InfoSec Reviews – Windows Forensic Analysis

Book Title:   Windows Forensic Analysis

Subtitle: DVD Toolkit 2nd Edition

Author: Harlan Carvey

Publisher: Syngress

Date of Publishing: June 2009

ISBN(13): 9781597494229

Price (UK & US, full price, not discounted): £42.99, $69.95

URL of Publisher Site: Syngress

URL of Amazon UK web page:  Windows Forensic Analysis DVD Toolkit

URL of Amazon UK (Kindle) web page: Windows Forensic Analysis DVD Toolkit

URL of Amazon US web page: Windows Forensic Analysis DVD Toolkit, Second Edition

URL of Amazon US (Kindle) web page:  Windows Forensic Analysis DVD Toolkit

This 2nd edition of Harlan Carvey’s highly regarded and excellent book on Windows Forensic Analysis is a fantastic uplift from what is probably the best book I own on Windows forensics, especially from a practitioner’s perspective. This 2nd edition works on multiple levels: practical advice and guidance for live Windows forensic analysis, as well as more in-depth discovery guidelines for your work back in the lab, all augmented by real scripts and utilities that will help you retrieve valuable forensic evidence from a target machine.

Chapter 4 on registry analysis is particularly strong, with details on audit policy and event log analysis, wireless SSID discovery, understanding autostart locations, and one of my favourites: the section on how to track USB removable storage devices across Windows systems. The earlier chapters on Windows Live Response and Windows memory analysis are also extremely strong and very useful, with loads of practical tips on extracting and preserving evidence. Chapter 5, on file analysis, is also really useful, with a fantastic discussion of Alternate Data Streams, one of the lesser-understood features of the NTFS file system. Data can easily be hidden inside NTFS using ADS techniques, and forensic investigators should know how to find this stuff and what to do with it.

Chapters 6 and 7 deal with malicious code and understanding executable files, and then delve down into the details of rootkits to see how they may affect a system being investigated, how you might identify that they are present, and what they are doing. Chapter 8 pulls everything together into a series of case studies, where the author walks us through using all the techniques previously discussed. Finally, the last chapter looks at performing forensic analysis on a budget using a bunch of free tools, such as dd for Windows, The Sleuth Kit, PyFlag, hex editors, network tools, and packet capture and analysis tools.

On the DVD there are movies showing a variety of investigation techniques, plus scripts and tools, all of which contribute to this being the best Windows forensic toolkit available today. The only major criticism I have is that Windows 7 is now the primary OS for desktops and the preferred operating system on OEM PCs; although many of the tools and techniques will still be relevant, there are new features that need covering, such as Jump Lists. Highly recommended.

This second edition of Harlan Carvey’s excellent book on Windows Forensic Analysis is a fantastic uplift to what I’d classify as the best book I own on Windows forensics.

Marks: 5 out of 5
*****
