Windows Forensic Analysis Toolkit, Third Edition

Author: Harlan Carvey
Pages: 296
Publisher: Syngress
ISBN: 1597497274

Introduction

As a considerable number of PC users has switched to Windows 7, Harlan Carvey has updated its popular Windows Forensic Analysis Toolkit book to cover the systems running it. Still, many users are have stayed with Windows XP, which makes this book less a replacement and more a companion tome for its previous edition.

About the author

Harlan Carvey is VP of Advanced Security Projects with Terremark Worldwide. He has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. His primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms.

Inside the book

The book starts with a great chapter that explains core analysis concepts – a must read for those only just entering the digital forensics field. The knowledge acquired from this chapter might not be a perfect substitute for experience, but will give aspiring practitioners a sound grounding on which to build on.

For example, here the author spells out the subtle (and not) differences between various Windows versions, and describes in detail the principles that influence digital forensic analysis and warns about the common mistakes made by new analysts (“Focus on the process, not the tools”, “Avoid speculation”, etc.), and he does it so well, that you have the feeling of having an extremely interesting one-on-one lecture from your favorite professor.

Chapter two deals with the need of immediate response to computer security incidents and teaches you how to be prepared to do it, while the next one explains Volume Shadow Copies and how to access them on live systems and within acquired images – all peppered with tips, notes and screenshots.

The next two chapters deal with the analysis of files and data structures available on Windows systems, especially those new to Windows 7, and that of the Windows Registry.

The detection of malicious files within the acquired images also gets a chapter, as finding malware and/or indications of malware having executed on a system at one time has become a task often requested of digital forensic experts. Here you’ll learn what to look for to find the malware’s initial infection vector, its propagation and persistence mechanisms, and the artifacts that will help you discover its presence. This chapter is a great read for malware analysts in general.

Lastly, the author discusses the advantage of timeline analysis (and offers a helpful case study) and the ins and outs of application analysis.

Final thoughts

There is a good reason behind the success of the previous editions of this books, and it has to do with two things: new Windows versions are different enough from previous ones to warrant a new edition and, most importantly, the author is simply that good at explaining things. This edition is no different.