November 22, 2008
Windows Forensic Analysis Including DVD Toolkit
Author: Harlan Carvey
Creator: Dave Kleiman
Publisher: Syngress
Category: Book

List Price: $59.95
Buy New: $44.92
You Save: $15.03 (25%)
Buy New/Used from $43.88

Avg. Customer Rating: 5.0 out of 5 stars(11 reviews)
Sales Rank: 17275

Language: English
Media: Paperback
Edition: Paperback with DVD
Number Of Items: 1
Pages: 416
Shipping Weight (lbs): 1.4
Dimensions (in): 8.9 x 7 x 1.1

ISBN: 159749156X
Dewey Decimal Number: 363.250968
EAN: 9781597491563
ASIN: 159749156X

Publication Date: April 24, 2007
Availability: Usually ships in 1-2 business days

Customer Reviews:
Showing reviews 6-10 of 11

5 out of 5 stars This is a Must Read before it goes on your reference shelf   October 2, 2007
  2 out of 2 found this review helpful

Oftentimes, when you read reviews of technical books, the reviewers will say, "This book deserves a place on your reference shelf." I have read many and thought the only reason it deserves a place on my shelf is to hold up the other books.

This book presents innovative ideas that will have you sitting at your computer trying the many scripts provided on the accompanying DVD. If you cannot wait and jump right to the Registry analysis chapter, you will not be disappointed. However, I would take each chapter and each set of scripts and examples and walk yourself through what amounts to a multifaceted Windows investigation.

While Harlan Carvey references ProDiscover, and many of the scripts are designed for ProDiscover, this book is not a tutorial for ProDiscover. This book is an in-depth look at Windows, or more importantly the underpinnings of Windows, and what can be discovered with the right mindset and tools.

I for one can only hope that this is not the last of Carvey's books on Windows, Live Response, the Registry and the many ever changing issues facing examiners.



5 out of 5 stars Excellent Book   September 17, 2007
A well-written, easy-to-read must-have for anyone who works in the field of computer forensics.


5 out of 5 stars Not only for the "Registry Analysis" chapter ...   September 13, 2007
  6 out of 6 found this review helpful

Imagine that you are a computer forensic analyst, and have to answer a question like "is it possible to find out which commands user John Doe ran, and when?", or "is it possible to prove that user X connected the same USB device to these two machines?" (and many others of the same type). Up to a few months ago, your best bet was to knock your head on the monitor, googling a huge number of sometimes not-always-so-useful computer forensics websites and forums (they seem to sprout like mushrooms these days), and crossing your fingers hoping to find an answer in the short time left to conclude your investigation.

Fortunately, after the publication of "Windows Forensic Analysis" by Harlan Carvey, you will find answers to these questions (and many more) in a single place, much handier than wandering around the Internet. This book is really a must for everybody working in computer forensics (or planning to do so), and not necessarily just for Windows systems. As a matter of fact, what this book teaches you, besides specific techniques that work on Windows, is a methodology by which you can set up experiments that enable you to find answers to your own questions and that can also be used for other operating systems.

The book covers both live response (Chap. 1 and Chap. 2 describe collection and analysis of volatile data, respectively) and post-mortem analysis (Chap. 4, 5, and 6). In addition, two topics not covered by other computer forensics books are Memory Analysis (Chap. 3) and Rootkit Detection (Chap. 7).

The style of the book is a nice mixture of both methodology and practice, and contains the description of many techniques and tools that can be used to properly extract and analyze various types of digital evidence.

The accompanying DVD contains a large number of Perl scripts, written by Harlan Carvey, that implement most of the techniques described in the book.

The book assumes that the reader has a basic knowledge of computer forensics, and as such it does not cover basic computer forensic techniques (like mass storage imaging and file system analysis), but focuses on the analysis of artifacts produced either by the Windows OS or by its typical applications when operated by a user. This makes it unique in the computer forensics book arena, and an invaluable tool in the bag of any specialist working in the area (much more valuable than your favourite computer forensic software, since no tool can ever substitute for knowledge).

In summary, I totally agree with Troy Larson's quote reported on the book cover ("The Registry Analysis chapter alone is worth the price of the book"), but be assured that all the other chapters are at the same level as the Registry Analysis one.



5 out of 5 stars Not just for forensics, but for a deeper understanding of Windows itself.   August 26, 2007
  6 out of 6 found this review helpful

I bought this book after reading Richard Bejtlich's review and can say I am not disappointed at all. Clearly this book is well worth the time and the money. After reading just half of the first chapter I was so engrossed I couldn't put the book down. I worked through the entire book, trying most of the tools, advice and experiments/labs that were included. The inclusion of the tools (on the included DVD) not only in Perl but in .exe format was really a great touch. I'd consider this one of the best books written, not just for forensics but for a deeper understanding of Windows itself.


5 out of 5 stars Wow -- what a great forensics book -- a must read for investigators   July 5, 2007
  19 out of 19 found this review helpful

I loved Windows Forensic Analysis (WFA). It's the first five star book from Syngress I've read since early 2006. WFA delivered just what I hoped to read in a book of its size and intended audience, and my expectations were high. If your job requires investigating compromised Windows hosts, you must read WFA.

Let me name three aspects of WFA that really sold me. First, the subject matter is exactly what I wanted to read. The book does not repeat basic or fundamental material you can (and should) read elsewhere, like working "crime scenes," hard drive image acquisition, and the like. I recommend the recent book Windows Forensics by Chad Steel (4 stars) as a great first book to read before WFA. The two are sufficiently different yet complementary to warrant reading both, in fact. In addition to not repeating material, WFA covers very recent (late 2006, early 2007) activity in Windows forensics that is not addressed by other books. The chapter on Windows memory analysis (ch 3) was even better than the Registry chapter that everyone likes. WFA cites plenty of outside sources in a way that doesn't confuse the reader and enriches the learning process.

Second, WFA introduces a vast number of tools to help investigators implement the concepts author Harlan Carvey explains. Many of the tools are Harlan's own work and are included on the book's DVD. The DVD even contains movies showing how to use some of the tools, like Harlan's Forensic Server Project. Many tools that were new to me appear in the book, but well-known commercial suites like EnCase do not. This is great; if you want to know EnCase, read the (3 star) book on it I reviewed last year. I intend to integrate many of these tools into my own CIRT's response processes.

Third, Harlan brings a lot of experience to WFA. He cites plenty of examples and niche topics that I haven't seen elsewhere. I had never heard of using multiple OLE streams to hide entire Word files in Excel spreadsheets and vice-versa. Better yet, Harlan describes how to find these techniques, along with other issues like alternate data streams. Many times multiple ways to approach a problem appear in WFA. Furthermore, Harlan continuously emphasizes implementing repeatable, automated processes to improve the accuracy and scalability of forensic investigations.

There really is no excuse to not read WFA. I think it would be interesting to try some of Harlan's tools and techniques on the images and evidence collected by myself and my Real Digital Forensics co-authors Keith Jones and Curtis Rose. Bravo to Harlan for writing WFA.

