Review - Windows Forensic Analysis

I was doing some thinking lately and I realized that there's something commonly missing from our field - Reviews. (surprise!)

Not just peer reviews but reviews of tools and books on the subject of forensics. As such I think I'm going to start adding reviews to this blog. You won't see me adding "stars" to the reviews as I don't put much value in this type of rating. Rather I'll be rating the books/tools on how useful they are and have been to me.

Up first is my most recent read: Windows Forensic Analysis by Harlan Carvey. I own both of Harlan's books, and having participated in a number of the same venues as Harlan for a few years and seen where his research was going, I was really anticipating this new addition to my bookshelf.

The book begins with some of my favorite subjects such as live response collection and analysis. These chapters of the book pick up where I believe Harlan left off with his first book on the subject of Windows Incident Response. I probably won't do this type of review very often since many books contain too many chapters; however, with 7 chapters, this book was digestible and I think a chapter by chapter highlight review works.

Chapter 1: Live Response - Data Collection.

This chapter provides some great insight into the mind of the Incident Responder and the focal points of a live response: what to collect, what not to collect, suggestions on how to collect, common tools, their usage and output, and my personal favorite - an introduction of methodology. This is something that's missing from a lot of other books: useful methods providing guidance.

Chapter 2: Live Response - Data Analysis.

Of all of the great chapters in the book, I was perhaps the most disappointed by this chapter. It's one of the shortest in the book and doesn't cover much in the way of analysis. I would have loved to see a scenario where multiple disparate volatile data sources are pulled together to reconstruct the events.

Chapter 3: Memory Analysis

This chapter was one of the better, more informative chapters of the book. Memory analysis is relatively new (just 2 years) and Harlan does a fantastic job of detailing the intricacies of how processes and threads are structured and created, and how to collect this information and present it in a usable format.

Chapter 4: Registry Analysis

Troy Larson was telling the truth. I've already referred to this chapter a few times.

Chapter 5: File Analysis

This chapter, like the book as a whole, fills several important gaps in what's currently "out there". The event log detail and analysis is second to none, and I've also used this as a reference a few times already.

Chapter 6: Executable File Analysis

I enjoyed this chapter because it included PE header analysis. While there are several books and papers on this subject, Harlan details import and export tables which you don't see elsewhere.

Chapter 7: Rootkit detection

This is another short chapter but it includes a variety of tools that are used in rootkit detection, some of which I hadn't come across.

Bonuses:
Did I mention that Harlan writes some of the best and most useful scripts around? The DVD is full to the brim with scripts to collect and analyze all types of data. I've used several of these scripts already in my day to day operations and in my honeynet.

Final notes:
This book fills a very important gap on the subject of Forensics. Harlan manages to cover topics that I've not seen elsewhere, and he's included relevant and accurate information based on a lot of research and practical experience. This book is a strong and really useful reference, and it belongs on your shelf within easy grasp. Even though it's new, I've already used it several times as a reference.
Favorite Chapters: 1,3,4,5,6
