27 of 32 people found the following review helpful
An introduction to Windows Registry forensics,
This review is from: Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry (Paperback)
After having read the subtitle -- Advanced Digital Forensic Analysis of the Windows Registry' -- I was a bit surprised to find that this book seems to have its roots in 'the number of analysts ... [who] have no apparent idea of the forensic value of the Windows Registry' as the Preface mentions. This suggests the book is not so much for the advanced analyst, but more of an introduction to the area for those who are not yet proficient in analysing Registry information.
Other areas of the book, such as the description of some of the internal structures of the registry, tend to support this. An advanced book would probably not have omitted a description of the security descriptors on registry keys, for example.
This is probably not obvious to the buyer -- who is likely to go by the subtitle. I bought the book largely on the strength of the title, myself, and while I'm not disappointed, it's not quite the book I hoped for.
To the presumed reader, then, the main value is probably to be found in the two chapters of Case Studies. Here is where the value of the registry in a forensic analysis is most clearly described. These chapters are what beginning registry analysts want to read.
The focus of these chapters, though, is on the information in the registry, not where it is located, or to what extent it can be relied on. This is a deliberate decision of the author, and may be sound enugh. It means, though, that the reader is more drawn into using the author's tools, and less into being able to locate the actual keys and values himself with regedit or other tools. In a text for more advanced users, it would have been been a serious error to omit full key/value descriptions; in this type of book, it may lead to more complexity than is strictly warranted.
So, this is not quite the book for me. I don't mind buying it, but I will not be able to rely on it for reference, so it will end up in the bookshelf. I'd rate it at 3.5, but I do hesitate to round that up to an even four stars, as that is slightly too much, in my opinion.
What would have made me give a higher score?
* Better source references -- as it is, the source references are largely web links to Microsoft's support web site. If there are any references to printed works, I have not noted them. For example:
The author refers to earlier analysis by himself and Cory Altheide on USB artifacts, but so far I have been unable to find a single reference to that. As it's clear from the text that it was published, omitting this reference seems a little odd.
A couple of theses are mentioned: one by Jolantha Thomassen and one by Peter Norris, but none of these are properly referenced. The one by Ms. Thomassen, I was able to find a web link to in a "TIP" sidebar, and the one by Mr. Norris is mentioned in the text as another web link.
And Mark Russinovich's article 'Inside the Registry' mentioned in the text, is not cited either. (It was published in Windows NT Magazine.)
All of these may be available on the web, but as long as such presence is not guaranteed, I feel the proper source references to make are to the actually published texts.
For an introductory book, however, such references may be thought to be a little to academical and over the top -- though in that case, many of the existing references to Microsoft's support web site could not improbably be dropped as well.
* A road map for further studies -- assuming that this particular book is an introduction to the topic, additional sources for continued studies would have been welcome. The preface hints of a wealth of information about the registry, and it is not clear that all aspects have been covered.
I expected to find a mention of Jerry Honeycutt's bok 'Microsoft Windows Registry Guide, 2. ed.' (Microsoft Press, 2005) mentioned, mainly because it describes the practical workings of the registry, and deploying techniques, as well as how to identify what registry settings a particular program modifies. It also documents many registry settings that may be of interest at an investigation, though it's focus is on computer management, not investigations, and it does go into many areas that were not included in the present book, such as registry access rights, and registry auditing.
Additionally, I can't rid myself of a feeling that the book tries t be a little more than just an introduction. Some of the information is not on an introductory level. For example, the note on NoInstrumentation on p. 190 is not obviously of any practical value, as it raises the question what exact information is affected by this setting. To the researcher, though, it is probably the starting point for further experiments.
And I must also admit that some terminological vagueness, spelling errors (the first is on the first text page of the book) and general grammatical and typographical fuzziness helps pull down the score a bit. The book uses '...' which normally indicates deliberate omissions, but here seems to be used instead of dashes -- this is very confusing at first. Proper typography as well as text polishing is generally the job of the publisher, but as the present publisher, Syngress, does not have much of a reputation in this area, it probably should be considered to be part and parcel of buying a Syngress book in the first place, and so not affect the score of any particular title. Still, the presence of it grates.
Additionally, in a book of reference the index would have been diaster. In an introductory book ... well, it may serve some purpose, but it's pretty clear that I can't use it to find anything important. There is, for example, an index entry 'Master boot record) MBR', but as the text it references only covers how to find drive signatures/volume IDs in the MBR, that entry is clearly not specific enough to be useful. More useful would have been to have index entries on 'drive signature' and 'volume ID', but there are none.