Thursday, June 30, 2011

Road to CCE, Pt. II: Review of Windows Forensic Analysis 2E

“The key to forensic analysis isn’t pushing the button on an application user interface.  After all, as I’ve said time and time again, the age of Nintendo forensics is over!  The key to forensic analysis is understanding what artifacts are available to you and having a logical, reasoned, and comprehensive plan or process for collecting and interpreting data.”  These are the words of Harlan Carvey, the author of Windows Forensic Analysis (as well as other great titles).  Reading that quote within the final part of Carvey’s book really summed up what it was all about, for me.  Truly understanding what information is available to us through thorough examination, and not relying upon a tool, was really the underlying message I got from this book.  That message is spot on to me, and is the reason I picked up this book.  I did not want to become another ‘button monkey’ who had to rely on a program to perform an investigation.  Tools are great when you have the background knowledge necessary to understand what the application is doing in the background, and the value of the information it provides.  That being said, this book is FANTASTIC; obviously, with recommendations from Eric Huber, Rob Lee, and Richard Bejtlich, this really didn’t need to be said.
The first part (chapters 1, 2, and 3) of this book covers the importance of live response to an incident.  It gives you examples of important places to look for and gather crucial data.  It then gives examples of how to analyze the data collected.  Chapter 3 delves into the truly fascinating world of memory forensics and how this portion of analysis should not be overlooked (memory holds a ton of information).  The next portion of the book goes into the various files that can be used in an investigation.  The fourth chapter of the book dives into the deep pool of information that the registry of a Windows system holds.  The fifth chapter covers the other various files that can be obtained, such as event logs, browser history, and the numerous other log files available on systems.  These chapters are very technical and provide a vast wealth of knowledge.  The next portion of the text goes over executable files and rootkits, which covers the interesting ways in which a program operates and can then be altered.  And the final portion of this book ‘ties it all together’ with great examples and provides ways to perform an investigation on the cheap (particularly interesting to me as a student).
This book is an excellent source of information if you’re interested in learning more about what a Windows computer has to offer to your investigation.  I will definitely be keeping this book around for all the great information it provides.  Carvey not only provides a treasure of information, but he provides data within the text so you can get a good look at what sort of information you’re going to want.  To go along with all the miscellaneous data sources, you’re provided with suggestions/recommendations on tools that can help you obtain and analyze that data.  On top of this, there are also tips, notes, and warnings that apply to the topic at hand and help put the provided material into better context.
To sum up, this book is a must for anyone interested in the topic; it reads like a dream for such a technically heavy text.

That is yet another book completed on my list of texts I wanted to finish before moving to a more intensive, hands-on approach to learning forensics.  I will be finishing one last book (to which Harlan Carvey is a contributing author, along with Cory Altheide) before applying everything.  I will be reading Digital Forensics with Open Source Tools next, for obvious reasons; with more hands-on work being the next thing I want to do, why not use open source tools?  I am a bit nervous about the few “not for beginners” remarks in the Amazon reviews, but I always like a challenge.  However, hopefully it will be as good a companion to The Sleuth Kit as some reviews say.  Look for a review in a few weeks!
