Windows Forensic Analysis Including DVD Toolkit (Paperback)

by Harlan Carvey (Author), Dave Kleiman (Technical Editor)
Key Phrases: registry analysis, collecting volatile data, memory challenge, Live Response, File Analysis, Event Log (more...)

Editorial Reviews

Product Description
The only book available on the market that addresses and discusses in-depth forensic analysis of Windows systems. Windows Forensic Analysis DVD Toolkit takes the reader to a whole new, undiscovered level of forensic analysis for Windows systems, providing unique information and resources not available anywhere else. This book covers both live and post-mortem response collection and analysis methodologies, addressing material that is applicable to law enforcement, the federal government, students, and consultants. This book also brings this material to the doorstep of system administrators, who are often the front line troops when an incident occurs, but due to staffing and budgets do not have the necessary knowledge to effectively respond. The companion DVD for the book contains significant, unique materials (movies, spreadsheet, code, etc.) not available any place else, as they were created by the author.

About the Author
Harlan Carvey developed an interest in computer security while in the military. After leaving active duty, he began working in the area of penetration testing and vulnerability assessments, leading teams of engineers, and developing his own tools to optimize his ability to collect and analyze data. As most clients employed Windows to some degree, Harlan began to see a disparity in knowledge and support for these operating systems, and decided to seize the opportunity and focus on Windows as an area of interest and research. This led him to address topics in incident response and forensic analysis, and to his position as a forensic analyst.
Harlan has been a prolific author and presenter, beginning with the Usenix LISA-NT conference in 2000. He has also presented at Black Hat, DefCon 9, MISTI, and HTCIA/GMU conferences. Harlan has had articles published in the Information Security Bulletin as well as on the SecurityFocus web site, and is the author of Windows Forensics and Incident Recovery.

Product Details

• Paperback: 416 pages
• Publisher: Syngress; Pap/DVD edition (April 24, 2007)
• Language: English
• ISBN-10: 159749156X
• ISBN-13: 978-1597491563
• Product Dimensions: 8.9 x 7 x 1.1 inches
• Shipping Weight: 1.4 pounds (View shipping rates and policies)
• Average Customer Review: 4.9 out of 5 stars See all reviews (14 customer reviews)
• Amazon.com Sales Rank: #161,020 in Books (See Bestsellers in Books)

  Popular in these categories: (What's this?)

  #19 in	Books > Computers & Internet > Security & Encryption > Forensics
  #23 in	Books > Computers & Internet > Security & Encryption > Windows Security

Customer Reviews

Most Helpful Customer Reviews

24 of 24 people found the following review helpful:

5.0 out of 5 stars Wow -- what a great forensics book -- a must read for investigators, July 5, 2007

By	Richard Bejtlich "TaoSecurity.com" (Metro Washington, DC) - See all my reviews (TOP 500 REVIEWER)    (REAL NAME)

I loved Windows Forensic Analysis (WFA). It's the first five star book from Syngress I've read since early 2006. WFA delivered just what I hoped to read in a book of its size and intended audience, and my expectations were high. If your job requires investigating compromised Windows hosts, you must read WFA.

Let me name three aspects of WFA that really sold me. First, the subject matter is exactly what I wanted to read. The book does not repeat basic or fundamental material you can (and should) read elsewhere, like working "crime scenes," hard drive image acquisition, and the like. I recommend the recent book Windows Forensics by Chad Steel (4 stars) as a great first book to read before WFA. The two are sufficiently different yet complementary to warrant reading both, in fact. In addition to not repeating material, WFA covers very recent (late 2006, early 2007) activity in Windows forensics that are not addressed by other books. The chapter on Windows memory analysis (ch 3) was even better than the Registry chapter that everyone likes. WFA cites plenty of outside sources in a way that doesn't confuse the reader and enriches the learning process.

Second, WFA introduces a vast number of tools to help investigators implement the concepts author Harlan Carvey explains. Many of the tools are Harlan's own work and are included on the book's DVD. The DVD even contains movies showing how to use some of the tools, like Harlan's Forensic Server Project. Many tools that were new to me appear in the book, but well-known commercial suites like EnCase do not. This is great; if you want to know EnCase, read the (3 star) book on it I reviewed last year. I intend to integrate many of these tools into my own CIRT's response processes.

Third, Harlan brings a lot of experience to WFA. He cites plenty of examples and niche topics that I haven't seen elsewhere. I had never heard of using multiple OLE streams to hide entire Word files in Excel spreadsheets and vice-versa. Better yet, Harlan describes how to find these techniques, along with other issues like alternate data streams. Many times multiple ways to approach a problem appear in WFA. Furthermore, Harlan continuously emphasizes implementing repeatable, automated processes to improve the accuracy and scalability of forensic investigations.

There really is no excuse to not read WFA. I think it would be interesting to try some of Harlan's tools and techniques on the images and evidence collected by myself and my Real Digital Forensics co-authors Keith Jones and Curtis Rose. Bravo to Harlan for writing WFA.

9 of 9 people found the following review helpful:

5.0 out of 5 stars Not just for forensics, but for a deeper understanding of Windows itself., August 26, 2007

By	Nikk Gilbert (Paris, France) - See all my reviews

I bought this book after reading Richard Bejtlichs review and can say I am not disappointed at all. Clearly this book is well worth the time and the money. After reading just half of the first chapter I was so engrossed I couldn't put the book down. I worked through the entire book, trying most of the tools, advice and experiments/labs that were included. The inclusion of the tools (on the included DVD) not only in Pearl but in .exe format was really a great touch. I'd consider this one of the best books written, not just for forensics but for a deeper understanding of Windows itself.

12 of 13 people found the following review helpful:

4.0 out of 5 stars Book Review: Windows Forensic Analysis, June 11, 2007

By	Andrew Hay "RHCE, Security+, GSEC, GCIA, GCIH... (Fredericton, New Brunswick, Canada) - See all my reviews (REAL NAME)

There are very few books on the topic of Windows Forensic Analysis and Harlan Carvey has taken it upon himself to provide the security community with a guided tour of the inner workings of Microsoft operating systems. As Microsoft does not yet offer a "forensic" track in it's training offerings most forensic knowledge of Windows comes from on the job experience or tool specific training offered by a vendor.

This book begins by leading you through the collection of evidence. The author provides you with examples of collecting data from live running systems using commercial tools, tools native to Windows, and advanced perl scripts which are provided on the accompanying DVD. Locard's Exchange Principle, a principle unknown to me prior to reading this book, is explained in great detail and is reference throughout the book. The concept is further demonstrated in an example using my favorite security tool, Netcat. People who respond to incidents need to know what to look for. Harlan dives deep into the key items of interest and explains how to pay special attention to volatile information such as system time, network connections, clipboard contents, and mapped drives, to name a few.

Once you have collected your data the author moves into specific chapters on how to analyze and make sense of it. Harlan does a fantastic job of explaining how to analyze memory (dumping the memory, analyzing crash dumps, reading through memory, etc.), analyzing the registry (tracking user activity, explaining how processes autostart from registry entries, etc.), analyzing windows files (working with event logs, common document formats, alternate data streams, etc.), analyzing executable files (static and dynamic analysis), and finally rootkits (detecting and preventing).

On the cover of the book the author has a quote by Troy Larson, Senior Forensic Investigator of Microsoft's IT Security Group which states:

"The Registry Analysis chapter alone is worth the price of the book."

When I first received the book I thought "Wow, that's a glowing recommendation" and upon reading the book cover to cover I couldn't agree more. I have yet to see a book which takes you through the intricacies of the Windows Registry in such a way that I, being a Linux person, could easily relate to.

The rootkit chapter was a little light on content but the rest of the book makes up for it. There are books out there dedicated to rootkits and I wouldn't expect the author to provide a book that explains everything about everything and still expect people to be able to carry it with them.

The accompanying DVD contains the scripts mentioned in the book, some videos explaining the use of some tools, as well as a bonus folder that contains ... well I'll let you buy the book to find out what cool tools are provided.

This book should be on every analysts shelf whether they perform Windows forensic analysis as part of their role, or think that they might be called upon to do so in a pinch. I also think that this book is a fantastic supplement to any Microsoft training and any security training you may receive in the future.

I give this book 4.5 stars as it is easy to read and kept my interest throughout the entire book.

Do yourself a favor and pick up this book today.