Wednesday, February 2, 2011

Book Review: Windows Registry Forensics

Harlan Carvey has done it (again) and continues to raise the bar. This is a must-read for the digital forensic analyst! Harlan has brought his many years of experience and research in forensic analysis of the Windows registry into one book. As Rob Lee (SANS Institute) stated, “Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case.”

Dave Hull, fellow SANS Computer Forensic blog editor and SANS Instructor, is the Technical Editor for Windows Registry Forensics (WRF).

The book contains sidebars, tips, notes, and the various registry forensic analysis concepts that the author highlights. Of course, this book wouldn’t be complete without tools: the Windows Registry Forensics paperback includes a CD with the forensic tools and code (written in Perl, of course) discussed in WRF.

In Chapter 1 (Registry Analysis), Harlan goes into the structure of the registry, which is binary data that is, for the most part, invisible to the user. The nomenclature of the Windows registry (i.e. keys, subkeys, values, and data) and the analysis of registry cell structure data are covered thoroughly in this chapter.

In Chapter 2 (Tools), Harlan introduces the reader to free and open-source tools that can immediately be used for his or her own analysis of registry artifacts, such as RegRipper, Autoruns, Regshot, and MiTeC Registry File Viewer (RFV). This chapter walks the reader through live response and forensic analysis of registry artifacts using various free tools.

Chapter 3 (Case Studies: The System) and Chapter 4 (Case Studies: Tracking User Activity) go hand in hand. These chapters are the practical application portion of the book, providing the reader with real-case examples and outlining registry forensic artifacts (or the lack thereof; remember, the absence of an artifact is itself an artifact). Harlan discusses how to crack the SAM using free tools (e.g. Cain, OphCrack). I’ve read a lot of material over the last few years covering USB device artifacts, and I had not seen a more detailed analysis of USB artifacts through registry forensic analysis until reading Windows Registry Forensics. The case study chapters also cover real-world scenarios (e.g. The Trojan Defense, Tying It Together) and how the analyst’s investigative goals can be guided by registry analysis during an intrusion investigation or forensic examination.

In summary, there are a few grammatical and “print shop” errors that should have been caught by the publisher prior to printing the book; however, that does not keep me from giving this book a 5-star review. Once an author submits a final manuscript to a publisher, the publisher is responsible for ensuring the book and its content are print (“showroom”) ready. Once again, Harlan has delivered an exceptional reference book to the digital forensic community!

What I’ve taken away from this book is the registry key structure and its nomenclature, key time stamps (data correlation and understanding LastWrite times), deleted registry keys, and the registry redirector (i.e. how a 64-bit OS handles registry access by 32-bit applications). If you want to sharpen your forensic analysis skills, look no further than Windows Registry Forensics. There’s a key for that!
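As an added illustration of the cell structure, LastWrite times and deleted keys mentioned above (my own example code, not code from the book or its CD), the snippet below parses "nk" key-node cells from a hive buffer. The sample cells are constructed in the script; the field offsets assumed (flags at 0x02, LastWrite FILETIME at 0x04, name length at 0x48, name at 0x4C) are those of the documented hive format, and a positive cell size marks a free cell, which is how a deleted key still sitting in hive slack is recognised.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_nk_cell(cell):
    """Parse one cell holding an 'nk' key node. The 4-byte signed cell size comes first:
    negative = allocated (live key), positive = free, i.e. a deleted key still in slack."""
    size = struct.unpack_from("<i", cell, 0)[0]
    body = cell[4:4 + abs(size)]
    if body[0:2] != b"nk":
        raise ValueError("not an nk cell")
    flags, lastwrite = struct.unpack_from("<HQ", body, 2)    # flags @0x02, LastWrite @0x04
    name_len = struct.unpack_from("<H", body, 0x48)[0]        # key name length @0x48
    raw = body[0x4C:0x4C + name_len]                           # key name @0x4C
    # KEY_COMP_NAME (0x20) marks an ASCII name; otherwise the name is UTF-16LE
    name = raw.decode("ascii") if flags & 0x20 else raw.decode("utf-16-le")
    return {"name": name, "allocated": size < 0, "lastwrite": filetime_to_datetime(lastwrite)}

def walk_cells(data):
    """Walk back-to-back cells and yield every nk node, deleted (free) ones included."""
    off = 0
    while off + 4 <= len(data):
        size = struct.unpack_from("<i", data, off)[0]
        if size == 0:
            break
        cell = data[off:off + abs(size)]
        if cell[4:6] == b"nk":
            yield parse_nk_cell(cell)
        off += abs(size)

def build_nk_cell(name, lastwrite, allocated=True, flags=0x20):
    """Build a constructed nk cell for this demo (not taken from a real hive)."""
    body = bytearray(0x4C)
    body[0:2] = b"nk"
    ticks = int((lastwrite - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<HQ", body, 2, flags, ticks)
    raw = name.encode("ascii") if flags & 0x20 else name.encode("utf-16-le")
    struct.pack_into("<H", body, 0x48, len(raw))
    body += raw
    total = 4 + len(body)
    total += (-total) % 8                               # cells are 8-byte aligned
    body += b"\x00" * (total - 4 - len(body))
    return struct.pack("<i", -total if allocated else total) + bytes(body)
# Constructed sample: a live key followed by a deleted key left behind in slack.
SAMPLE = (build_nk_cell("MountedDevices", datetime(2011, 2, 2, 12, tzinfo=timezone.utc))
          + build_nk_cell("Run", datetime(2010, 12, 24, 8, 30, tzinfo=timezone.utc), allocated=False))
```

Running `list(walk_cells(SAMPLE))` reports both keys with their LastWrite times in UTC, the second flagged as not allocated.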