Tuesday, April 10, 2012

Review of Windows Forensic Analysis and Windows Registry Forensics


Both "Windows Forensic Analysis (Third Edition)" and "Windows Registry Forensics" are authored by Harlan Carvey, who has written several other books on digital forensics.  This will be a short review of both books.  I really enjoyed both of these books.  If you've ever read anything from Harlan, you know his writing style is very easy to follow and understand.  Each book is laid out in a way that maps naturally onto how the material is applied in practice.

Windows Forensic Analysis is the third installment of Harlan's Windows forensics books; however, as he says in the intro, you should think of it as a companion to the second edition rather than a rewrite that replaces it. This book includes all the latest information from the Windows 7 release.  Topics such as volume shadow copies, application analysis, and a summary of registry analysis provide great insight into Windows artifacts.  The chapters on malware detection and timeline analysis are especially exceptional.

I like to think of Windows Registry Forensics as an extension of the Windows Forensic Analysis books.  The Windows registry is a treasure trove of evidence for analysis.  Windows Registry Forensics does an excellent job of not only outlining most of the known artifacts but also giving you background on the available tools that can be used to analyze them.  The case studies are especially helpful in relating the discussed artifacts to practical experience.

Both books are fantastic, and I would highly suggest adding them to your digital forensics library and putting them next to at least the second edition of Windows Forensic Analysis.  Honestly, I feel like all three books should be considered one big compendium on Windows digital forensics.  I would also say that, at this point, there isn't a better collection of material on the subject of Windows analysis.  If possible, I would recommend setting up a lab with various Windows machines so you can test and play with all of the artifacts you will learn about.  That will also give you a chance to install the various tools mentioned in the text and test them out for yourself.

1 comment:

  1. Thanks for taking the time to review the books, and thank you for such positive comments!
