Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry 1st Edition, Kindle Edition

4.2 out of 5 stars 27 customer reviews
ISBN-13: 978-1597495806
ISBN-10: 1597495808
Editorial Reviews

Amazon.com Review

Harlan Carvey brings readers an advanced book on the Windows Registry. The first book of its kind ever, Windows Registry Forensics provides the background on the Registry needed to develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques are presented that take the analyst beyond the current use of viewers and into real analysis of the data contained in the Registry.

  • Packed with real-world examples using freely available open source tools
  • Deep explanation and understanding of the Windows Registry--the most difficult part of Windows to analyze forensically
  • Includes a CD containing code and author-created tools discussed in the book

An Interview with Harlan Carvey, Author of Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry

Why do you feel a book on the Windows Registry is needed?

The Windows Registry is perhaps one of the least understood sources of digital evidence on a Windows system. Unfortunately, bad guys have used specific locations in the Registry to remain persistent on systems a lot longer than many analysts actually realize. I think that what most analysts don’t realize is that the Registry is an excellent source of both direct and indirect artifacts.

Don Weber, a friend and fellow IBM alum who’s now with InGuardians, was on an engagement where he found that the bad guys were actually storing executable files in binary Registry values. His find makes me wonder how many times this has occurred but not been “seen” because no one was looking.

Intrusions aside, I’ve also dug into the Registry to perform malware detection. As sometimes happens, malware files will change and avoid detection, but as with malware such as Conficker, some Registry artifacts remained relatively stable across the family. The same has been true for the examinations I’ve performed that involved Zeus, or Z-bot. Understanding this has allowed me and others to determine that malware was on a system, when multiple AV scans were negative.

Finally, the Registry contains a wealth of time-stamped data that, when taken in context, can be extremely valuable to an analyst.

Why do you think so many analysts overlook the Windows Registry as a source of data?

For the most part, I think that most analysts really aren’t familiar with the Windows Registry as a source of data. From a purely binary perspective, all the way up to an application-level perspective, I think that most analysts simply aren’t familiar with what is and isn’t in the Registry, and how the Registry can be used to further a wide range of analysis.

Many times, however, when some analysts have become familiar with the Registry as a source of evidence, the pendulum swings too far in the other direction. I’ve seen and received questions along the lines of “where are file copy operations recorded in the Registry?”

As the Windows operating systems become even more sophisticated, analysts who are not actively investigating the Registry now will become completely overwhelmed in very short order.

What is your most memorable experience working in digital forensics?

There’ve been several, and all of them have been like turning a corner and suddenly being face-to-face with someone really famous. Sometimes it’s finding that one artifact that ties everything together, while other times it’s been discovering a whole series of artifacts that are essentially a storyboard or script for what the intruder did while on the system. Sometimes you get lucky and find a log file of what the bad guy did . . . sort of a “/.bash-history” file, but on Windows. Other times, you end up constructing a timeline of system activity from multiple data sources both on and off a system, and when you look at your results, you have what amounts to that storyboard.

Across the board, however, I think that most memorable experiences have come from taking a step back, developing a “new” analysis methodology, and then having that methodology succeed in some pretty amazing and spectacular ways.


Review

"It is no exaggeration to say that nearly everything that happens on a Windows system involves the registry, which makes effective examination of the registry absolutely fundamental to good Windows forensics. By devoting a whole book to this critical Windows artifact, Harlan has delivered a much needed resource to everyone doing forensics investigations of Windows systems. What I appreciate about this book, however, is that it is much more than a mere compilation of registry keys important to forensics investigation. This is a book about how to examine the registry, and it is a good one."

- Troy Larson, Principal Forensic Program Manager, Network Security Investigations, Microsoft

"Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case. Harlan Carvey steps the reader through critical analysis techniques, recovering key evidence of the activity of suspect user accounts or intrusion-based malware. Using his extensive experience and research, Harlan's case studies provide behind-the-scenes details that enable every analyst to utilize these techniques immediately in their own investigations. This book is a must-have reference for current forensic knowledge of the Microsoft Registry, Windows XP through Windows 7, and should become core knowledge for any serious digital forensic investigator."

- Rob Lee, SANS Institute


Product details

  • File Size: 1707 KB
  • Print Length: 228 pages
  • Page Numbers Source ISBN: 1597495808
  • Publisher: Syngress; 1 edition (January 3, 2011)
  • Publication Date: January 3, 2011
  • Sold by: Amazon Digital Services LLC
  • Language: English
  • ASIN: B004JN0CDO
  • Text-to-Speech: Enabled
  • Word Wise: Not Enabled
  • Lending: Not Enabled
  • Enhanced Typesetting: Not Enabled
  • Amazon Best Sellers Rank: #1,155,238 Paid in Kindle Store

