<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Windows Forensic Analysis DVD Toolkit, Second Edition</title>
	<atom:link href="http://www.tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition/feed" rel="self" type="application/rss+xml" />
	<link>http://www.tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition</link>
	<description>Computers&#124;Gadgets&#124;Games N Entertaint&#124;Hardware&#124; Software&#124;Tecno News</description>
	<lastBuildDate>Fri, 10 Feb 2012 16:21:53 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Mitchell Zeno</title>
		<link>http://www.tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-1067</link>
		<dc:creator>Mitchell Zeno</dc:creator>
		<pubDate>Tue, 27 Apr 2010 21:09:33 +0000</pubDate>
		<guid isPermaLink="false">http://tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-1067</guid>
		<description>I just have to say, I enjoy reading your blog. Maybe you could let me know how I can bookmark it? I feel I should let you know I found your website through Bing.</description>
		<content:encoded><![CDATA[<p>I just have to say, I enjoy reading your blog. Maybe you could let me know how I can bookmark it? I feel I should let you know I found your website through Bing.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: J. Murri</title>
		<link>http://www.tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-353</link>
		<dc:creator>J. Murri</dc:creator>
		<pubDate>Sat, 13 Mar 2010 07:12:12 +0000</pubDate>
		<guid isPermaLink="false">http://tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-353</guid>
		<description>Let&#039;s get this out of the way first thing - I&#039;ve been waiting for this book to come out for quite a while. Ever since I had heard that this Second Edition was in the works. I badgered the poor folks at TechnoSecurity 2009 manning the Syngress booth almost every day until they got more copies in. See, the book was debuting there, and the first 250 copies sold out before 11:00 am. I was in sessions and couldn&#039;t get over to buy a copy. The second shipment appeared to sell well also based on the number of folks carrying around a copy. Secondly, my copy of the first edition has sticky notes and dog ears to the point that it looks like...well, let&#039;s just say it&#039;s well used.
&lt;br /&gt;
&lt;br /&gt;This second edition complements and adds to the first edition. If you have the first edition, you will not be disappointed by this second edition. There is enough new material in it (I especially like the new Chapter 8 where Harlan has some specific real-life scenarios that &quot;wrap up&quot; the different topics in the book. Very helpful.) to make it well worth the cash.
&lt;br /&gt;
&lt;br /&gt;Harlan&#039;s writing style is easy to follow and the writing is concise and thorough. Both editions are well researched and the editing is well done. Way too often you find books in this genre filled full of mistakes, typos, etc. Not the case here.
&lt;br /&gt;
&lt;br /&gt;In short - if you have the first edition then keep your well worn copy for reference and buy this second edition. If you do any Windows Forensics, or really any information security work dealing with Windows,  you do yourself a disservice if you do not own this book.
&lt;br /&gt;
&lt;br /&gt;One other thing - I&#039;m recommending this book to Windows System Admins I know. While this is not a book that gets deep into the bowels of Active Directory, etc. it does give an Admin an insight into Windows that they really can&#039;t get in the other texts they most likely have in their possession. If you&#039;re an infosec guy/gal who works (or struggles) with Windows admins in your company - or if you are a consultant that deals with a lot of Windows admins - buy or recommend a copy of this book to them. 
Rating: 5 / 5</description>
		<content:encoded><![CDATA[<p>Let&#8217;s get this out of the way first thing &#8211; I&#8217;ve been waiting for this book to come out for quite a while. Ever since I had heard that this Second Edition was in the works. I badgered the poor folks at TechnoSecurity 2009 manning the Syngress booth almost every day until they got more copies in. See, the book was debuting there, and the first 250 copies sold out before 11:00 am. I was in sessions and couldn&#8217;t get over to buy a copy. The second shipment appeared to sell well also based on the number of folks carrying around a copy. Secondly, my copy of the first edition has sticky notes and dog ears to the point that it looks like&#8230;well, let&#8217;s just say it&#8217;s well used.</p>
<p>This second edition complements and adds to the first edition. If you have the first edition, you will not be disappointed by this second edition. There is enough new material in it (I especially like the new Chapter 8 where Harlan has some specific real-life scenarios that &#8220;wrap up&#8221; the different topics in the book. Very helpful.) to make it well worth the cash.</p>
<p>Harlan&#8217;s writing style is easy to follow and the writing is concise and thorough. Both editions are well researched and the editing is well done. Way too often you find books in this genre filled full of mistakes, typos, etc. Not the case here.</p>
<p>In short &#8211; if you have the first edition then keep your well worn copy for reference and buy this second edition. If you do any Windows Forensics, or really any information security work dealing with Windows,  you do yourself a disservice if you do not own this book.</p>
<p>One other thing &#8211; I&#8217;m recommending this book to Windows System Admins I know. While this is not a book that gets deep into the bowels of Active Directory, etc. it does give an Admin an insight into Windows that they really can&#8217;t get in the other texts they most likely have in their possession. If you&#8217;re an infosec guy/gal who works (or struggles) with Windows admins in your company &#8211; or if you are a consultant that deals with a lot of Windows admins &#8211; buy or recommend a copy of this book to them.<br />
Rating: 5 / 5</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: T. Yarrish</title>
		<link>http://www.tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-352</link>
		<dc:creator>T. Yarrish</dc:creator>
		<pubDate>Sat, 13 Mar 2010 05:56:57 +0000</pubDate>
		<guid isPermaLink="false">http://tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-352</guid>
		<description>This is a book that anyone in the Incident Response or Computer Forensic arena HAS to have on their bookshelf.  The breakdown of the chapters makes it a great reference book even after you&#039;ve read it cover to cover.  Harlan knows his Windows. :)
&lt;br /&gt;
&lt;br /&gt;I had pre-ordered this book months before it even had a release date, and I bought a second copy just to keep at the office.  IT IS JUST THAT GOOD!
&lt;br /&gt;
&lt;br /&gt;And as soon as it&#039;s released for the Kindle, I&#039;ll be buying that version as well.  
Rating: 5 / 5</description>
		<content:encoded><![CDATA[<p>This is a book that anyone in the Incident Response or Computer Forensic arena HAS to have on their bookshelf.  The breakdown of the chapters makes it a great reference book even after you&#8217;ve read it cover to cover.  Harlan knows his Windows. <img src='http://www.tywigs.org/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>I had pre-ordered this book months before it even had a release date, and I bought a second copy just to keep at the office.  IT IS JUST THAT GOOD!</p>
<p>And as soon as it&#8217;s released for the Kindle, I&#8217;ll be buying that version as well.<br />
Rating: 5 / 5</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Colin C. Sheppard</title>
		<link>http://www.tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-351</link>
		<dc:creator>Colin C. Sheppard</dc:creator>
		<pubDate>Sat, 13 Mar 2010 04:27:48 +0000</pubDate>
		<guid isPermaLink="false">http://tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-351</guid>
		<description>As practicing investigators, we have seen the tide shift over the last few years - from a concentration on traditional disk acquisition and file analysis to a multifaceted practice that now includes techniques such as registry, memory, and binary analysis. The content within WFE 2E embraces this new wave of IR &amp; forensics methodology and reflects Harlan&#039;s gift of presenting content in a meaningful and interesting way. As others have stated, WFE 2E is required reading for anyone in the IR &amp; forensic field or those interested in breaking into this profession. We are lucky to have Harlan publishing quality content, such as Windows Forensic Analysis 2E. 
Rating: 5 / 5</description>
		<content:encoded><![CDATA[<p>As practicing investigators, we have seen the tide shift over the last few years &#8211; from a concentration on traditional disk acquisition and file analysis to a multifaceted practice that now includes techniques such as registry, memory, and binary analysis. The content within WFE 2E embraces this new wave of IR &#038; forensics methodology and reflects Harlan&#8217;s gift of presenting content in a meaningful and interesting way. As others have stated, WFE 2E is required reading for anyone in the IR &#038; forensic field or those interested in breaking into this profession. We are lucky to have Harlan publishing quality content, such as Windows Forensic Analysis 2E.<br />
Rating: 5 / 5</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jesse G. Lands</title>
		<link>http://www.tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-350</link>
		<dc:creator>Jesse G. Lands</dc:creator>
		<pubDate>Sat, 13 Mar 2010 02:13:13 +0000</pubDate>
		<guid isPermaLink="false">http://tywigs.org/games-entertaint/windows-forensic-analysis-dvd-toolkit-second-edition#comment-350</guid>
		<description>I&#039;ve started reading or read a number of forensic books in the past two years.  Though I have yet to read a specific Operating System forensic book, most have generally focused on Windows as the choice for forensic analysis.  Of all the books that I have read, I would have to say that by far Windows Forensic Analysis DVD Toolkit second edition is the best.  
&lt;br /&gt;The author is very thorough without beating a single tool to death.  The author covers numerous tools, but continues to stress that having information from one tool does not give the investigator the `smoking gun&#039; to solving the case.  He stresses repeatedly that this is just adding another tool to the investigator&#039;s toolbox.  
&lt;br /&gt;Many books are simply an attempt to sell their book by declaring that if you follow: step one, followed by step two, followed by step three etc. that you will suddenly be a master forensic investigator or incident handler.  Harlan Carvey never says that reading this book will make you an expert, only that he hopes to enlighten the reader to new tools and techniques.  The author makes it very clear that each tool is valuable, but the reader should find the tools that suit their own need and get the experience necessary to analyze the output.
&lt;br /&gt;The book jumps straight into the discussion of volatile data and the importance of capturing it as close to the instance of compromise as possible.  I was pleased to see that the author made a point of emphasizing this.  There is still a mindset in many situations that pulling the plug is the first thing to accomplish.   
&lt;br /&gt;The first three chapters are a statement to the importance placed on collecting and analyzing the volatile portion of the incident.  Though technically the first two chapters also cover information to tie in the remaining chapters there is always that focus of maintaining data as close to the point of compromise as possible.
&lt;br /&gt;The next three chapters cover the static files and registry that a Forensic Analyst will have to review and analyze.  The author covers numerous tools as well as providing his tools and his preferences for use.  
&lt;br /&gt;The last three chapters cover rootkits, tying it together with case studies and then finally Forensic Analysis on a budget.  
&lt;br /&gt;Throughout the book the author makes references to papers, websites and other books that will provide a much more in-depth discussion of the topics.  In every chapter he provides a source for more up-to-date software than what is provided on the DVD.
&lt;br /&gt;The author includes numerous tools that are his personal scripts or scripts that he has modified for his use.  For the most part his scripts are all Perl based, but again the author shows his flexibility and understanding when he explains why his tools are Perl and not something else.  At no point does the author take a &quot;this is the only right way to do it&quot; attitude.  It is refreshing to see an unbiased book that is primarily Windows oriented.  
&lt;br /&gt;With all that being said I would say that grammatical editing could have been a little better.  Even with these errors the book was definitely worth buying.  We have a copy in our office and I am buying a copy for my own personal use.  I would say that if you are doing Windows forensics or have an interest in learning about the current trends in Windows forensics you need to pick up a copy.  It will be an invaluable resource.
&lt;br /&gt;
&lt;br /&gt;
Rating: 5 / 5</description>
		<content:encoded><![CDATA[<p>I&#8217;ve started reading or read a number of forensic books in the past two years.  Though I have yet to read a specific Operating System forensic book, most have generally focused on Windows as the choice for forensic analysis.  Of all the books that I have read, I would have to say that by far Windows Forensic Analysis DVD Toolkit second edition is the best.<br />
<br />The author is very thorough without beating a single tool to death.  The author covers numerous tools, but continues to stress that having information from one tool does not give the investigator the `smoking gun&#8217; to solving the case.  He stresses repeatedly that this is just adding another tool to the investigator&#8217;s toolbox.<br />
<br />Many books are simply an attempt to sell their book by declaring that if you follow: step one, followed by step two, followed by step three etc. that you will suddenly be a master forensic investigator or incident handler.  Harlan Carvey never says that reading this book will make you an expert, only that he hopes to enlighten the reader to new tools and techniques.  The author makes it very clear that each tool is valuable, but the reader should find the tools that suit their own need and get the experience necessary to analyze the output.<br />
<br />The book jumps straight into the discussion of volatile data and the importance of capturing it as close to the instance of compromise as possible.  I was pleased to see that the author made a point of emphasizing this.  There is still a mindset in many situations that pulling the plug is the first thing to accomplish.<br />
<br />The first three chapters are a statement to the importance placed on collecting and analyzing the volatile portion of the incident.  Though technically the first two chapters also cover information to tie in the remaining chapters there is always that focus of maintaining data as close to the point of compromise as possible.<br />
<br />The next three chapters cover the static files and registry that a Forensic Analyst will have to review and analyze.  The author covers numerous tools as well as providing his tools and his preferences for use.<br />
<br />The last three chapters cover rootkits, tying it together with case studies and then finally Forensic Analysis on a budget.<br />
<br />Throughout the book the author makes references to papers, websites and other books that will provide a much more in-depth discussion of the topics.  In every chapter he provides a source for more up-to-date software than what is provided on the DVD.<br />
<br />The author includes numerous tools that are his personal scripts or scripts that he has modified for his use.  For the most part his scripts are all Perl based, but again the author shows his flexibility and understanding when he explains why his tools are Perl and not something else.  At no point does the author take a &#8220;this is the only right way to do it&#8221; attitude.  It is refreshing to see an unbiased book that is primarily Windows oriented.<br />
<br />With all that being said I would say that grammatical editing could have been a little better.  Even with these errors the book was definitely worth buying.  We have a copy in our office and I am buying a copy for my own personal use.  I would say that if you are doing Windows forensics or have an interest in learning about the current trends in Windows forensics you need to pick up a copy.  It will be an invaluable resource.</p>
<p>Rating: 5 / 5</p>
]]></content:encoded>
	</item>
</channel>
</rss>

