21 of 22 people found the following review helpful
on June 7, 2009
Format: Paperback | Verified Purchase
The second edition of Harlan's book nicely complements the first and is essential reading for practitioners at all levels. For those of us who primarily engage in exams of acquired images, the chapters on Registry Analysis, File Analysis, Executable Analysis, and Rootkit Detection provide and build upon basic concepts that go beyond what is taught in beginning and intermediate computer forensics courses.

The registry analysis chapter is particularly valuable and one that I draw on repeatedly. The accompanying DVD, with its scripts, not only provides tools to gather the data that Harlan describes, but provides a means to learn while you read by taking a hands-on approach to registry analysis.

The chapter on file analysis teaches fundamentals of system files and logs that can provide key evidence in an exam. It explains not only what may be found, but how to get it and why it got there. These are the types of issues that can aid immeasurably when it comes to report writing and courtroom testimony. Similarly, the discussions on malware, rootkits, and executables provide guidance and solutions to considerations of whether an uninvited influence played a role in data arriving on, or departing from, a system.

For those who don't engage in incident or live response at the moment, the time is fast approaching when that aspect of forensics is going to be vital to us all. Harlan explains what information is available, and he describes the methods and tools with which we can acquire volatile data and access information that's gone once the plug is pulled. Harlan brings together this area of his book with a discussion of analyzing the data.

In sum, this is a great work that is suited to those who have had basic computer forensics training as well as examiners who have been practicing for a long time. Things change every day, and WFA II provides a means to keep pace.
16 of 19 people found the following review helpful
on June 21, 2009
Format: Paperback
In ancient times, when philosophers and scientists gathered to discuss and debate important topics, people would travel for weeks and months to arrive, just to hear the debates. To listen to the great minds of the time, to learn from them, and on occasion ask questions. In 2009 that trend continues though in a different fashion.

In the case of Windows Forensic Analysis we are fortunate enough to have Harlan Carvey. He has a deep well of knowledge to pull from and he continues to pull buckets of information out of the well to keep us all well hydrated. I was honored to read this book, and it's my privilege to write a review. It's the least I could do.

It's a text book, it's a field manual, it's reference material. This is Windows Forensic Analysis Second Edition and it's the best damn book on the planet for Windows Forensics. I thought I liked the first edition and then I read the second.

It's been updated to be sure, but it's also been expanded. There's current information contained in the over 400 pages of content. There are case studies, there are details you won't find elsewhere.

Want to know how to dump memory and collect volatile data? It's in the book.
Can't recall which tool has certain limitations or what the tool can do? It's in the book.
Want to know how to analyze volatile data? It's in the book.
Want to learn how the registry works? It's in the book.
Want to know how to do Windows Forensic Analysis? Read this book.

I've watched the forums and mailing lists since the first edition of the book was released two years ago. Time after time I read the questions being asked and went to the book. In an overwhelming majority of cases, the answer was there. To those of you that asked these questions, do yourself a favor. Go to the bookstore, or online store and buy the book, read it, highlight it, dog ear pages for reference. Make use of the knowledge that has been shared, your clients deserve it.

In ancient times, people would travel for weeks or months to listen and learn from the greats... all you have to do is spend a little money and open the book.
7 of 7 people found the following review helpful
on July 23, 2009
Format: Paperback
For several years, Harlan Carvey has led the field in sharing and publishing his extensive knowledge of Windows forensics. The latest edition of Harlan's book does not disappoint, and this updated and revised copy remains THE Windows forensics reference book to have on your shelf. Harlan draws on both his in-depth knowledge of the Windows operating system and his extensive experience in real-world incident response to successfully bridge what is often a gap between the world of the first responder and the world of the forensic analyst. This is particularly appropriate at a time when those roles continue to converge. If there is information to be found on a Windows system (and I think Harlan knows and has documented the Windows registry better than anyone at Microsoft), Harlan will tell you not only where, but also how to find it. But he doesn't stop there; Harlan also provides several open-source (Perl-based) tools on the accompanying DVD to allow you to extract a variety of useful data from a Windows computer to aid you in your investigation. If you want to do two things to aid your incident response / forensics capabilities, then 1. buy this book, and 2. learn Perl!
8 of 9 people found the following review helpful
on September 7, 2009
Format: Paperback
I read and reviewed the 1st Ed of this book in July 2007, and I just finished reading Windows Forensic Analysis 2nd Ed (WFA2E) this weekend. If your job involves investigating Windows systems, you must read this book. It's as simple as that. There is no substitute for this book. It also perfectly complements other solid forensics works already published.

The three main reasons why I liked the 1st Ed hold for the 2nd Ed. The subject matter is exactly what I wanted to read. WFA2E introduces a vast number of tools to help investigators implement the concepts explained by the author. Harlan brings a lot of experience to WFA. Of these three, I really appreciate Harlan's experience. He is constantly "in the fight" so he knows what works and what doesn't. He's been around so long that he knows what he's talking about. If he encounters a problem, he can either try fixing it himself or he is friends with someone who can work the issue. All of these characteristics shine in WFA2E.

I expect to see a 3rd Ed of this book in a few years, incorporating more Windows Vista and Windows 7 material. It might also be helpful to consider techniques for Windows Server and Mobile platforms in the 3rd Ed. Regardless, I will look forward to that book when it arrives because I enjoyed WFA1E and WFA2E so much.
4 of 4 people found the following review helpful
on September 1, 2009
Format: Paperback
I've started reading or read a number of forensic books in the past two years. Though I have yet to read a specific Operating System forensic book, most have generally focused on Windows as the choice for forensic analysis. Of all the books that I have read, I would have to say that by far Windows Forensic Analysis DVD Toolkit second edition is the best.
The author is very thorough without beating a single tool to death. The author covers numerous tools, but continues to stress that having information from one tool does not give the investigator the 'smoking gun' to solving the case. He stresses repeatedly that this is just adding another tool to the investigator's toolbox.
Many books are simply an attempt to sell their book by declaring that if you follow step one, followed by step two, followed by step three, etc., you will suddenly be a master forensic investigator or incident handler. Harlan Carvey never says that reading this book will make you an expert, only that he hopes to enlighten the reader to new tools and techniques. The author makes it very clear that each tool is valuable, but the reader should find the tools that suit their own needs and get the experience necessary to analyze the output.
The book jumps straight into the discussion of volatile data and the importance of capturing it as close to the instance of compromise as possible. I was pleased to see that the author made a point of emphasizing this. There is still a mindset in many situations that pulling the plug is the first thing to accomplish.
The first three chapters are a statement to the importance placed on collecting and analyzing the volatile portion of the incident. Though technically the first two chapters also cover information to tie in the remaining chapters there is always that focus of maintaining data as close to the point of compromise as possible.
The next three chapters cover the static files and registry that a Forensic Analyst will have to review and analyze. The author covers numerous tools as well as providing his tools and his preferences for use.
The last three chapters cover rootkits, tying it together with case studies and then finally Forensic Analysis on a budget.
Throughout the book the author makes references to papers, websites and other books that will provide a much more in-depth discussion of the topics. In every chapter he provides a source for more up-to-date software than what is provided on the DVD.
The author includes numerous tools that are his personal scripts or scripts that he has modified for his use. For the most part his scripts are all Perl based, but again the author shows his flexibility and understanding when he explains why his tools are Perl and not something else. At no point does the author take a "this is the only right way to do it" attitude. It is refreshing to see an unbiased book that is primarily Windows oriented.
With all that being said I would say that grammatical editing could have been a little better. Even with these errors the book was definitely worth buying. We have a copy in our office and I am buying a copy for my own personal use. I would say that if you are doing Windows forensics or have an interest in learning about the current trends in Windows forensics you need to pick up a copy. It will be an invaluable resource.
4 of 4 people found the following review helpful
on September 7, 2010
Format: Paperback | Verified Purchase
I'm extremely impressed with how thoroughly the author covers the methods discussed in this book. Usually when I pick up a book like this I'm prepared for more questions than when I started, but that's not the case with Windows Forensic Analysis. It's elegantly worded and easy to follow which is hard to find when it comes to technical books, especially on a subject like this that can easily intimidate a reader who isn't already a programmer or an industry professional. I almost hesitate to use the term "technical" because that implies you need to be an engineer to understand the subject matter which is not the case here.

I read non-stop for 8 hours straight yesterday and I still didn't want to put it down. Not only that, but today I was able to recall almost all of the subject matter covered without returning to the book for a reminder. This speaks volumes about a book where too often information is easily forgotten if you aren't sitting in front of a computer practicing the methods being discussed as you make your way through it.

As a long time Windows user, this book has helped fill in a lot of blanks, and I feel like I'll have a lot more flexibility and power by employing many of the tools and techniques as an individual who spends a lot of time using Windows. Thank you Harlan!
3 of 3 people found the following review helpful
on June 10, 2009
Format: Paperback | Verified Purchase
When I first started in the field of computer forensics many years ago, there were very few books available on the topic. In recent years, there has been an explosion of books on the market of varying quality.

Harlan's Windows Forensic Analysis is required reading for the professional computer forensic examiner. Harlan's book is one of the few computer forensic books that are discussed and recommended in the places on the Internet where experienced computer forensic examiners meet to discuss forensics.

This is a book that is not only in my technical library, but one that I keep within easy reach when I am performing forensic analysis.

One of the aspects that sets this book apart from many of the other books is the emphasis and detail on the collection and analysis of live data. Harlan has been one of the leading advocates and researchers in this area.

One of the frequent comments about this book is that the registry content alone is worth the price of the book and I am enthusiastic in echoing that sentiment.

Regardless of the forensic analysis task that you have before you or your experience level, this book will be of great use and one that you will likely refer to frequently.

The writing style is very approachable and understandable, and the book's list of technical editor and reviewers reads like a "who's who" of computer forensic experts. Anytime you can get people like Lance Mueller to not only assist with a book, but provide an endorsement on the back cover, you know you have something very unique.
5 of 6 people found the following review helpful
Format: Paperback | Verified Purchase
If you analyze Windows computers for fun or at work you should buy this book. Harlan covers enough new material that really makes the 2nd edition worthwhile.

The book covers a variety of topics from: Collection of Volatile Data, Analysis of Volatile data, Windows Memory Analysis, Registry Analysis, File Analysis, Executable Analysis, Rootkit Detection, a chapter on pulling all the analysis together and finally analysis on a budget.

The chapters on Memory Analysis, Registry Analysis, File Analysis and Executable Analysis have all been expanded. Each of those chapters could be expanded to books on their own, and Harlan has done a great job of covering them in these chapters. The Registry chapter was a bit long and felt like drinking from a firehose of knowledge.

Harlan lists a lot of practical examples which are helpful in each of his chapters. He covers the use of open source tools, commercial tools, and tools that he has created via batch files and Perl scripts. Just the exposure to all the tools available and artifacts listed in the book makes it worthwhile alone. If you have not discovered RegRipper for registry analysis, go check it out; it is awesome!

This book does a great job of giving you an overview of many of the areas of forensic analysis on Windows systems but then gives you enough detail to whet your appetite. The DVD included with the book has many of Harlan's Perl scripts as well as some articles and movies that go over specific topics.

If you perform incident response or have to analyze Windows computers you need this book!
2 of 2 people found the following review helpful
on September 21, 2011
Format: Paperback
I had read WFA 2/e a while back and just kept forgetting to post a review.

One caveat, though... I have not read WFA 1/e, so I cannot compare what differences may exist between the two books. With that said, read on...

Traditional Digital Forensics methodology was to pull the plug from the back of a PC and conduct a "Dead Box" examination. Chapter 1 covers Live Response to a scene, where that thought process may not be the best course of action anymore. It also covers what evidence in memory to collect first before it disappears (volatile data), as well as analyzing that data using the command line.

Chapter 2 (Data Analysis) essentially guides you into taking data that you collected during your Live Response and understanding what it is telling you. Harlan points out that a lot of times "unusual" or "suspicious activity" that an examiner is seeing is due to their lack of familiarity with how the system operates.

Chapter 3 takes the reader through the tools, such as win32dd & Memoryze, and the techniques for conducting an analysis of physical memory (RAM). He also details examining the Hibernation File as part of memory analysis. For an investigation where the responder/examiner was unable to get a "memory dump" from the system prior to shutdown (see "Dead Box" exam reference above), this can be a good source of information (That's right, I am looking at you, fellow LEOs out there).

Moving on, Chapter 4 covers Registry Analysis. Harlan breaks down the structure of the Registry hive files and what information is contained within those files for the reader. It also introduces the reader to Registry analysis using tools that Harlan wrote: RegRipper and Rip/RipXP. Also of note in this chapter is the tracking of USB devices and User activity.

File Analysis is up in Chapter 5. This chapter is very useful if you are an incident responder. Harlan discusses the use and understanding of event logs, as well as helping you understand how timestamps for files are modified. The examination of the Recycle Bin, as well as Restore Points and Volume Shadow Copies, is discussed also.

Chapter 6 goes into static & dynamic analysis of suspicious files, as well as the need to conduct them in a virtualized environment or on a stand-alone workstation. You wouldn't want to conduct an analysis of a possibly malicious file on a production system and risk infecting "mission critical" systems. Also covered is the use of tools like RegShot, Process Monitor and File Monitor for file analysis (as well as others). The static and dynamic file analysis portion of this chapter reminded me of Day 1 of the SANS Reverse Engineering Malware course, where these techniques are fleshed out in more detail. This part of the chapter is a good start for an examiner who has not been able to attend that course.

Chapter 7 defines Rootkits, the dangers that they pose on a system and various software solutions to detect & eliminate them.

Chapter 8 essentially goes on to bring everything together that you learned in the previous chapters through the use of case studies. In my opinion chapters like this one are crucial, as it gives the reader/examiner another perspective at which to conduct or fine tune their own exams through the experience of another (the author).

Chapter 9 ends this book with Reporting and Tools. Reporting is crucial to any investigation. If you cannot convey the steps that you took during an investigation to someone who does not have a technical background, it could lead to less than desirable results. Just imagine testifying in a court proceeding: if you fail to explain (in a human-understandable way) what you did to the housewife, plumber, librarian (you get the point) sitting on the jury, you may harm the prosecutor's/defense attorney's case. You may also harm your credibility, for that matter. The tools listed in this chapter are freely available to use. I'm sure Harlan didn't have the budget to grab copies of commercially available tools. Remember, the free tools are just as good as the commercial ones if you take the time to learn how to use them.

This book is a wonderful resource for any forensic examiner to have on their bookshelf. Thanks to Harlan for writing this for the Digital Forensics community. I know a lot of time & research must go into writing a book such as this and there isn't a ton of money to be made from it.

I look forward to WFA 3/e and its coverage of the Windows 7 Operating System.
2 of 2 people found the following review helpful
Format: Paperback | Verified Purchase
Harlan Carvey is one of the most prolific writers on computer forensics. He has a spare writing style that conveys information directly, without excursions. In short, he is a delight to read.

In this second edition of Windows Forensic Analysis, he broadens the territory to include live system response. His three chapters on the subject are interesting, but not of particular immediate interest to me since I have no call to do such. It is, however, helpful to have the information just in case and Carvey presents it in a coherent manner. His descriptions of the various available are quite good.

Harlan's chapters on Registry and File Analysis are worth far more than the price of the book. He is one of the masters of the arcane innards of the Windows Registry and has written a powerful and useful tool, RegRipper, to make registry analysis far easier and more productive. These two chapters alone make this book a must-have for the active computer forensics examiner.

The chapters on Executable File Analysis and Rootkits, like the earlier chapters on live response, will have limited application for many examiners. However, once again Carvey's writing style makes the information highly accessible, and the chapters are worth reading solely to put their contents in your own memory.

Harlan is quite an accomplished Perl scripter, and the accompanying DVD is crammed with useful Perl scripts he has written. As a courtesy, he has also included the scripts from the first edition of his book, which is very nice of him.

Harlan writes for the person with some experience in the field. For those people, Windows Forensic Analysis 2nd Ed. serves not only as a text, but as a quotable reference as well. There are actually very few solid texts on computer forensics. This is one of them.

Jerry