Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your mobile phone number.

Windows Forensics and Incident Recovery PAP/CDR Edition

4.3 out of 5 stars 8 customer reviews
ISBN-13: 978-0321200983
ISBN-10: 0321200985
Why is ISBN important?
This bar-code number lets you verify that you're getting exactly the right version or edition of a book. The 13-digit and 10-digit formats both work.
Scan an ISBN with your phone
Use the Amazon App to scan ISBNs and compare prices.
Have one to sell? Sell on Amazon
Buy used On clicking this link, a new layer will be open
$18.29 On clicking this link, a new layer will be open
Buy new On clicking this link, a new layer will be open
$54.13 On clicking this link, a new layer will be open
More Buying Choices
22 New from $3.50 31 Used from $0.01
Free Two-Day Shipping for College Students with Prime Student Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student

Windows 10 For Dummies Video Training
Get up to speed with Windows 10 with this video training course from For Dummies. Learn more.
$54.13 FREE Shipping. Only 1 left in stock (more on the way). Ships from and sold by Amazon.com. Gift-wrap available.
click to open popover

Frequently Bought Together

  • Windows Forensics and Incident Recovery
  • +
  • File System Forensic Analysis
Total price: $107.60
Buy the selected items together

Editorial Reviews

From the Back Cover

Praise for Windows Forensics and Incident Recovery

"Windows Forensics and Incident Recovery doesn't just discuss forensics, it also includes tools for analysis and shows readers how to use them. I look forward to putting these tools through their paces, and I recommend Carvey's book as a terrific addition to the security professional's bookshelf."
—Warren G. Kruse II, Partner

Computer Forensic Services, LLC

"This book is a good reference for the tools needed to prepare for, respond to, and confirm a Windows-based computer incident."
—Brian Carrier
Digital forensics researcher

"This book provides a unique 'command-line centric' view of Microsoft and non-Microsoft tools that can be very helpful to folks responsible for security and system administration on the Windows platform."
—Vishwas Lele, principal architect
Applied Information Sciences, Inc.

"Harlan Carvey's book serves as a great resource for investigators and systems administrators looking to peek under the hoods of their Windows systems."
—Jason Chan, security consultant

"Regardless of what you know already, you are guaranteed to learn something new about Windows incident response from this book."
—Brian Behler, computer forensics and intrusion analyst/engineer

"Harlan Carvey's vast security and forensics experience shows through in all facets of this work. Many books have attempted to be the prescriptive guide to forensics on the Windows platform. This book not only attempts it, but it succeeds—with guidance to spare."
—Rick Kingslan, Microsoft MVP
West Corporation

"This book is the first to bring together into a single volume the topics of malicious code, incident response, and forensics on the Windows platform. Mr. Carvey's work should serve as a valuable reference for any Windows system administrator or security professional."
—Jennifer Kolde, information security consultant, author, and instructor

"Harlan Carvey's book is a one-of-a-kind approach to do-it-yourself Windows forensics. With detailed and illustrative examples coupled with Harlan's renowned Perl scripts, this book certainly is a great find."
—Mark Burnett, security consultant and author

  • The first book to focus on forensics and incident recovery in a Windows environment

  • Teaches through case studies and real world-examples

  • Companion CD contains unique tools developed by the author.

  • Covers Windows Server 2003, Windows 2000, Windows NT, and Windows XP

If you're responsible for protecting Windows systems, firewalls and anti-virus aren't enough. You also need to master incident response, recovery, and auditing. Leading Windows security expert and instructor Harlan Carvey offers a start-to-finish guide to the subject: everything administrators must know to recognize and respond to virtually any attack.

Drawing on his widely acclaimed course, Carvey uses real-world examples to cover every significant incident response, recovery, and forensics technique. He delivers a complete incident response toolset that combines today's best open source and freeware tools, his own exclusive software and scripts, and step-by-step instructions for using them. This book's tools and techniques apply to every current and professional version of Windows: NT, 2000, XP, and Windows Server 2003. Coverage includes:

  • Developing a practical methodology for responding to potential attacks

  • Preparing your systems to prevent and detect incidents

  • Recognizing the signatures of an attack—in time to act

  • Uncovering attacks that evade detection by Event Viewer, Task Manager, and other Windows GUI tools

  • Using the Forensic Server Project to automate data collection during live investigations

  • Analyzing live forensics data in order to determine what occurred


CD-ROM contains incident response and forensics toolkit code developed by the author, sample network packet captures, as well as data collected from compromised systems using the Forensic Server Project. You can also access Carvey's website at http://www.windows-ir.com for code samples, updates, and errata.


I'd like to start by thanking Larry Leibrock and Jay Heiser for getting me started down this road. Several years ago, I had developed a 2-day, hands-on incident response course for Windows 2000, and Larry provided me with my initial opportunity to teach it at the University of Texas in Austin. This book began its life as the presentation for the incident response course. I had done a technical review of Jay and Warren Kruse's computer forensics book, and Jay provided my name to his former editor as someone who may be interested in writing a book on the subject of Windows security.

Karen Gettman offered me the opportunity to write this book, and I decided to take it. I'd had articles published, but I'd never written a book. Karen and her assistant, Elizabeth Zdunich, kept me on track throughout this process.

I'd like to thank several of the reviewers as well. Of all of the reviewers who've been involved in this process, I'd like to recognize Jennifer Kolde, Mike Lyman, and Jason Chan for their efforts and input. The reviews from these three individuals provided valuable constructive criticism regarding the content and structure of the book. I can't say that I followed all the advice they provided, but I did read and consider everything they said thoroughly. With their help and insight, I didn't feel as if I were working on this book alone. Thanks, guys, for your time and effort. And Jen, thanks for indulging me all those time I'd email you with thoughts about your comments. Those exchanges gave me even more insight into to the content of the book, as well as the subject of incident response on Windows systems, in general.

Finally, and most importantly, I'd like to thank Terri Dougherty. I've written a book, and yet I can't seem to find the words to express my gratitude for your support throughout this process. Thank you. I owe you a debt that I will be repaying for a long time.

© Copyright Pearson Education. All rights reserved.

About the Author

Harlan Carvey¿s interest in computer and information security began while he was an officer in the U.S. military, during which time he earned his master¿s degree in Electrical Engineering. After leaving military service, he began working in the field of commercial and government information security consulting, performing vulnerability assessments and penetration tests. While employed at one company, he was the sole developer of a program for collecting security-specific information (i.e., Registry entries, file information, configuration settings, etc.) from Windows NT systems during vulnerability assessments. The purpose of the product was to overcome shortfalls in commercial scanning products and provide more valuable information to the customer. Harlan has also done considerable work in the area of incident response and forensics, performing internal and external investigations. He has also written a number of proof-of- concept tools for educating users in such topics as Windows null sessions, file signature analysis, and the retrieval of metadata from a variety of files.

Harlan¿s experience with computers began in the early ¿80s, with a Timex-Sinclair 1000. Around that time, he was learning to program BASIC on an Apple IIe. From there, he moved on to computers such as the Epson QX-10 and the TRS-80, on which he programmed BASIC learned PASCAL, using the TurboPASCAL compiler. Since then, he¿s worked with SunOS and Solaris systems, as well as various versions of DOS and Windows, OS/2, and Linux.

Harlan has presented at Usenix, DefCon9, Black Hat, GMU2003 on various topics specific to issues on Windows platforms, such as data hiding. He has had articles published in the Information Security Bulletin and on the SecurityFocus web site.


The latest book club pick from Oprah
"The Underground Railroad" by Colson Whitehead is a magnificent novel chronicling a young slave's adventures as she makes a desperate bid for freedom in the antebellum South. See more

Product Details

  • Paperback: 480 pages
  • Publisher: Addison-Wesley Professional; PAP/CDR edition (July 31, 2004)
  • Language: English
  • ISBN-10: 0321200985
  • ISBN-13: 978-0321200983
  • Product Dimensions: 7 x 1.1 x 9.1 inches
  • Shipping Weight: 1.6 pounds (View shipping rates and policies)
  • Average Customer Review: 4.2 out of 5 stars  See all reviews (8 customer reviews)
  • Amazon Best Sellers Rank: #1,947,261 in Books (See Top 100 in Books)

Customer Reviews

Top Customer Reviews

By Richard L. Bunnell on September 25, 2004
Format: Paperback Verified Purchase
I am a nuts and bolts kind of guy and this book suits me to a tee. Harlan covers the topics thoroughly and has added to my knowledge of forensic methodology and shown me new techniques to discover information the many recent versions of the Windows operating system. He has done his homework, mixed it up with lots of coding examples, and even added some dream weaving to illustrate his points.

He lays the groundwork in chapters one, two, and three so that anyone reading the book will be sure to understand his purpose and see the framework that will be used for a methodology for Windows incident response.

Chapters four and five cover incident response. Among the preventative tools mentioned are group policies and configuration options that can be used on a Windows system so it can be configured to effectively take advantage of native security features. One of the topics in this chapter is using and extending Windows File Protection (WFP). A useful suggestion found here is the extension of WFP to protect static pages located on the root of a web site - especially since there are web site defacements occurring all the time. In Chapter five he covers the collection of volatile and non-volatile information. Although there are many tools out there for collection of this information, many well known to forensic examiners, Harlan progresses in a logical sequence and enumerates the pros and cons of each in a very understandable way. There are many examples of command lines, screen shots, and perl scripts to explain the concepts. In chapter 5 there are 47 web links that can be used to research the tools mentioned.

I had never imagined a dream sequence in a book about computer forensics - but there it was in chapter six.
Read more ›
Comment 15 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring. This is the first computer book that I have read cover to cover in well over 5 years and I have bought a lot of computer books. From the beginning until the end you are bombarded with information that is useful and relevant to today's Windows management. Not only are you told about different tools but are shown how they are used and what benefit they have, not only in incident response but also in daily monitoring.

This book provides so much information it is hard to figure where I wanted to start with building my own incident response toolkit. You are given quite a few options on how to do an analysis and what tools you can use. Carvey leaves it up to you to determine what options you want to use for each analysis. Carvey is like a good parent giving their child all the information they will need in life and letting them apply it how they see fit.

The scripts that are provided with the book are excellent and provide you with a strong base to build your own incident response toolkit. The Forensic Server Project which the author wrote is covered in Chapter 8 and provides an excellent framework that can be tweaked to use your own preferences and scripts of your choosing. The ease and use of using this framework to collect incident information will make the first responders job that much easier considering the first responder will probably be under stress when doing this analysis. The instructions for installing it will very clear and easy to follow and I had it up and testing in a couple of minutes.

I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring.
Comment 8 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
Windows Forensics and Incident Recovery is an invaluable resource for a Windows Administrator. The author points out correctly that an investigation into anomalous computer behavior is often cut short due to a lack of understanding what to look for and the time constraints that all IT departments work under. After presenting tools to reveal hidden processes and information, he presents a methodology to quickly and easily retrieve this information from a machine so that an informed decision as to whether patching, rebuilding or further investigation into the machine in question can be made.

Many of the utilities that are presented in the book will be familiar to most IT professionals. These utilities combined with the Perl scripts included on the companion CD make for a potent investigative tool kit. The step by step guide made installing Perl and integrated modules easy to follow. While Perl may not be a familiar language to many, opening the scripts with Note Pad or a Freeware tool such as Crimson Editor reveals detailed notes as to the purpose of each section of the script. After completing the setup for the Forensic Server Project the reader is rewarded with a powerful incident protocol ready for real world use.

There is also a review of several methods to hide data from within programs such as MS Word or Excel and also the operating system itself. On general security fundamentals Carvey discusses and confirms what should be the mantra of any Microsoft Administrator; patch, monitor and be informed. This book is a great resource for any Microsoft Administrator.
Comment 8 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse

Set up an Amazon Giveaway

Windows Forensics and Incident Recovery
Amazon Giveaway allows you to run promotional giveaways in order to create buzz, reward your audience, and attract new followers and customers. Learn more about Amazon Giveaway
This item: Windows Forensics and Incident Recovery