Book Reviews: Information Security Books and Product Reviews – Windows Registry Forensics

Book Title: Windows Registry Forensics

Subtitle: Advanced Digital Forensic Analysis of the Windows Registry

Author: Harlan Carvey

Publisher: Syngress

Date of Publishing: February 2011

ISBN(13): 9781597495806

Price (UK&US price – full price, not discounted price): £42.99, $69.25

URL of Publisher Site: Syngress

URL of Amazon UK: Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry

URL of Amazon US:

As an experienced security architect I’ve been reasonably familiar with the “Windows registry” for many years and have frequently used regedit to look at various keys and values (and have sometimes even taken the dangerous step of changing values!). In my vast library I also have a number of books describing the registry, although I have to say they are somewhat ancient. However, it was not until I read this book that I really appreciated the vast amount of information contained in the various registry files. Indeed, I was not aware of the forensic importance of these files.

The book is not large, it only contains 206 pages, and comprises four chapters. The first chapter defines what “registry analysis” is and then goes on to describe the Windows registry and the various “hives” that constitute the registry. It introduces the reader to the concept that almost any interaction with a Windows system will leave a trace and hence potentially be forensic evidence. Chapter two describes a number of registry analysis tools, some of which the author produced. Most of the tools mentioned are open source and are freely available. In fact, a number of the tools are included on the accompanying DVD. As the author freely admits he is a Perl “nut”, so it is not surprising that the DVD contains the Perl source code of some of the tools. It is also interesting to note that some of these tools are extensible using plug-ins, and the author provides guidance on producing plug-ins. The third chapter provides case studies on analysing the various system hives and provides examples of how to obtain various types of forensic evidence from the registry. The final chapter is very similar to the previous chapter, but this one focuses on tracking user activity.

Don’t expect the book to provide an exhaustive list of registry keys and values useful to an investigator; rather, it provides the reader with a solid background in registry forensic analysis. A background sufficiently strong for the reader to continue their reading and research on the subject. Having said that, I believe the book would have benefited from having an appendix with key (sorry for the pun) values in the various hives.

As mentioned previously, the book comes with a DVD containing a number of tools. The tools vary from those that allow an investigator to search for information that is not normally accessible to tools that can “rip” information from the hives. Of note is the RegRipper tool.

Closing summary

An extremely useful book for a forensic investigator, even an experienced one. I would not hesitate in recommending this book to anyone – but why only 4 stars? Basically, I don’t believe it’s fantastic value for money, especially as it’s only 206 pages long. If it had the appendix I mentioned above, then I would have definitely given it five stars.

Marks: 4 out of 5
