Automotive Holiday Deals Books Gift Guide Books Gift Guide Shop Men's Athletic Shoes Learn more nav_sap_SWP_6M_fly_beacon Indie for the Holidays egg_2015 All-New Amazon Fire TV Beauty Gifts Gifts Under $50 Amazon Gift Card Offer bf15 bf15 bf15 $30 Off Amazon Echo $30 Off Fire HD 6 Kindle Black Friday Deals Outdoor Deals on HTL

Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your email address or mobile phone number.

Windows Forensic Analysis Including DVD Toolkit Pap/DVD Edition

16 customer reviews
ISBN-13: 978-1597491563
ISBN-10: 159749156X
Why is ISBN important?
This bar-code number lets you verify that you're getting exactly the right version or edition of a book. The 13-digit and 10-digit formats both work.
Scan an ISBN with your phone
Use the Amazon App to scan ISBNs and compare prices.
Have one to sell? Sell on Amazon
Buy used
Condition: Used - Good
In Stock. Sold by greener_books_london
Condition: Used: Good
Comment: **SHIPPED FROM UK** We believe you will be completely satisfied with our quick and reliable service. All orders are dispatched as swiftly as possible! Buy with confidence!
Access codes and supplements are not guaranteed with used items.
24 Used from $0.98
+ $3.99 shipping
More Buying Choices
11 New from $24.12 24 Used from $0.98

Deals in Books

Special Offers and Product Promotions

  • Take an Extra 30% Off Any Book: Use promo code HOLIDAY30 at checkout to get an extra 30% off any book for a limited time. Excludes Kindle eBooks and Audible Audiobooks. Restrictions apply. Learn more

Editorial Reviews

About the Author

Harlan Carvey developed an interest in computer security while in the military. After leaving active duty, he began working in the area of penetration testing and vulnerability assessments, leading teams of engineers, and developing his own tools to optimize his ability to collect and analyze data. As most clients employed Windows to some degree, Harlan began to see a disparity in knowledge and support for these operating systems, and decided to seize the opportunity and focus on Windows as an area of interest and research. This led him to address topics in incident response and forensic analysis, and to his position as a forensic analyst. Harlan has been a prolific author and presenter, beginning with the Usenix LISA-NT conference in 2000. He has also presented at Black Hat, DefCon 9, MISTI, and HTCIA/GMU conferences. Harlan has had articles published in the Information Security Bulletin as well as on the SecurityFocus web site, and is the author of "Windows Forensics and Incident Recovery."


Hero Quick Promo
Holiday Deals in Kindle Books
Save up to 85% on more than 1,000 Kindle Books. These deals are valid until November 30, 2015. Learn more

Product Details

  • Paperback: 416 pages
  • Publisher: Syngress; Pap/DVD edition (May 8, 2007)
  • Language: English
  • ISBN-10: 159749156X
  • ISBN-13: 978-1597491563
  • Product Dimensions: 8.9 x 7.1 x 1 inches
  • Shipping Weight: 1.7 pounds
  • Average Customer Review: 4.9 out of 5 stars  See all reviews (16 customer reviews)
  • Amazon Best Sellers Rank: #1,261,681 in Books (See Top 100 in Books)

More About the Author

Harlan Carvey's interest in computer and information security began while he was an officer in the U.S. military, and a student at the Naval Postgraduate School, earning his MSEE. After leaving military service, he began working in the field of commercial and government information security consulting, performing vulnerability assessments and penetration tests. While employed at one company, he was the sole developer of a program for collecting security-specific information (i.e., Registry entries, file information, configuration settings, etc.) from Windows NT systems during vulnerability assessments. The purpose of the product was to overcome shortfalls in commercial scanning products and provide more valuable information to the customer. Harlan has also done considerable work in the area of incident response and forensics, performing internal and external investigations. He has also written a number of proof-of-concept tools for educating users in such topics as Windows null sessions, file signature analysis, and the retrieval of metadata from a variety of file formats. Harlan's experience with computers began in the early '80s, with a Timex-Sinclair 1000. Around that time, he was learning to program BASIC on an Apple IIe. From there, he moved on to computers such as the Epson QX-10 and the TRS-80, on which he programmed BASIC and learned some rudimentary PASCAL, using the TurboPASCAL compiler. Since then, he's worked with SunOS and Solaris systems, as well as various versions of DOS and Windows, OS/2, and Linux. Harlan has presented at a variety of computer security conferences, including Usenix, DefCon9, Black Hat, GMU2003/HTCIA/RCFG, WACCI, and PFIC2010. He has discussed various topics specific to issues on Windows platforms, such as data hiding, incident response, and forensic analysis. He has had articles published in the Information Security Bulletin, on the SecurityFocus web site, and in the Hakin9 magazine. Finally, Harlan has written a number of open source programs (including RegRipper), which have been made available online and via CDs/DVDs in his books.

Customer Reviews

5 star
4 star
3 star
2 star
1 star
See all 16 customer reviews
Share your thoughts with other customers

Most Helpful Customer Reviews

25 of 26 people found the following review helpful By Richard Bejtlich on July 5, 2007
Format: Paperback
I loved Windows Forensic Analysis (WFA). It's the first five star book from Syngress I've read since early 2006. WFA delivered just what I hoped to read in a book of its size and intended audience, and my expectations were high. If your job requires investigating compromised Windows hosts, you must read WFA.

Let me name three aspects of WFA that really sold me. First, the subject matter is exactly what I wanted to read. The book does not repeat basic or fundamental material you can (and should) read elsewhere, like working "crime scenes," hard drive image acquisition, and the like. I recommend the recent book Windows Forensics by Chad Steel (4 stars) as a great first book to read before WFA. The two are sufficiently different yet complementary to warrant reading both, in fact. In addition to not repeating material, WFA covers very recent (late 2006, early 2007) activity in Windows forensics that are not addressed by other books. The chapter on Windows memory analysis (ch 3) was even better than the Registry chapter that everyone likes. WFA cites plenty of outside sources in a way that doesn't confuse the reader and enriches the learning process.

Second, WFA introduces a vast number of tools to help investigators implement the concepts author Harlan Carvey explains. Many of the tools are Harlan's own work and are included on the book's DVD. The DVD even contains movies showing how to use some of the tools, like Harlan's Forensic Server Project. Many tools that were new to me appear in the book, but well-known commercial suites like EnCase do not. This is great; if you want to know EnCase, read the (3 star) book on it I reviewed last year. I intend to integrate many of these tools into my own CIRT's response processes.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
12 of 13 people found the following review helpful By Andrew Hay on June 11, 2007
Format: Paperback
There are very few books on the topic of Windows Forensic Analysis and Harlan Carvey has taken it upon himself to provide the security community with a guided tour of the inner workings of Microsoft operating systems. As Microsoft does not yet offer a "forensic" track in it's training offerings most forensic knowledge of Windows comes from on the job experience or tool specific training offered by a vendor.

This book begins by leading you through the collection of evidence. The author provides you with examples of collecting data from live running systems using commercial tools, tools native to Windows, and advanced perl scripts which are provided on the accompanying DVD. Locard's Exchange Principle, a principle unknown to me prior to reading this book, is explained in great detail and is reference throughout the book. The concept is further demonstrated in an example using my favorite security tool, Netcat. People who respond to incidents need to know what to look for. Harlan dives deep into the key items of interest and explains how to pay special attention to volatile information such as system time, network connections, clipboard contents, and mapped drives, to name a few.

Once you have collected your data the author moves into specific chapters on how to analyze and make sense of it. Harlan does a fantastic job of explaining how to analyze memory (dumping the memory, analyzing crash dumps, reading through memory, etc.), analyzing the registry (tracking user activity, explaining how processes autostart from registry entries, etc.), analyzing windows files (working with event logs, common document formats, alternate data streams, etc.), analyzing executable files (static and dynamic analysis), and finally rootkits (detecting and preventing).
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
8 of 8 people found the following review helpful By Cosimo Anglano on September 13, 2007
Format: Paperback
Imagine that you are a computer forensic analyst, and have to answer a question like "is it possible to find out which commands user John Doe ran, and when?", or "is it possible to prove that user X connected the same USB device to these two machines?" (and many others of the same type). Up to a few months ago, your best bet was to knock your head on the monitor, googling on a huge number of sometimes not-always-so-useful computer forensics websites and forums (they seem to sprout like mushrooms, these days), and crossing your fingers hoping to find an answer in the short time left to conclude your investigation.
Fortunately, after the publication of "Windows Forensic Analysis" by Harlan Carvey, you will find answers to these questions (and many more) in a single place, much handier that wandering around the Internet. This book is really a must for everybody working in computer forensics (or planning to do so) -- not necessarily just for windows systems. As a matter of fact, what this book teaches you, besides specific techniques working on Windows, is a methdology by which you can set up experiments that enable you to find answers to your own questions and that can be used also for other operating systems.
The book covers both live response (Chap. 1 and Chap. 2 describe collection and analysis of volatile data, respectively), and post-mortem analysis (Chap. 4, 5, and 6). In addition, two topics not covered by other computer forensics books are Memory Analysis (Chap. 3) and Rootkits Detection (Chap. 7).
The style of the book is a nice mixture of both methodology and practice, and contains the description of many techniques and tools that can be used to properly extract and analyze various type of digital evidence.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse

Most Recent Customer Reviews