Book Review: Windows Forensic Analysis: There are very few books on the topic of Windows forensic analysis, and Harlan Carvey has taken it upon himself to provide the security community with a guided tour of the inner workings of Microsoft operating systems. As Microsoft does not yet offer a forensic track in its training offerings, most forensic knowledge of Windows comes from on-the-job experience or tool-specific training offered by a vendor. This book begins by leading you through the collection of evidence. The author provides you with examples of collecting data from live running systems using commercial tools, tools native to Windows, and advanced Perl scripts which are provided on the accompanying DVD. Locard's Exchange Principle, a principle unknown to me prior to reading this book, is explained in great detail and is referenced throughout the book. The concept is further demonstrated in an example using my favorite security tool, Netcat. People who respond to incidents need to know what to look for. Harlan dives deep into the key items of interest and explains how to pay special attention to volatile information such as system time, network connections, clipboard contents, and mapped drives, to name a few. Once you have collected your data, the author moves into specific chapters on how to analyze and make sense of it. Harlan does a fantastic job of explaining how to analyze memory (dumping the memory, analyzing crash dumps, reading through memory, etc.), analyzing the registry (tracking user activity, explaining how processes autostart from registry entries, etc.), analyzing Windows files (working with event logs, common document formats, alternate data streams, etc.), analyzing executable files (static and dynamic analysis), and finally rootkits (detecting and preventing).
On the cover of the book the author has a quote by Troy Larson, Senior Forensic Investigator of Microsoft's IT Security Group, which states: "The Registry Analysis chapter alone is worth the price of the book." When I first received the book I thought, "Wow, that's a glowing recommendation," and upon reading the book cover to cover I couldn't agree more. I have yet to see a book which takes you through the intricacies of the Windows Registry in such a way that I, being a Linux person, could easily relate to. The rootkit chapter was a little light on content, but the rest of the book makes up for it. There are books out there dedicated to rootkits, and I wouldn't expect the author to provide a book that explains everything about everything and still expect people to be able to carry it with them. The accompanying DVD contains the scripts mentioned in the book, some videos explaining the use of some tools, as well as a bonus folder that contains... well, I'll let you buy the book to find out what cool tools are provided. This book should be on every analyst's shelf, whether they perform Windows forensic analysis as part of their role or think that they might be called upon to do so in a pinch. I also think that this book is a fantastic supplement to any Microsoft training and any security training you may receive in the future. I give this book 4.5 stars as it is easy to read and kept my interest throughout the entire book. Do yourself a favor and pick up this book today.
This book and the Perl scripts should be an essential part of any examiner's toolbox: I met Harlan at an RCFG conference and sat in on his USB/registry lectures, and it was easy to see he knew what he was speaking of. Since I can't have him sitting beside me when I am working, his book(s) are the next best thing. It is easy to read, and Chapter 4 on the registry is gold. I use the Perl scripts constantly - they are simple to use and present the information sought after in an understandable format. Pure and simple, the book is worth its weight in gold.
Highly recommend this book: I have been reading the book intently since its release and have to say I think it is one of the best reference books for forensic examinations of a Windows computer that I have found. The section on live analysis is the most complete reference source that I have and encompasses all the information in one place. The provided scripts and tools DVD is excellent. I would highly recommend the book to anyone working within the forensic computing world.
| Field | Value |
|---|---|
| Author | Harlan Carvey |
| Binding | Paperback |
| Dewey Decimal Number | 363.250968 |
| EAN | 9781597491563 |
| Edition | 1 |
| ISBN | 159749156X |
| Number of Pages | 416 |
| Publication Date | 2007-04-24 |