17 of 18 people found the following review helpful
on October 9, 2006
I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WA. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.
In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried to not let those facts sway my reviews.
WF is a great guide to forensic investigation of Windows. By this I mean WF presents Windows from the perspective of the important directories, files, and registry entries that help an analyst discover malfeasance. WF also covers some of the core applications one would expect to review during host-based forensics, like email, Web browsing history, and P2P application usage. I expected coverage of popular Windows application formats relevant to investigations, like .doc, .ppt, and .xls, but those were missing.
WF addresses the core operational aspects of host-centric forensics, like forming a team and acquiring evidence from live and dead targets. I did not think these sections were as good as material from what I consider the book best suited for all-around hands-on forensic use -- "Incident Response: Computer Forensics, 2nd Ed" by Mandia, Prosise, and Pepe. Live response is one area where I thought WF didn't shine too brightly. I did like the frequent mini-case studies which shared stories from the author's investigative experiences.
A few other aspects of WF resulted in me offering a four star review. I thought the discussion of "vampire taps" on p 157 revealed a real lack of contact with modern network monitoring methods. I don't know anyone who uses or recommends such a contraption in an era of network taps. I continue to question the need to build so-called "sniffing cables," especially when proper interface configuration serves the same purpose. Furthermore, a remotely managed sensor will not be able to hide its traffic on the network anyway, so savvy intruders can usually find them (unless a completely separate management network is run out-of-band). "Chapter 7" was also way too short -- 2 pages!
Although I liked the case studies, I thought there were far too many "gray box" entries. These contain useful hints, but their frequent appearance sometimes interrupted flow of the book. This indicates a need for better organization. Finally, I felt the recent Syngress book "Winternals" did a decent job explaining how to analyze malware, rootkits, and rogue processes on Windows. WF didn't explore this key aspect of Windows incident response.
Overall, however, I would recommend reading WF if you need to understand data sources from Windows systems. I suggest concentrating on the sections that explain where you'll find quality information on Windows, and rely on other sources for generic forensics guidance. I could see readers using WF as a primer for learning about key Windows artifacts, then searching for them in the image files in "Real Digital Forensics."
17 of 19 people found the following review helpful
I have to say, like the next geek, I get frustrated by the lack of Linux/Unix use on the desktops of the corporate world; however, the fact is that Windows desktops outnumber Linux/Unix desktops by way more than 100:1. For this reason, it has been very frustrating to me that so many security books focus on Linux/Unix. I don't care if it's the best platform (though I agree); it's not the most common and we need tools on and for Windows.
This book tells you how Windows file systems work and how to perform forensic analysis on these systems. However, it's more than this - it is a great all around book on forensics analysis and the computer crime investigation process. I highly recommend this resource.
Tom Carpenter - Author: CWSP Certification Official Study Guide
11 of 14 people found the following review helpful
on May 24, 2006
Just read through my copy of this book. I do Cisco work as a CCSE and SANS certified network security specialist, but have been called on to do some investigations at work as the resident "security geek".
I read Brian Carrier's book on file system forensics, which is much deeper into data structures and is a very good book, but this book gives a better holistic look at investigations. We run a mostly Windows shop, and I'm happy to see a book that doesn't just cover Unix stuff. I want to pick up Windows Forensics and Incident Recovery next and see how they compare.
on April 9, 2012
As a university professor and a forensic computer examiner, this book is a must have for my library. Written clearly and with excellent directions, it give a good foundation to doing computer exams. Although written with Windows XP in mind, the knowledge gained can be extended to Vista and Win 7.