Wednesday, February 2, 2011

Book Review: Windows Registry Forensics

Harlan Carvey has done it (again) and continues to raise the bar. It's a must-read for the digital forensic analyst! Harlan has brought his many years of experience and research in forensic analysis of the Windows Registry into one book. As Rob Lee (SANS Institute) stated, “Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case.”

Dave Hull, fellow SANS Computer Forensic blog editor and SANS Instructor, is the Technical Editor for Windows Registry Forensics (WRF).

The book contains sidebars, tips, notes, and various registry forensics analysis concepts that the author highlights. Of course, this book wouldn’t be complete without tools. The Windows Registry Forensics paperback includes a CD containing the forensic tools and code (in Perl, of course) discussed in WRF.
In Chapter 1 (Registry Analysis), Harlan goes into the structure of the registry, which consists of binary data and is, for the most part, invisible to the user. The nomenclature of the Windows Registry (i.e., keys, subkeys, values, and data) and the analysis of registry cell structures are covered thoroughly in this chapter.
In Chapter 2 (Tools), Harlan introduces the reader to free and open source tools that can be used immediately for his or her own analysis of registry artifacts, such as RegRipper, Autoruns, Regshot, and MiTeC Registry File Viewer (RFV). This chapter walks the reader through live response and forensic analysis of registry artifacts using various free tools.
Chapter 3 (Case Studies: The System) and Chapter 4 (Case Studies: Tracking User Activity) go hand-in-hand. These chapters are the practical application portion of the book, providing the reader with real-case examples and outlining registry forensic artifacts (or the lack thereof… remember, the absence of an artifact is in itself an artifact). Harlan discusses how to crack the SAM using free tools (e.g., Cain, OphCrack). I’ve read a lot of material over the last few years covering USB device artifacts, but I had not seen a more detailed analysis of USB artifacts through registry forensic analysis until reading Windows Registry Forensics. The case study chapters also cover real-world scenarios (e.g., The Trojan Defense, Tying It Together) and how the analyst’s investigative goals can be guided by registry analysis during an intrusion investigation or forensic examination.

In summary, there are a few grammatical and “print shop” errors that should have been caught by the publisher prior to printing the book; however, that does not keep me from giving this book a 5-star review. Once an author submits a final manuscript to a publisher, the publisher is responsible for ensuring the book and its content are print (“showroom”) ready. Once again, Harlan has delivered an exceptional reference book to the digital forensic community!
What I’ve taken away from this book is the registry key structure and its nomenclature, key time stamps (data correlation and understanding LastWrite times), deleted registry keys, and the registry redirector (i.e., how a 64-bit OS handles registry access by 32-bit applications). If you want to sharpen your forensic analysis skills, look no further than Windows Registry Forensics. There’s a key for that!

3 comments:

H. Carvey said...

Brad,

Thanks for the review!

What did you think of the content?

Thanks!

Unknown said...

Harlan,
The overall content was great! You touched on many common areas of the registry and a lot of areas where there has been little published research. Chapters 3 and 4 of WRF remind me of Chapter 8 (Tying It All Together) of WFA 2/e. Essentially, taking the reader through a scenario from identifying the forensic artifact to analyzing what that artifact is telling the analyst. In regards to timeline analysis and analyzing time stamps, your thorough explanation of LastWrite time, DateLastConnected times, and correlating registry keys to an event is invaluable. For example, the “ShutdownTime” value maintained in the System hive is often parsed by the analyst when “reg ripping”. Correlating the “ShutdownTime” value with other LastWrite time keys, Event IDs, and system files (e.g., disk.sys) gives “clues” as to when an incident or event occurred on the system. I think you did an excellent job in presenting the importance of an analyst approaching a forensic examination with a broader lens versus basing conclusions off a single value (registry artifact).
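The ShutdownTime correlation described in this comment, and the LastWrite timestamps the review itself singles out, come down to decoding 64-bit FILETIME values and comparing them. The following is an added illustration (not code from the book or its CD): it decodes the REG_BINARY ShutdownTime value and lists the keys whose LastWrite time falls within a window of the shutdown; the key paths other than Control\Windows and all timestamps are constructed sample data, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SHUTDOWN_KEY = r"SYSTEM\ControlSet001\Control\Windows"  # holds the ShutdownTime value


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a 64-bit FILETIME tick count to an aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Encode a UTC datetime as the 8-byte little-endian REG_BINARY form; used here only to build sample data."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks)


def parse_shutdowntime(value_data: bytes) -> datetime:
    """Decode the REG_BINARY data of the ShutdownTime value, which must be exactly one FILETIME."""
    if len(value_data) != 8:
        raise ValueError(f"ShutdownTime is an 8-byte FILETIME, got {len(value_data)} bytes")
    (ticks,) = struct.unpack("<Q", value_data)
    return filetime_to_datetime(ticks)


def correlate(anchor: datetime, lastwrites: dict, window: timedelta) -> dict:
    """Return {key: seconds relative to anchor} for each key whose LastWrite lies within +/- window."""
    hits = {}
    for key, lastwrite in lastwrites.items():
        delta = lastwrite - anchor
        if abs(delta) <= window:
            hits[key] = delta.total_seconds()
    return dict(sorted(hits.items(), key=lambda kv: kv[1]))


def demo() -> dict:
    """Constructed sample: one ShutdownTime value plus LastWrite times for a few keys (not from a real system)."""
    shutdown_raw = datetime_to_filetime(datetime(2011, 1, 31, 22, 15, 7, tzinfo=timezone.utc))
    shutdown = parse_shutdowntime(shutdown_raw)
    lastwrites = {
        SHUTDOWN_KEY: shutdown,  # this key is written as the system shuts down
        r"SYSTEM\ControlSet001\Services\disk": datetime(2011, 1, 31, 22, 14, 52, tzinfo=timezone.utc),
        r"SYSTEM\ControlSet001\Control\Session Manager": datetime(2011, 1, 31, 9, 2, 11, tzinfo=timezone.utc),
        r"NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU": datetime(2011, 1, 31, 22, 13, 40, tzinfo=timezone.utc),
    }
    return correlate(shutdown, lastwrites, window=timedelta(minutes=2))
```

Keys whose LastWrite is far from the shutdown (Session Manager in the sample) drop out, leaving the handful of keys worth examining alongside event log entries and file system timestamps.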

H. Carvey said...

Cool, thanks! When I started writing the book, this is what I thought was important for the reader, to help them understand really how valuable the Registry can be as a forensic resource.

Thanks!