an New Technology File System (NTFS) filesystem. However, it does not store data every time a user changes a file; instead, it typically stores data once a week or as configured by a user on the machine.

When conducting a digital forensic investigation and searching for any suspicious or malicious activity, such as file deletion, we can utilize the VSS to obtain valuable forensic evidence. By comparing the original content of the hard drive with that stored in VSS, we can determine whether any changes or tampering have occurred.

To check VSS on your local machine, you can run CMD.exe with admin privileges and use the following command to list the shadow copies:

Vssadmin list shadows

The following screenshot shows the output of the preceding command:

Figure 1.6 – Vssadmin command output

Figure 1.6 – Vssadmin command output

Another useful trick is mounting a shadow copy using a Windows command line. On a live machine, we can manually mount and browse VSS data using the following mklink command, which creates a symbolic link to VSS. To do this, we need to invoke cmd.exe to use the mklink utility, as powershell.exe will not work:

mklink /d C:\shadow_copy_test \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

Create a symbolic link to VSS by using the following command line:

Figure 1.7 – Mounting a volume shadow using mklink

Figure 1.7 – Mounting a volume shadow using mklink

Now, in the C drive, we can see a new symbolic link has been created and linked to the shadow copy, and we can browse it as a normal file:

Figure 1.8 – Mapped shadow copy in the C drive

Figure 1.8 – Mapped shadow copy in the C drive

There are other utilities and tools that help to mount VSS, such as Arsenal Image Mounter and VSCMount; however, we will leave the option to you to explore more tools and test them within the labs.

In the next section, we will discuss and prepare the lab environment for digital forensic investigations.

Preparing a lab environment

To prepare for this book’s exercises, we will work now on deploying a forensics lab with tools that we will utilize during our investigation of each artifact. In this section, we will show you how to install a VMware workstation to deploy our Windows OS (Windows 10).

Note that to prepare labs for this book, I will proceed and deploy a lab virtual machine on a VMware product; if you prefer to use VirtualBox, you can apply the same steps when installing Windows OS.

Let’s start with installing Workstation 17 Pro:

  1. Visit the following link to download the trial version of Workstation 17 Pro for Windows (this is the latest version available as of December 2022):

    https://www.vmware.com/mena/products/workstation-pro/workstation-pro-evaluation.html

  1. Click on DOWNLOAD NOW; it will prompt you to save the executable file, as shown here:
Figure 1.9 – VMware Workstation download page

Figure 1.9 – VMware Workstation download page

  1. Now, double-click on the executable file and then click Next:
Figure 1.10 – VMware Workstation installation process – part 1

Figure 1.10 – VMware Workstation installation process – part 1

  1. Once prompted for an end user license, accept it by checking the free trial option and then click Next. It will prompt you to select the path to install Workstation 17 Pro; click on Next once you have selected it:
Figure 1.11 – VMware Workstation installation process – part 2

Figure 1.11 – VMware Workstation installation process – part 2

  1. Select the Desktop and Start Menu Programs Folder options to create a shortcut or add a VMware workstation application to the Start menu:
Figure 1.12 – VMware Workstation installation process – part 3

Figure 1.12 – VMware Workstation installation process – part 3

  1. Now, once we click on Next, it will start installing the application. The process might take a couple of minutes, depending on your system specifications:
Figure 1.13 – VMware Workstation installation process – part 4

Figure 1.13 – VMware Workstation installation process – part 4

  1. The last step for this process is to either select the I want to try VMware Workstation 17 for 30 days option or use a legitimate key to activate your product, and then click on Continue:
Figure 1.14 – VMware Workstation installation process – part 5

Figure 1.14 – VMware Workstation installation process – part 5

Once Workstation 17 Pro is installed, you can see the Library pane and the Home tab, which shows your virtual machines:

Figure 1.15 – VMware Workstation interface

Figure 1.15 – VMware Workstation interface

For the next exercise, let’s start making a Windows ISO file to install on a virtual machine:

  1. Visit the following link and click on Download Now; it will download media creation tools for us to use:

    https://www.microsoft.com/en-us/software-download/windows10

  1. Double-click on the Windows 10 Setup executable and accept the license (the tools will take some time to download, depending on your network speed):
Figure 1.16 – Preparing Windows 10 ISO – part 1

Figure 1.16 – Preparing Windows 10 ISO – part 1

  1. Select the Create installation media (USB flash drive, DVD, or ISO file) for another PC option:
Figure 1.17 – Preparing Windows 10 ISO – part 2

Figure 1.17 – Preparing Windows 10 ISO – part 2

  1. Select the architecture that you want (in our case, we will proceed with 64-bit (x64)):
Figure 1.18 – Preparing Windows 10 ISO – part 3

Figure 1.18 – Preparing Windows 10 ISO – part 3

  1. Now, we will select the ISO file option and the saving path on your local machine to download and create a Windows 10 image:
Figure 1.19 – Preparing Windows 10 ISO – part 4

Figure 1.19 – Preparing Windows 10 ISO – part 4

The next exercise is to install Windows 10 as a virtual machine on Workstation 17 Pro:

  1. Click on Click Virtual Machines > Create VM and select the Typical installation option:
Figure 1.20 – Windows 10 installation process – part 1

Figure 1.20 – Windows 10 installation process – part 1

  1. Click on the Installer disc image file (iso) option, as shown in the following screenshot, and select the path for the Windows 10 ISO file:
Figure 1.21 – Windows 10 installation process – part 2

Figure 1.21 – Windows 10 installation process – part 2

  1. Click Next and name the virtual machine DFIR Labs, assign 60 GB as the virtual HDD, and select a minimum of 4 GB of RAM:
Figure 1.22 – Virtual machine settings

Figure 1.22 – Virtual machine settings

  1. The last step is to follow the Windows installation guide and run the virtual machine, for which we are all set up now.

During the exercises in the next chapters, we will start downloading and setting up the tools to use for our investigation and artifact analysis each tool will be presented with link to download.

Now we have completed setting up our virtual machine. Let’s take a snapshot of it just in case we need to revert and avoid re-installing it.

Figure 1.23 – Windows 10 ready for a lab

Figure 1.23 – Windows 10 ready for a lab

In conclusion, setting up a forensic lab is a critical step toward conducting effective digital forensics investigations. A properly configured forensic lab can help ensure the integrity of evidence, streamline the investigation process, and increase the chances of successful investigations. By following the guidelines and best practices outlined in this chapter, forensic analysts can establish a reliable and efficient forensic lab that can meet the demands of modern digital investigations.

Summary

In this chapter, we covered the fundamental concepts and principles of digital forensics, including the importance of a chain of custody, the authenticity and reliability of evidence, and the need for a thorough and systematic approach to the examination of digital evidence. We also discussed the ethical considerations involved in digital forensics and the importance of following established legal and professional standards.

We learned how to set up a virtual environment that simulates a real-world scenario. This allows us to safely and securely test and practice digital forensic techniques without risking damage to real systems. We also learned how to take snapshots of virtual machines and revert to previous states, which is an essential tool for creating controlled testing environments and preserving evidence.

This chapter also provided an overview of the tools and techniques used in digital forensics, including forensic imaging, data recovery, and analysis tools. The goal of this fundamental chapter on digital forensics was to provide a comprehensive understanding of the field and its various components, as well as to provide a foundation for further study and specialization.

In the upcoming chapter, we will be covering the important topic of memory forensics and acquisition. We will explore the significance of memory analysis in digital forensics and how it can help in identifying and investigating potential security breaches. Additionally, we will discuss the different methods of acquiring memory images and their importance in conducting effective digital investigations. Stay tuned for an in-depth discussion on this critical aspect of digital forensics.

Questions

Before ending this chapter, I would encourage you to answer the following questions based on your understanding and research:

  1. What is operating system forensics?
  2. What type of evidence can we collect?
  3. Why did digital forensics become an important science?
  4. What are the investigative procedures involved in computer forensics?
  5. What is VSS?
Left arrow icon Right arrow icon

Key benefits

  • Gain hands-on experience with reputable and reliable tools such as KAPE and FTK Imager
  • Explore artifacts and techniques for successful cybercrime investigation in Microsoft Teams, email, and memory forensics
  • Understand advanced browser forensics by investigating Chrome, Edge, Firefox, and IE intricacies
  • Purchase of the print or Kindle book includes a free PDF eBook

Description

In this digitally driven era, safeguarding against relentless cyber threats is non-negotiable. This guide will enable you to enhance your skills as a digital forensic examiner by introducing you to cyber challenges that besiege modern entities. It will help you to understand the indispensable role adept digital forensic experts play in preventing these threats and equip you with proactive tools to defend against ever-evolving cyber onslaughts. The book begins by unveiling the intricacies of Windows operating systems and their foundational forensic artifacts, helping you master the art of streamlined investigative processes. From harnessing opensource tools for artifact collection to delving into advanced analysis, you’ll develop the skills needed to excel as a seasoned forensic examiner. As you advance, you’ll be able to effortlessly amass and dissect evidence to pinpoint the crux of issues. You’ll also delve into memory forensics tailored for Windows OS, decipher patterns within user data, and log and untangle intricate artifacts such as emails and browser data. By the end of this book, you’ll be able to robustly counter computer intrusions and breaches, untangle digital complexities with unwavering assurance, and stride confidently in the realm of digital forensics.

Who is this book for?

This book is for forensic investigators with basic experience in the field, cybersecurity professionals, SOC analysts, DFIR analysts, and anyone interested in gaining deeper knowledge of Windows forensics. It's also a valuable resource for students and beginners in the field of IT who’re thinking of pursuing a career in digital forensics and incident response.

What you will learn

  • Master the step-by-step investigation of efficient evidence analysis
  • Explore Windows artifacts and leverage them to gain crucial insights
  • Acquire evidence using specialized tools such as FTK Imager to maximize retrieval
  • Gain a clear understanding of Windows memory forensics to extract key insights
  • Experience the benefits of registry keys and registry tools in user profiling by analyzing Windows registry hives
  • Decode artifacts such as emails, applications execution, and Windows browsers for pivotal insights
Estimated delivery fee Deliver to Japan

Standard delivery 10 - 13 business days

$8.95

Premium delivery 3 - 6 business days

$34.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Oct 27, 2023
Length: 318 pages
Edition : 1st
Language : English
ISBN-13 : 9781803248479
Vendor :
Microsoft
Category :
Concepts :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to Japan

Standard delivery 10 - 13 business days

$8.95

Premium delivery 3 - 6 business days

$34.95
(Includes tracking information)

Product Details

Publication date : Oct 27, 2023
Length: 318 pages
Edition : 1st
Language : English
ISBN-13 : 9781803248479
Vendor :
Microsoft
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 142.97 159.97 17.00 saved
Effective Threat Investigation for SOC Analysts
$37.99 $54.99
Digital Forensics and Incident Response
$54.99
Windows Forensics Analyst Field Guide
$49.99
Total $ 142.97 159.97 17.00 saved Stars icon
Banner background image

Table of Contents

13 Chapters
Part 1:Windows OS Forensics and Lab Preparation Chevron down icon Chevron up icon
Chapter 1: Introducing the Windows OS and Filesystems and Getting Prepared for the Labs Chevron down icon Chevron up icon
Chapter 2: Evidence Acquisition Chevron down icon Chevron up icon
Chapter 3: Memory Forensics for the Windows OS Chevron down icon Chevron up icon
Chapter 4: The Windows Registry Chevron down icon Chevron up icon
Chapter 5: User Profiling Using the Windows Registry Chevron down icon Chevron up icon
Part 2:Windows OS Additional Artifacts Chevron down icon Chevron up icon
Chapter 6: Application Execution Artifacts Chevron down icon Chevron up icon
Chapter 7: Forensic Analysis of USB Artifacts Chevron down icon Chevron up icon
Chapter 8: Forensic Analysis of Browser Artifacts Chevron down icon Chevron up icon
Chapter 9: Exploring Additional Artifacts Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.6
(9 Ratings)
5 star 88.9%
4 star 0%
3 star 0%
2 star 0%
1 star 11.1%
Filter icon Filter
Top Reviews

Filter reviews by




Caine Pavlosky Feb 05, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Feefo Verified review Feefo
Terryn (ChocolateCoat4n6) Aug 16, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book does a great job of introducing several important concepts of Digital Forensics and Incident Response (DFIR). It talks about tools and procedures that are relevant for anyone who may perform some level of DFIR within their job.I appreciate that the author takes the time to show realistic and practical tools, rather than paid solutions. It provides an easy to follow guide for someone that is new to the field or needs a refresher on specific topics. The book does not go into great detail outside of DFIR which I believe helps keep the focus. It does not follow the newest forensic artifacts specific to Windows 11, however it does cover all the relevant artifacts that would be required for any level of analysis.This book would be perfect for someone learning DFIR for the first time as well as someone who needs reference material if they are not repeatedly performing this level of analysis.
Amazon Verified review Amazon
Michael Gates Oct 30, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
One of the things that most "entry level" analysts lack is knowledge about the Windows Registry and artifact collection. This book does a very good job at explaining the Windows Registry and going into the different types of artifacts that can be retrieved from it. It is also a very good refresher for using FTK Imager.This book is good for someone relatively new to security or if you have only triaged level 1 type of alerts and do not have hands-on experience in a security team.
Amazon Verified review Amazon
MrMiller Oct 29, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Muhiballah Mohammed's "Windows Forensics Analyst Field Guide" offers a structured exploration of Windows OS forensics. Part 1 lays a robust foundation, detailing the Windows OS, its file systems, and lab preparation essentials. The guide's emphasis on evidence acquisition for Windows OS is commendably detailed. Next is a dive into user profiling via the Windows Registry is both insightful and comprehensive. In Part 2, the focus shifts to 'Additional Artifacts', where topics like 'Application Execution Artifacts' and 'USB Forensics' are covered. The examination of browser artifacts, spanning Firefox to Chrome, is particularly relevant today. Exploration of various additional artifacts, including email and system logs, is thorough. Practical case studies enrich the content, making it more relatable. Overall, Mohammed’s guide serves as a valuable resource for both newcomers and seasoned professionals in digital forensics.
Amazon Verified review Amazon
rahi Nov 06, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
The book dives into the Windows operating system and highlights key forensic artifacts that used in investigations. It provides a step-by-step approach to evidence collection using various tools and offers an in-depth analysis of each artifact.Key learning points include understanding the investigation process, learning about memory forensics for Windows OS, performing a deep-dive analysis of user data, and understanding various artifacts such as evidence of execution, files written to disk, and more,The book is highly recommended for individuals with basic experience in digital forensics, cybersecurity professionals, SOC analysts, or anyone interested in gaining a deeper understanding of Windows forensics. It also serves as a valuable resource for students and IT beginners considering a career in the digital forensics and incident response field.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact [email protected] with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at [email protected] using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on [email protected] with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on [email protected] within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on [email protected] who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on [email protected] within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela