Perl Scripting for Windows Security: Live Response, Forensic Analysis, and Monitoring [Paperback]

Harlan Carvey (Author), Jeremy Faircloth (Author), Dave Kleiman (Technical Editor)
Book Description

ISBN-10 159749173X | ISBN-13 978-1597491730 | Published December 26, 2007 | 1st edition

I decided to write this book for a couple of reasons. One was that I've now written a couple of books that have to do with incident response and forensic analysis on Windows systems, and I used a lot of Perl in both books. Okay, I'll come clean: I used nothing but Perl in both books! What I've seen as a result is that many readers want to use the tools but don't know how; they simply aren't familiar with Perl, with interpreted (or scripting) languages in general, and may not be entirely comfortable with running tools at the command line. This book is intended for anyone who has an interest in useful Perl scripting, in particular on the Windows platform, for the purposes of incident response, forensic analysis, and application monitoring. While a thorough grounding in scripting languages (or in Perl specifically) is not required, it is helpful in fully understanding the material and code presented in this book. This book contains information that is useful to consultants who perform incident response and computer forensics, specifically as those activities pertain to MS Windows systems (Windows 2000, XP, 2003, and some Vista). My hope is that not only will consultants (such as myself) find this material valuable, but so will system administrators, law enforcement officers, and students in undergraduate and graduate programs focusing on computer forensics.

Code can be found at: http://www.elsevierdirect.com/companion.jsp?ISBN=9781597491730

*Perl Scripting for Live Response

Using Perl, there's a great deal of information you can retrieve from systems, locally or remotely, as part of troubleshooting or investigating an issue. Perl scripts can be run from a central management point, reaching out to remote systems in order to collect information, or they can be "compiled" into standalone executables using PAR, PerlApp, or Perl2Exe so that they can be run on systems that do not have ActiveState's Perl distribution (or any other Perl distribution) installed.
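The remote-collection idea above, as an added example that is not the book's code: a Perl script that pulls the process list from a local or remote Windows host over WMI through Win32::OLE, which ships with ActiveState and Strawberry Perl. The host name comes from the command line (an assumption for the example; "." means the local machine), and the script assumes the caller is in the local Administrators group on the target.

```perl
#!/usr/bin/perl
# Added example, not code from the book: collect volatile process data from a
# local or remote Windows host over WMI. Remote collection needs RPC/DCOM
# reachable on the target and an account in its local Administrators group.
use strict;
use warnings;
use Win32::OLE qw(in);

my $host = @ARGV ? shift @ARGV : '.';   # assumed: host name as first argument

# Impersonate the caller's credentials against the target's CIMv2 namespace.
my $wmi = Win32::OLE->GetObject(
    "winmgmts:{impersonationLevel=impersonate}!\\\\$host\\root\\cimv2")
    or die "WMI connection to $host failed: " . Win32::OLE->LastError() . "\n";

# Order of volatility: processes (and what launched them) before anything on
# disk. Stamp the snapshot with the collection time, in UTC.
my @t = gmtime;
printf "# host=%s collected=%04d-%02d-%02dT%02d:%02d:%02dZ\n",
    $host, $t[5] + 1900, $t[4] + 1, @t[3, 2, 1, 0];

my $procs = $wmi->ExecQuery(
    'SELECT ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine FROM Win32_Process');

# PID -> name map first, so each row can show its parent's name; an unexpected
# parent (a shell under a service host, say) is a classic lead in live response.
my %name_of;
for my $p (in $procs) {
    $name_of{ $p->{ProcessId} } = $p->{Name};
}

printf "%-6s %-6s %-22s %-22s %s\n", 'PID', 'PPID', 'Name', 'Parent', 'Path / command line';
for my $p (sort { $a->{ProcessId} <=> $b->{ProcessId} } in $procs) {
    my $ppid   = $p->{ParentProcessId};
    # PID reuse: the parent may have exited, so its name is not always known.
    my $parent = exists $name_of{$ppid} ? $name_of{$ppid} : '(exited)';
    my $what   = defined $p->{CommandLine}    ? $p->{CommandLine}
               : defined $p->{ExecutablePath} ? $p->{ExecutablePath}
               :                                '(not readable)';
    printf "%-6d %-6d %-22s %-22s %s\n", $p->{ProcessId}, $ppid, $p->{Name}, $parent, $what;
}
```

Run it as `perl proclist.pl SERVER01 > SERVER01-procs.txt` and record a hash of the output file next to the collection time. To run it where no Perl is installed, PAR::Packer's `pp -o proclist.exe proclist.pl` bundles the interpreter and modules, but the packed executable still unpacks into a cache directory under the target's temp folder on first run, and the WMI query itself starts a provider host process on the target; note both in the collection log, since neither is footprint-free.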

*Perl Scripting for Computer Forensic Analysis

Perl is an extremely useful and powerful tool for computer forensic analysis. While there are applications that let an examiner access acquired images and perform some modicum of visualization, relatively few tools meet the specific needs of a specific examiner working on a specific case. This is where Perl really shines.

*Perl Scripting for Application Monitoring

Working with enterprise-level Windows applications requires a great deal of analysis and constant monitoring. Automating the monitoring portion of this effort can save a great deal of time, reduce system downtime, and improve the reliability of your overall application. By using Perl scripts and integrating them with the application technology, you can easily build a simple monitoring framework that alerts you to current or impending application issues.
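A worked example of the monitoring framework this paragraph describes, added here and not taken from the book (the second review below notes that Part 3 covers processes, Web services and log files; this covers only the last): a Perl monitor that reads a log file incrementally, persists its offset so restarts do not re-alert, and matches new lines against a pattern table. The log format, the patterns and the sample lines are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the book: a small log-file monitor. Each run
# reads only the bytes appended since the previous run (offset kept in a state
# file), matches new lines against a pattern table, and raises at most one
# alert per pattern. Log format, patterns and sample lines are constructed.
use strict;
use warnings;
use File::Temp qw(tempfile);

my @CHECKS = (   # name => regex; both are assumptions, tune to the real log format
    [ service_crash => qr/\bservice (?:stopped unexpectedly|crashed)\b/i ],
    [ auth_failure  => qr/\blogon failure\b/i ],
    [ disk_full     => qr/\bno space left\b|\bdisk (?:is )?full\b/i ],
);

sub load_offset {
    my ($state) = @_;
    open my $fh, '<', $state or return 0;        # no state yet: start from the top
    my $line = <$fh>;
    close $fh;
    return defined $line && $line =~ /^(\d+)/ ? $1 : 0;
}

sub save_offset {
    my ($state, $offset) = @_;
    open my $fh, '>', $state or die "$state: $!\n";
    print $fh "$offset\n";
    close $fh;
}

# Lines appended since $offset; a partial last line is left for the next run.
sub read_new_lines {
    my ($log, $offset) = @_;
    open my $fh, '<:raw', $log or die "$log: $!\n";
    $offset = 0 if $offset > -s $fh;             # truncated in place: start over
    seek $fh, $offset, 0 or die "seek: $!\n";
    my @lines;
    while (defined(my $line = <$fh>)) {
        last unless $line =~ /\n\z/;
        chomp $line;
        push @lines, $line;
        $offset = tell $fh;
    }
    close $fh;
    return (\@lines, $offset);
}

# { name => first matching line }: a burst of identical errors yields one alert.
sub scan {
    my ($lines) = @_;
    my %alerts;
    for my $line (@$lines) {
        for my $check (@CHECKS) {
            my ($name, $re) = @$check;
            $alerts{$name} = $line if $line =~ $re && !exists $alerts{$name};
        }
    }
    return \%alerts;
}

sub run_once {
    my ($log, $state) = @_;
    my ($lines, $offset) = read_new_lines($log, load_offset($state));
    my $alerts = scan($lines);
    save_offset($state, $offset);
    return $alerts;
}

sub report {   # the one place to hook real delivery (Event Log, e-mail, ticket)
    my ($label, $alerts) = @_;
    print "== $label\n";
    print "no new alerts\n" unless %$alerts;
    print "ALERT $_: $alerts->{$_}\n" for sort keys %$alerts;
}

# --- demo on a constructed log (not real application output) -----------------
my ($log_fh, $log)   = tempfile(UNLINK => 1);
my (undef,   $state) = tempfile(UNLINK => 1);
print $log_fh <<'LOG';
2007-12-26 09:00:01 INFO  OrderService started
2007-12-26 09:00:05 WARN  logon failure for user svc_orders from 10.0.0.12
2007-12-26 09:00:06 WARN  logon failure for user svc_orders from 10.0.0.12
2007-12-26 09:01:10 ERROR write failed: no space left on device
LOG
close $log_fh;
report('first run', run_once($log, $state));     # auth_failure, disk_full

open my $append, '>>', $log or die "$log: $!\n";
print $append "2007-12-26 09:05:00 ERROR OrderService service stopped unexpectedly\n";
close $append;
report('second run', run_once($log, $state));    # service_crash only
report('third run',  run_once($log, $state));    # nothing new
```

In production this runs from a scheduled task every few minutes with real log and state paths. Two details matter in practice: the size check only handles a log truncated in place, so a log rotated by rename needs the state reset (or keyed by the file's identity), and the one-alert-per-pattern rule means a condition that persists across runs fires again on every run, which is usually what you want for a page and not for a ticket.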

Frequently Bought Together

  • Windows Forensic Analysis DVD Toolkit, Second Edition
  • Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry


Editorial Reviews

About the Author

Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and "cloud computing" services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan's primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms. Harlan holds a bachelor's degree in electrical engineering from the Virginia Military Institute and a master's degree in the same discipline from the Naval Postgraduate School. Harlan resides in Northern Virginia with his family.


Product Details

  • Paperback: 232 pages
  • Publisher: Elsevier Inc.; 1 edition (December 26, 2007)
  • Language: English
  • ISBN-10: 159749173X
  • ISBN-13: 978-1597491730
  • Product Dimensions: 9.2 x 7.6 x 0.5 inches
  • Shipping Weight: 1 pound
  • Average Customer Review: 5.0 out of 5 stars (2 customer reviews)
  • Amazon Best Sellers Rank: #1,414,418 in Books

Customer Reviews

Most Helpful Customer Reviews

5.0 out of 5 stars Excellent teaching manual on using Perl in live incident response and forensics, August 30, 2009
This is a highly specialized book that will not find a wide audience. The author states the narrow purpose of his work: "[t]he purpose of this book is to show what can be (and has been) done, using Perl, to perform incident response, computer forensic analysis, and application monitoring on Windows system".

At least an elementary understanding of Perl (or a related scripting language, such as Python) is required to make full use of the book.

Carvey covers some live response subjects and some registry and log analysis situations.

As Carvey points out, this book will not teach you how to perform live incident response or computer forensics.

Its value is as a tool to teach you how to use Perl as a tool in your work.

The book, as you might expect, is loaded with examples that will teach you much about Windows and using Perl to extract information. For instance, one script entitled "Lslink.pl" has much to teach about the structure of Windows shortcut or link files (which are encoded in binary) and how to extract that structure using a Perl script. The script runs about seven printed pages. It is not overly complex, but following its logic is very informative.

By the way, one of the first things the author does is to brief the reader on the capabilities of several commonly available Perl modules, which can be extremely handy.

Harlan Carvey is very well known in the community for his writings on the Windows Registry and his Perl script RegRipper. Carvey not only demonstrates his masterly understanding of the Registry, but provides several scripts for the student reader to review and implement.

The book is actually rather broadly based and covers a number of areas, some of which the reader may have no immediate interest in or need for, such as live incident response in my case. But as Carvey points out, his goal here is to inspire, not to provide tools and answers for specific needs.

As an inspirational and teaching tool, Carvey achieves his objectives. For the person who is already familiar with Perl, the book serves as a goad for rolling your own code to meet specific needs that are not met in the omnibus commercial programs on the market.

Jerry


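The header-level part of what the reviewer above describes lslink.pl doing, and of the "Perl Scripting for Computer Forensic Analysis" use in the book description, as an added example (my code, not the book's lslink.pl): a parser for the fixed ShellLinkHeader at the start of a Windows shortcut, following the MS-SHLLINK layout. With no argument it parses a header built in-script, which is constructed for the example and not taken from a real system; give it a .lnk path to parse a real one.

```perl
#!/usr/bin/perl
# Added example, not the book's lslink.pl: decode the fixed 76-byte
# ShellLinkHeader that starts every Windows shortcut (.lnk) file, laid out
# as in MS-SHLLINK. With no argument it parses a header built in-script
# (constructed for the example, not taken from a real system).
use strict;
use warnings;
use POSIX qw(strftime);

my $LINK_CLSID = '0114020000000000c000000000000046';   # {00021401-0000-0000-C000-000000000046} as stored on disk
use constant EPOCH_DIFF => 11_644_473_600;             # seconds from 1601-01-01 to 1970-01-01

my @LINK_FLAGS = (   # low byte of LinkFlags, bit 0 first
    [0x01 => 'HasLinkTargetIDList'], [0x02 => 'HasLinkInfo'],
    [0x04 => 'HasName'],             [0x08 => 'HasRelativePath'],
    [0x10 => 'HasWorkingDir'],       [0x20 => 'HasArguments'],
    [0x40 => 'HasIconLocation'],     [0x80 => 'IsUnicode'],
);

# FILETIME (100 ns ticks since 1601, two little-endian DWORDs) -> Unix seconds.
sub filetime_to_epoch {
    my ($lo, $hi) = @_;
    return undef unless $lo || $hi;                                  # all-zero: not set
    return ($hi * 4294967296 + $lo) / 10_000_000 - EPOCH_DIFF;
}

sub epoch_to_filetime {                         # inverse, used only to build the sample
    my $ticks = ($_[0] + EPOCH_DIFF) * 10_000_000;                   # 64-bit integer on modern Perl
    my $hi    = int($ticks / 4294967296);
    return ($ticks - $hi * 4294967296, $hi);
}

# Returns a hashref of header fields, or dies if the bytes are not a shell link.
sub parse_lnk_header {
    my ($data) = @_;
    die "too short for a ShellLinkHeader\n" if length($data) < 0x4C;
    my ($size, $clsid, $flags, $attrs, $c_lo, $c_hi, $a_lo, $a_hi, $w_lo, $w_hi,
        $fsize, $icon, $show) = unpack 'V a16 V V V6 V V V', $data;
    die sprintf("HeaderSize is 0x%X, expected 0x4C\n", $size) unless $size == 0x4C;
    die "LinkCLSID mismatch: not a shell link\n" unless unpack('H*', $clsid) eq $LINK_CLSID;
    return {
        flags      => [ map { $_->[1] } grep { $flags & $_->[0] } @LINK_FLAGS ],
        attributes => $attrs,            # FILE_ATTRIBUTE_* of the target
        file_size  => $fsize,            # low 32 bits of the target's size
        icon_index => $icon,
        show_cmd   => $show,
        ctime      => filetime_to_epoch($c_lo, $c_hi),   # target's times, not the .lnk file's
        atime      => filetime_to_epoch($a_lo, $a_hi),
        mtime      => filetime_to_epoch($w_lo, $w_hi),
    };
}

sub fmt_time {
    my ($t) = @_;
    return defined $t ? strftime('%Y-%m-%d %H:%M:%S UTC', gmtime $t) : '(not set)';
}

# Constructed sample: target created and last written 2007-12-26 00:00:00 UTC,
# access time unset, 73,728 bytes, ARCHIVE attribute, IDList + LinkInfo present.
my @ct = epoch_to_filetime(1198627200);
my $sample = pack 'V a16 V V V2 V2 V2 V V V v v V V',
    0x4C, pack('H*', $LINK_CLSID),
    0x83, 0x20,
    @ct, 0, 0, @ct,
    73_728, 0, 1,      # FileSize, IconIndex, ShowCommand = SW_SHOWNORMAL
    0, 0, 0, 0;        # HotKey, Reserved1, Reserved2, Reserved3

my $data = $sample;
if (@ARGV) {
    open my $fh, '<:raw', $ARGV[0] or die "$ARGV[0]: $!\n";
    defined(read $fh, $data, 0x4C) or die "$ARGV[0]: $!\n";
    close $fh;
}

my $h = parse_lnk_header($data);
printf "flags:      %s\n",     join(', ', @{ $h->{flags} }) || '(none)';
printf "attributes: 0x%08X\n", $h->{attributes};
printf "file size:  %d\n",     $h->{file_size};
for my $k (qw(ctime atime mtime)) {
    printf "target %s: %s\n", $k, fmt_time($h->{$k});
}
```

The three FILETIME fields are the target's creation, access and write times as recorded when the shortcut was made or refreshed, not the MAC times of the .lnk file itself, so they can still place a file on a system after it has been deleted; compare them with the .lnk file's own filesystem timestamps. Everything after byte 0x4C (LinkTargetIDList, LinkInfo, and the StringData carrying the path and arguments) is not decoded here.
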
5.0 out of 5 stars Perl Scripting for Windows Security Review, June 7, 2009
Syngress was kind enough to give me a copy of Harlan Carvey's book, "Perl Scripting for Windows Security" while I was visiting the Syngress booth at Techno-Security this week. After reading the book, I have to say that I was really pleased with the content.

This is not a Perl tutorial. However, if you happen to be using any of Harlan's tools that he has written in Perl to perform live response, post-mortem forensics or network security administration, the book gives good insight into exactly what the scripts are doing and why.
While I am not a Perl programmer, I have over 25 years of experience programming in various computer languages. Based on what I saw in the book, anyone with fairly basic programming knowledge can understand what Harlan is doing with the scripts and if they want to learn Perl, could use them as an excellent method for advancing their knowledge into writing specific scripts later on.

For someone who is an experienced programmer who wants to dive into Perl scripting, once you have gained an understanding of the Perl syntax and coding rules, Harlan's scripts and advice in the book for additional resources are an excellent way to get deeper into coding Perl for specific security tasks.

The foundation of programming is basically the same, no matter what language you choose to use. What differs between the different languages is primarily features and syntax. In other words, how you have to structure your coding for the interpreter or compiler to understand what you are trying to do.
The book is organized into three parts, with Part 1 covering how to use Perl for incident response and troubleshooting live systems. Part 2 covers post-mortem forensics and Part 3 covers monitoring application processes, Web services and log files.

While it is not a huge tome like many programming books, it is important to bear in mind that this is not a programming book. This is a book that demonstrates specific scripts for specific tasks. If you are a long time coder like me, you will appreciate a book that deals with a specific subject matter without trying to teach you everything and nothing about a programming language.

If you are interested in coding your own security or forensic tools, I would highly recommend this book.
Key Phrases (Statistically Improbable Phrases): last login, active desktop, userassist key, computer forensic analysis, creating locator object, localhost for data, perf object, virt addr, perf data, executable image file, monitoring scripts, base addr, counter data, sam groups, restore point