on July 5, 2007
I loved Windows Forensic Analysis (WFA). It's the first five star book from Syngress I've read since early 2006. WFA delivered just what I hoped to read in a book of its size and intended audience, and my expectations were high. If your job requires investigating compromised Windows hosts, you must read WFA.
Let me name three aspects of WFA that really sold me. First, the subject matter is exactly what I wanted to read. The book does not repeat basic or fundamental material you can (and should) read elsewhere, like working "crime scenes," hard drive image acquisition, and the like. I recommend the recent book Windows Forensics by Chad Steel (4 stars) as a great first book to read before WFA. The two are sufficiently different yet complementary to warrant reading both, in fact. In addition to not repeating material, WFA covers very recent (late 2006, early 2007) activity in Windows forensics that are not addressed by other books. The chapter on Windows memory analysis (ch 3) was even better than the Registry chapter that everyone likes. WFA cites plenty of outside sources in a way that doesn't confuse the reader and enriches the learning process.
Second, WFA introduces a vast number of tools to help investigators implement the concepts author Harlan Carvey explains. Many of the tools are Harlan's own work and are included on the book's DVD. The DVD even contains movies showing how to use some of the tools, like Harlan's Forensic Server Project. Many tools that were new to me appear in the book, but well-known commercial suites like EnCase do not. This is great; if you want to know EnCase, read the (3 star) book on it I reviewed last year. I intend to integrate many of these tools into my own CIRT's response processes.
Third, Harlan brings a lot of experience to WFA. He cites plenty of examples and niche topics that I haven't seen elsewhere. I had never heard of using multiple OLE streams to hide entire Word files in Excel spreadsheets and vice-versa. Better yet, Harlan describes how to find these techniques, along with other issues like alternate data streams. Many times multiple ways to approach a problem appear in WFA. Furthermore, Harlan continuously emphasizes implementing repeatable, automated processes to improve the accuracy and scalability of forensic investigations.
There really is no excuse to not read WFA. I think it would be interesting to try some of Harlan's tools and techniques on the images and evidence collected by myself and my Real Digital Forensics co-authors Keith Jones and Curtis Rose. Bravo to Harlan for writing WFA.
on June 11, 2007
There are very few books on the topic of Windows Forensic Analysis and Harlan Carvey has taken it upon himself to provide the security community with a guided tour of the inner workings of Microsoft operating systems. As Microsoft does not yet offer a "forensic" track in it's training offerings most forensic knowledge of Windows comes from on the job experience or tool specific training offered by a vendor.
This book begins by leading you through the collection of evidence. The author provides you with examples of collecting data from live running systems using commercial tools, tools native to Windows, and advanced perl scripts which are provided on the accompanying DVD. Locard's Exchange Principle, a principle unknown to me prior to reading this book, is explained in great detail and is reference throughout the book. The concept is further demonstrated in an example using my favorite security tool, Netcat. People who respond to incidents need to know what to look for. Harlan dives deep into the key items of interest and explains how to pay special attention to volatile information such as system time, network connections, clipboard contents, and mapped drives, to name a few.
Once you have collected your data the author moves into specific chapters on how to analyze and make sense of it. Harlan does a fantastic job of explaining how to analyze memory (dumping the memory, analyzing crash dumps, reading through memory, etc.), analyzing the registry (tracking user activity, explaining how processes autostart from registry entries, etc.), analyzing windows files (working with event logs, common document formats, alternate data streams, etc.), analyzing executable files (static and dynamic analysis), and finally rootkits (detecting and preventing).
On the cover of the book the author has a quote by Troy Larson, Senior Forensic Investigator of Microsoft's IT Security Group which states:
"The Registry Analysis chapter alone is worth the price of the book."
When I first received the book I thought "Wow, that's a glowing recommendation" and upon reading the book cover to cover I couldn't agree more. I have yet to see a book which takes you through the intricacies of the Windows Registry in such a way that I, being a Linux person, could easily relate to.
The rootkit chapter was a little light on content but the rest of the book makes up for it. There are books out there dedicated to rootkits and I wouldn't expect the author to provide a book that explains everything about everything and still expect people to be able to carry it with them.
The accompanying DVD contains the scripts mentioned in the book, some videos explaining the use of some tools, as well as a bonus folder that contains ... well I'll let you buy the book to find out what cool tools are provided.
This book should be on every analysts shelf whether they perform Windows forensic analysis as part of their role, or think that they might be called upon to do so in a pinch. I also think that this book is a fantastic supplement to any Microsoft training and any security training you may receive in the future.
I give this book 4.5 stars as it is easy to read and kept my interest throughout the entire book.
Do yourself a favor and pick up this book today.
on September 13, 2007
Imagine that you are a computer forensic analyst, and have to answer a question like "is it possible to find out which commands user John Doe ran, and when?", or "is it possible to prove that user X connected the same USB device to these two machines?" (and many others of the same type). Up to a few months ago, your best bet was to knock your head on the monitor, googling on a huge number of sometimes not-always-so-useful computer forensics websites and forums (they seem to sprout like mushrooms, these days), and crossing your fingers hoping to find an answer in the short time left to conclude your investigation.
Fortunately, after the publication of "Windows Forensic Analysis" by Harlan Carvey, you will find answers to these questions (and many more) in a single place, much handier that wandering around the Internet. This book is really a must for everybody working in computer forensics (or planning to do so) -- not necessarily just for windows systems. As a matter of fact, what this book teaches you, besides specific techniques working on Windows, is a methdology by which you can set up experiments that enable you to find answers to your own questions and that can be used also for other operating systems.
The book covers both live response (Chap. 1 and Chap. 2 describe collection and analysis of volatile data, respectively), and post-mortem analysis (Chap. 4, 5, and 6). In addition, two topics not covered by other computer forensics books are Memory Analysis (Chap. 3) and Rootkits Detection (Chap. 7).
The style of the book is a nice mixture of both methodology and practice, and contains the description of many techniques and tools that can be used to properly extract and analyze various type of digital evidence.
The accompanying DVD contains a large number of Perl scripts, written by Harlan Carvey, that implement most of the techniques described in the book.
The book assumes that the reader has a basic knowledge of computer forensics, and as such it does not cover computer forensic techniques (like mass storage imaging and file system analysis), but focuses on the analysis of artifacts produced either by the Windows OS or by its typical applications when operated by a user. This makes it unique in the computer forensics book arena, and an invaluable tool in the computer forensic bag of any specialist working in the area (much more valuable than your favourite computer forensic software, since no tool can ever substitute knowledge).
In summary, I totally agree with Troy Larons's quote reported on the book cover ("The Registry Analysis chapter alone is worth the price of the book"), but be assured that also all the other chapters are at the same level of the Registry Analysis one.
on August 26, 2007
I bought this book after reading Richard Bejtlichs review and can say I am not disappointed at all. Clearly this book is well worth the time and the money. After reading just half of the first chapter I was so engrossed I couldn't put the book down. I worked through the entire book, trying most of the tools, advice and experiments/labs that were included. The inclusion of the tools (on the included DVD) not only in Pearl but in .exe format was really a great touch. I'd consider this one of the best books written, not just for forensics but for a deeper understanding of Windows itself.
on March 13, 2008
Harlan poured his clear love of incident response and of the forensic profession into this book. Windows Forensic Analysis dives into many exceptional topics that are routinely overlooked in similar material. The entire book covers many novel analysis techniques and topics, the registry analysis chapter and the file analysis chapter discusses many detailed artifacts and areas of examination during forensics that up until this was published was only discussed deep inside forensic circles or discovered through hard earned on-the-ground experience. The book's only drawback is that it covers too many topics and the chapters do not flow together as well as I would have hoped. A single chapter is excellent, but in many cases it doesn't lead you to the next one. I also found that the entire book could have been written on just registry forensics. However, in order to create broad appeal, the registry section was probably shortened. You can tell Harlan has a lot more to tell. Finally, the CDROM companion could have had more polish to the file layout as finding some of the tools is slightly confusing upon initial glance. Even with these minor drawbacks, the information in each chapter is phenomenal. I recommend this book to anyone looking to advance their understanding of the Windows analysis environment.
on April 23, 2008
I purchased this book a few days ago, and as soon as I read the first chapter, I realized that I needed to read the entire book as quickly as possible. This is a wonderful book, and parts of it truely invoked a state of "nerdvana" in me!
First, I will say that the information in this book is tightly packed. There is no unnecessary verbage, and the writing is direct, to the point and understandable. There is a high ratio of technical content to noise, and this greatly contributed to my enjoyment of the book. Even in the technical areas that I was already familiar with, I found the summary of the information to be precise, accurate and helpful. I can see keeping the book around as a reference guide for years to come. The general structure of the book, for example the sections in grey boxes with the [!] annotation, works well, and the end-of-chapter summary and review (particularly the Q&A) are good.
There were several sections, ones that I was personally weak in to start with, that I found particularly helpful, such as the sections on analyzing packed or compressed executables and malware. I had just never gotten around to reading the whitepapers on these, and I'm glad I didn't as those chapters of the book summarized in a few pages what would have taken many more to pick up by reading other original sources. I personally thought that the chapter-to-chapter flow of the narrative was fine for anyone who does incident response on a regular basis.
Through the years, Harlan Carvey has developed and made available his tools in an open (perl) format with no need for compensation. The tools on the DVD alone are worth the money of the book, and are a great addition to any IR toolkit. The references to third party tools, many of which I hadn't heard of, were also particularly helpful.
If you are not very technical, or not very familiar with the Windows operating system, you may be overwhelmed by the level of technical detail. If you are an experienced administrator, however, you should be able to adapt what you know about other operating systems (e.g. file structures, process execution, etc.) fairly easily. There were a few typographical errors in the book that didn't detract from its readability or technical accuracy.
All in all, and excellent book, and a must-have for ANY windows incident responder.
on March 16, 2008
Harlan Carvey's book, Windows Forensic Analyisis, is an invaluable resource in any computer forensic examination of a Windows based computer. In real-life experience, I had a case where I had to determine file use by a former employee. The company never took the computer out of service and continued to use the machine after the employee left the company. By using the information in Windows Forensic Analysis on system restore points and MRU registry entries, I was able to determine not only what files were used but on what days. This book is one of the first I look to when I have questions on examining Windows systems. If you only have one reference book for Windows examinations, this should be the one. A must-have for any computer forensic examiners library!!
on October 5, 2007
This book is essential for understanding how to analyze memory dumps, albeit many forensic investigators will usually turnoff a computer instead of getting a memory capture to do a more traditional analysis.
The included scripts are very helpful. This book unlike many other books in this genera is designed for the technical professional. Forensic analysis is often like a who done it mystery, and having some more tools in your toolkit will assist you in thinking outside the box. The registry analysis was thorough and essential for a recent project. The memory dump analysis scripts were helpful in a recent Defcon Capture the Flag Competition. A sample chapter is avaliable online.
on December 2, 2007
Once again Harlan Carvey has provided a resource worth every penny. The chapters detailing registry and memory analysis alone were extremely valuable to me. The accompanying DVD provides countless Perl scripts to assist in the collection and sorting of data.
on April 4, 2010
This book is a great book for both professionals and beginners in Cyber Forensic Investigation. It is obvious that the author had an extensive research about Windows Forensic Analysis with many cross references in the book and to the online resources.
The Windows Registry chapter is one of the best chapters; rarely you can find such a detail information about Windows Registry Analysis.
You must have it if you are dealing with computer crime investigation!