
Winternals. Defragmentation, Recovery, and Administration Field Guide PDF

480 Pages·2006·42.904 MB·English

Syngress would like to acknowledge the following people for their kindness and support in making this book possible. Syngress books are now distributed in the United States and Canada by O'Reilly Media, Inc. The enthusiasm and work ethic at O'Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marina Burgess, Annette Scott, Andrew Swaffer, Stephen O'Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Dave Kleiman (CAS, CCE, CIFI, CISM, ISSMP, CISSP, ISSAP, MCSE) has worked in the information technology security sector since 1990. Currently, he is the owner of SecurityBreachResponse.com and is the Chief Information Security Officer for Securit-e-Doc, Inc. Before starting this position, he was Vice President of Technical Operations at Intelliswitch, Inc., where he supervised an international telecommunications and Internet service provider network. Dave is a recognized security expert. A former Florida Certified Law Enforcement Officer, he specializes in computer forensic investigations, incident response, intrusion analysis, security audits, and secure network infrastructures. He has written several secure installation and configuration guides about Microsoft technologies that are used by network professionals. He has developed a Windows operating system lockdown tool, S-Lok (www.s-doc.com/products/slok.asp), which surpasses NSA, NIST, and Microsoft Common Criteria Guidelines. Dave was a contributing author to Microsoft Log Parser Toolkit (Syngress Publishing, ISBN: 1-932266-52-6). He is frequently a speaker at many national security conferences and is a regular contributor to many security-related newsletters, Web sites, and Internet forums. Dave is a member of several organizations, including the International Association of Counter Terrorism and Security Professionals (IACSP), International Society of Forensic Computer Examiners (ISFCE), Information Systems Audit and Control Association (ISACA), High Technology Crime Investigation Association (HTCIA), Network and Systems Professionals Association (NaSPA), Association of Certified Fraud Examiners (ACFE), Anti Terrorism Accreditation Board (ATAB), and ASIS International. He is also a Secure Member and Sector Chief for Information Technology at The FBI's InfraGard and a Member and Director of Education at the International Information Systems Forensics Association (IISFA).

Lawrence Abrams is the CTO for Thorn Communications, an Internet service provider based in New York City that focuses on managed services for colocation customers at its three data centers. Lawrence manages the technical and security operations as well as being involved in the day-to-day operations of the business. He is involved with the deployment and monitoring of intrusion prevention systems, intrusion detection systems, and firewall systems throughout Thorn's network to protect Thorn's customers. Lawrence is also the creator of BleepingComputer.com, a Web site designed to provide computer help and security information to people with all levels of technical skills. With more than a million different visitors each month, it has become a leading resource to find the latest spyware removal guides. Lawrence's areas of expertise include malware removal and computer forensics. He is active in the various online antimalware communities where he researches new malware programs as they are released and disseminates this information to the public in the form of removal guides. He was awarded a Microsoft Most Valuable Professional (MVP) in Windows security for this activity. Lawrence currently resides in New York City with his wife, Jill, and his twin boys, Alec and Isaac.

Nancy Altholz (MSCS, MVP) is a Microsoft MVP in Windows Security. She is a security expert and Wiki Malware Removal Sysop at the CastleCops Security Forum. As Wiki Malware Removal Sysop, she oversees and authors many of the procedures that assist site visitors and staff in system disinfection and malware prevention. As a security expert, she helps computer users with various Windows computer security issues. Nancy is currently coauthoring Rootkits for Dummies (John Wiley Publishing), which is due for release in August 2006. She was formerly employed by Medelec's Vickers Medical Division as a Software Engineer in New Product Development. Nancy holds a master's degree in Computer Science. She lives with her family in Briarcliff Manor, NY.

Kimon Andreou is the Chief Technology Officer at Secure Data Solutions (SDS) in West Palm Beach, FL. SDS develops software solutions for electronic discovery in the legal and accounting industries. SDS is also a provider of computer forensic services. His expertise is in software development, software quality assurance, data warehousing, and data security. Kimon's experience includes positions as Manager of Support & QA at S-doc, a software security company, and as Chief Solution Architect for SPSS in the Enabling Technology Division. He also has led projects in Asia, Europe, North America, and South America. Kimon holds a Bachelor of Science in Business Administration from the American College of Greece and a Master of Science in Management Information Systems from Florida International University.

Brian Barber (MCSE, MCP+I, MCNE, CNE-5, CNE-4, CNA-3, CNA-GW) is coauthor of Syngress Publishing's Configuring Exchange 2000 Server (ISBN: 1-928994-25-3), Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), and two study guides for the MCSE on Windows Server 2003 track (exams 70-296 ISBN: 1-932266-57-7 and 70-297 ISBN: 1-932266-54-2). He is a Senior Technology Consultant with Sierra Systems Consultants Inc. in Ottawa, Canada. He specializes in IT service management and technical and infrastructure architecture, focusing on systems management, multiplatform integration, directory services, and messaging. In the past he has held the positions of Senior Technical Analyst at MetLife Canada and Senior Technical Coordinator at the LGS Group Inc. (now a part of IBM Global Services).

Tony Bradley (CISSP-ISSAP, MCSE, MCSA, A+) is a Fortune 100 security architect and consultant with more than eight years of computer networking and administration experience, focusing the last four years on security. Tony provides design, implementation, and management of security solutions for many Fortune 500 enterprise networks. Tony is also the writer and editor of the About.com site for Internet/network security. He writes frequently for many technical publications and Web sites.

I want to thank my wife, Nicki, for her support and dedication as I worked on this project. She is my "Sunshine" and my inspiration. I also want to thank Gary Byrne and Dave Kleiman for inviting me to participate on this project and for their unending patience as we worked to put it all together.

Daniel Covell (CCNA, MCP) is a Senior Systems Analyst at Sharp HealthCare in San Diego. Sharp HealthCare is an integrated regional health-care delivery system that includes four acute-care hospitals, three specialty hospitals, and three medical groups. Sharp has more than 14,000 employees and represents $1 billion in assets and $1.4 billion in revenue. Daniel is a key team member in supporting more than 10,000 desktops and thousands of PDAs, laptops, and tablets. Daniel has more than 31 years of experience in desktop support, network support, and system design. He has worked for government agencies, large outsourcing projects, and several consulting firms. His experience gives him a very broad understanding of technology and its management. Daniel also owns a small computer consultancy business and currently resides in El Cajon, CA, with his wife, Dana. Daniel wrote the section of Chapter 5 titled "Advanced Disk Fragmentation Management (Defrag Manager)."

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is an IT Project Leader and Systems Manager at the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Windows 2000 and 2003 Active Directory design and implementation, troubleshooting, and security topics. Laura has more than a decade of experience with Windows computers; her previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She is a contributor to the TechTarget family of Web sites and to Redmond Magazine (formerly Microsoft Certified Professional Magazine). Laura has previously contributed to the Syngress Windows Server 2003 MCSE/MCSA DVD Guide & Training System series as a DVD presenter, author, and technical reviewer, and is the author of the Active Directory Consultant's Field Guide (ISBN: 1-59059-492-4) from APress. Laura is a three-time recipient of the prestigious Microsoft MVP award in the area of Windows Server Networking. Laura graduated with honors from the University of Pennsylvania and also works as a freelance writer, trainer, speaker and consultant. Laura wrote Chapter 3 and was the technical editor for Chapters 5 and 6.

Mahesh Satyanarayana is a final-semester electronics and communications engineering student at the Visveswaraiah Technological University in Shimoga, India. He expects to graduate this summer and has currently accepted an offer to work for Caritor Inc., an SEI-CMM Level 5 global consulting and systems integration company headquartered in San Ramon, CA. Caritor provides IT infrastructure and business solutions to clients in several sectors worldwide. Mahesh will be joining the Architecture and Design domain at Caritor's development center in Bangalore, India, where he will develop software systems for mobile devices. His areas of expertise include Windows security and related Microsoft programming technologies. He is also currently working toward administrator-level certification on the Red Hat Linux platform.

Craig A. Schiller (CISSP-ISSMP, ISSAP) is the President of Hawkeye Security Training, LLC. He is the primary author of the first Generally Accepted System Security Principles. He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management. Craig has cofounded two ISSA U.S. regional chapters: the Central Plains Chapter and the Texas Gulf Coast Chapter. He is a member of the Police Reserve Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit's Police-to-Business-High-Tech speakers' initiative and assists with Internet forensics.

Darren Windham (CISSP) is the Information Security lead at ViewPoint Bank, where he is responsible for ensuring compliance with GLB, FFIEC, OTS, FDIC, and SOX regulations, as well as managing technology risks within the organization. Darren's previous experience in technology includes network design, system configuration, security audits, internal investigations, and regulatory compliance. He has also worked as a security consultant for local companies, including other financial institutions. His background also includes system administration for manufacturing firms and one of the .coms of the late 1990s. Darren was a reviewer for the book Hacking Exposed: Computer Forensics (McGraw-Hill Osborne Media, ISBN: 0-07225-675-3). Darren is a member of Information Systems Audit and Control Association (ISACA), North Texas Electronic Crimes Task Force (N-TEC), and the North Texas Snort User Group.

Companion Web Site

Some of the code presented throughout this book is available for download from www.syngress.com/solutions. Look for the Syngress icon in the margins indicating which examples are available from the companion Web site.

Foreword

Six years and seven months ago, Winternals brought forth a set of tools that came to my rescue. It was November of 1999 when I purchased my first Winternals Administrator's Pak. It contained BlueSave Version 1.01, ERD Commander Professional Version 1.06, Monitoring Tools (FileMon and Regmon) Enterprise Editions Version 1.0, NTFSDOS Professional Version 3.03, NTRecover Version 1.0, and Remote Recover Version 1.01. We had a Windows NT 4 server in the dead zone. I spent a few hours reading over the ERD and Remote Recover user guides, created a "client floppy" (yes, this was when we still had to use floppies), and began my quest. Thank goodness that version of ERD had the ability to access NT-defined fault-tolerant drives, because within a few hours we had recovered the system and were back up and running. Since my Windows NT administrator experience began in 1996, I thought back on hundreds of incidents that made me wish I had purchased Winternals sooner.

We have come a long way since then; the Winternals team has improved upon and added many tools and features to the Administrator's Pak utilities. However, one thing remains the same: in the Microsoft administrator's world, Winternals is a lifesaver. Winternals not only makes excellent products you can purchase for the enterprise but also sponsors the freeware Sysinternals tools (www.sysinternals.com), by far the greatest collection of freeware tools for the Microsoft administrator's toolbox in the market.

I spent quite a bit of time speaking with Winternals users with various experience using the utilities and tools for different functions. Many of those users expressed interest in helping with the book, so I gathered a group of security professionals from around the globe, and we formed an outline. We had a great time working together and throwing ideas, and some jokes, around at each other. We set out with a goal of writing about the Winternals and Sysinternals tools in real-world situations administrators can and will face on a daily basis, with the hope of making your jobs easier. The result was the Winternals Defragmentation, Recovery, and Administration Field Guide. All of the authors have worked extremely hard to put together a book that we hope you will find useful and enjoyable.

We begin with ERD Commander 2005 and then step through recovering your computer (what a change from back in 1999 to now). We then give you an overview of utilizing the tools for various tasks, such as locating and removing malware, troubleshooting, configuring security, recovering data, working with the source code to create useful tools, and working with NT 4.0-only tools. We wrap things up with a chapter about having fun with the Sysinternals tools. Heck, we have to have some fun in our jobs, and what better way than giving your fellow sysadmin gray hair with some fake BSODs!

All of us, and I imagine many of you, would like to thank Mark Russinovich, Bryce Cogswell, and the Winternals team for putting together these utilities, giving us the fine selection of freeware tools, and making the lives of Microsoft administrators around the globe that much easier. In addition, we would like to thank Syngress for giving us the opportunity to get this information out to the community.

Dave Kleiman
Owner of SecurityBreachResponse.com and Chief Investigator, Secure Data Solutions, LLC