Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
Price: $69.95
Product Details
| Binding: | Kindle Edition |
|---|---|
| Label: | Syngress |
| Publisher: | Syngress |
| Studio: | Syngress |
Editorial Reviews
Harlan Carvey brings readers an advanced book on Windows Registry. The first book of its kind EVER -- Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques will be presented that take the analyst beyond the current use of viewers and into real analysis of data contained in the Registry.
- Packed with real-world examples using freely available open source tools
- Deep explanation and understanding of the Windows Registry - the most difficult part of Windows to analyze forensically
- Includes a CD containing code and author-created tools discussed in the book
Customer Reviews
After having read the subtitle -- 'Advanced Digital Forensic Analysis of the Windows Registry' -- I was a bit surprised to find that this book seems to have its roots in 'the number of analysts ... [who] have no apparent idea of the forensic value of the Windows Registry' as the Preface mentions. This suggests the book is not so much for the advanced analyst, but more of an introduction to the area for those who are not yet proficient in analysing Registry information.
Other areas of the book, such as the description of some of the internal structures of the registry, tend to support this. An advanced book would probably not have omitted a description of the security descriptors on registry keys, for example.
This is probably not obvious to the buyer -- who is likely to go by the subtitle. I bought the book largely on the strength of the title, myself, and while I'm not disappointed, it's not quite the book I hoped for.
To the presumed reader, then, the main value is probably to be found in the two chapters of Case Studies. Here is where the value of the registry in a forensic analysis is most clearly described. These chapters are what beginning registry analysts want to read.
The focus of these chapters, though, is on the information in the registry, not where it is located, or to what extent it can be relied on. This is a deliberate decision of the author, and may be sound enough. It means, though, that the reader is more drawn into using the author's tools, and less into being able to locate the actual keys and values himself with regedit or other tools. In a text for more advanced users, it would have been a serious error to omit full key/value descriptions; in this type of book, it may lead to more complexity than is strictly warranted.
So, this is not quite the book for me. I don't mind buying it, but I will not be able to rely on it for reference, so it will end up in the bookshelf. I'd rate it at 3.5, but I do hesitate to round that up to an even four stars, as that is slightly too much, in my opinion.
What would have made me give a higher score?
* Better source references -- as it is, the source references are largely web links to Microsoft's support web site. If there are any references to printed works, I have not noted them. For example:
The author refers to earlier analysis by himself and Cory Altheide on USB artifacts, but so far I have been unable to find a single reference to that. As it's clear from the text that it was published, omitting this reference seems a little odd.
A couple of theses are mentioned: one by Jolantha Thomassen and one by Peter Norris, but none of these are properly referenced. The one by Ms. Thomassen, I was able to find a web link to in a "TIP" sidebar, and the one by Mr. Norris is mentioned in the text as another web link.
And Mark Russinovich's article 'Inside the Registry' mentioned in the text, is not cited either. (It was published in Windows NT Magazine.)
All of these may be available on the web, but as long as such presence is not guaranteed, I feel the proper source references to make are to the actually published texts.
For an introductory book, however, such references may be thought to be a little too academical and over the top -- though in that case, many of the existing references to Microsoft's support web site could not improbably be dropped as well.
* A road map for further studies -- assuming that this particular book is an introduction to the topic, additional sources for continued studies would have been welcome. The preface hints of a wealth of information about the registry, and it is not clear that all aspects have been covered.
I expected to find a mention of Jerry Honeycutt's book 'Microsoft Windows Registry Guide, 2. ed.' (Microsoft Press, 2005), mainly because it describes the practical workings of the registry, and deploying techniques, as well as how to identify what registry settings a particular program modifies. It also documents many registry settings that may be of interest at an investigation, though its focus is on computer management, not investigations, and it does go into many areas that were not included in the present book, such as registry access rights, and registry auditing.
Additionally, I can't rid myself of a feeling that the book tries to be a little more than just an introduction. Some of the information is not on an introductory level. For example, the note on NoInstrumentation on p. 190 is not obviously of any practical value, as it raises the question what exact information is affected by this setting. To the researcher, though, it is probably the starting point for further experiments.
And I must also admit that some terminological vagueness, spelling errors (the first is on the first text page of the book) and general grammatical and typographical fuzziness helps pull down the score a bit. The book uses '...' which normally indicates deliberate omissions, but here seems to be used instead of dashes -- this is very confusing at first. Proper typography as well as text polishing is generally the job of the publisher, but as the present publisher, Syngress, does not have much of a reputation in this area, it probably should be considered to be part and parcel of buying a Syngress book in the first place, and so not affect the score of any particular title. Still, the presence of it grates.
Additionally, in a book of reference the index would have been a disaster. In an introductory book ... well, it may serve some purpose, but it's pretty clear that I can't use it to find anything important. There is, for example, an index entry 'Master boot record (MBR)', but as the text it references only covers how to find drive signatures/volume IDs in the MBR, that entry is clearly not specific enough to be useful. More useful would have been to have index entries on 'drive signature' and 'volume ID', but there are none.
Windows Registry Forensics is another excellent installment of Harlan's continuing research and education efforts relating to Windows forensics. In his previous work, Windows Forensic Analysis DVD Toolkit, Second Edition, Harlan covered the broader topic of Windows forensics. While he did cover registry forensics issues in his previous work, this book drills down even deeper into the subject and provides the reader with a comprehensive view of the inner workings of the Windows Registry. If you couple this book with his previous book, you essentially get Windows Forensic Analysis, Second Edition: The Director's Cut. I recommend this book to anyone who is interested in digital forensics and will be adding it to my "So you'd like to... Learn Digital Forensics" Amazon guide.
Previous reviewers such as David Nardoni have provided excellent detailed overviews of the individual chapters so I won't repeat that level of depth for this review. Harlan takes a "teach them to fish" approach in teaching the reader about the Windows Registry. If the reader is expecting a book with a laundry list of interesting Registry keys, they will walk away disappointed. This isn't to say that there isn't a tremendous amount revealed about individual keys, but it's done in the larger context of Harlan's efforts to teach the reader about the Registry in a comprehensive manner.
The first chapter is where Harlan teaches the reader about fish (the Registry). This chapter explains what the registry is and how to think about it in the context of an examination. The second chapter teaches the reader about the various fishing poles available to them, such as Harlan's own RegRipper tool. The third and fourth chapters are where Harlan takes the reader fishing as he walks the reader through Registry examination using a case study approach.
Harlan is an excellent technical writer so the book flows well and the concepts are presented clearly to the reader. The pictures are large enough to show up clearly in the Kindle version of the book which I was grateful for since this is not always the case with Kindle books. My primary complaint with the book is the price especially for the Kindle edition. I don't expect technical books written for a small audience to be as inexpensive as mass market fiction, but a retail price of $69.95 is pretty steep. As I write this, the Amazon price is $62.95 for the physical version and $55.96 for the Kindle version. The price of the Kindle version is especially irritating considering it doesn't come with the DVD and doesn't require a physical distribution channel to provide it to me. In most cases (pay attention Syngress), I simply won't pay that much for a technical book unless it's something that I know is well written and will provide good value. This is one of those exceptional circumstances. Harlan is one of the few authors who I trust enough to spend that amount of money on for a book.
Four chapters. You might think that with only four chapters the author could in no way write a book that covers Windows registry forensics. I was a bit skeptical at first too but was quickly proven wrong. I've known Harlan for a few years now and I know that his knowledge of the Windows registry is in the 99th percentile when compared to his peers. Do not think of this as a four-chapter book. Think of this as a continuation of the concepts that Harlan presented in Chapter 4 of his Windows Forensic Analysis DVD Toolkit, Second Edition. With only roughly 100 pages in which to describe the valuable artifacts that reside in the Windows registry, Harlan obviously felt that he needed more room to spread his wings - hence the new book.
Chapter 1 provides a very detailed overview of registry analysis. Harlan really wants analysts to first consider the types of information they need prior to starting a forensic exercise. The 'what' and 'where' of the registry is detailed at great length in addition to its structure. Though this book shows you where to find the registry and some important keys, the author is careful to not present this as the bible of registry information - knowing full well that the minutiae will change from Windows release to Windows release. What this chapter does provide, however, is a good sense of what types of information can be found within the Windows registry. Chapter 2 provides in-depth coverage of several tools to not only conduct forensic investigations on the Windows registry but also how to interact with the registry (both on the target systems and remotely). The author describes tools that he has created (and that are freely available) in addition to tools and applications from others.
Perhaps the most valuable chapters in the entire book are the last two chapters. In chapters 3 and 4 the author provides numerous case studies that illustrate the kinds of information that can be found within the Windows registry. The various hives are discussed at length (the treasure chest of Windows artifacts) and numerous steps for tracking user activity are also discussed.
I cannot recommend this book enough. If you're looking for this book to be the Bible of registry information - you're not looking at the right book. If you want to know exactly what kind of information is stored within the Windows registry, however, this is an excellent map to get you to the finish line.
Harlan Carvey's latest book, "Windows Registry Forensics", is a welcome companion to his well-known "Windows Forensic Analysis" volume. As anyone familiar with Windows knows, the registry is not only the heart of Windows configuration data, but a treasure trove of data about both system and user activity. A discussion of the scope and value of the data found in the registry merits its own volume, and once again Harlan Carvey has delivered.
The book provides an insightful overview of the forensic analysis process - critical "before you get started" information, particularly the point about knowing your goals before you begin. Too many analysts make the mistake of diving in and "looking for stuff" without fully understanding what they're looking for or what questions they're trying to answer. The overview of registry terminology, format, and contents, including information and important changes in Vista and Windows 7, lays the essential foundation for any serious analyst.
The book's focus on free and open source tools (including the author's own iconic RegRipper) makes analysis accessible to everyone, from students to hobbyists to professionals on a limited budget. This approach is refreshing in an age of competing (and expensive) commercial tools. An added bonus is that the tools discussed tend to be "lean and mean", placing the analyst very close to the raw data in question. This tends to foster better analysts who possess an understanding of "what's actually happening" over those who are over-reliant on commercial tools with the equivalent of built-in "find evidence" buttons.
While providing a detailed discussion of both system and user registry hives, the book thankfully avoids a "laundry list" approach of "important" registry values. While this may disappoint readers who are looking for a simple checklist approach to registry analysis, the author's point that "important" values change over time is well-taken; analysts who limit their investigation to "known" important keys may overlook critical evidence. Instead, Mr. Carvey highlights various examples, while always encouraging his readers to further explore and test on their own.
That said, the book does provide a welcome in-depth discussion of topics of more recent interest and research (such as those related to removable media, network interfaces and wireless access points, and the value of historical data from system restore points). Mr. Carvey goes a step further by also discussing the interrelations among multiple keys, allowing the integration of data points from disparate parts of the registry to provide a more in-depth picture not only of "what happened" - but in some cases, also "who did it".
Perhaps of greatest interest is the author's discussion of the user registry environment, which is unique among current forensics books on the market. As forensic analysis becomes increasingly critical in proving a variety of crimes, an analyst's ability to tie system activity to a particular user account, and thereby demonstrate which account was (or was not) used to perform some activity becomes an essential skill.
Given the scope of the Windows registry, the lack of formal documentation from Microsoft, the variations across versions of Windows, and the endless number of applications that may interact with the registry in a variety of ways, no book can comprehensively address all there is to know about the subject. That said, Harlan Carvey does the next best thing: he demystifies the registry, provides his readers with a map, appropriate tools, and a comprehensive guide to enable them to perform their own testing and analysis according to their own needs or inclinations. As Mr. Carvey has repeatedly demonstrated throughout his career, we all become better analysts when we research, document, and (most importantly) share our findings. This book provides essential skills and guidance for analysts to examine the Windows registry today, but also lays the groundwork for further study and expansion of the field as a whole.
Harlan Carvey has done a great job again with continuing to produce excellent quality Windows Forensic material. The latest book "Windows Registry Forensics" should be considered a must read for people who want to dig deeper and understand what types of answers the registry may provide to their questions.
In typical fashion Harlan comes out of the gate providing you a great foundation about the registry in Chapter 1, which covers the basic building blocks of understanding what the registry is, where it is located and how it is structured. I found the material on the registry structure to be very valuable as it explains in detail some of the various time based information you may find yourself encountering while investigating various artifacts from different applications.
The tools section in Chapter 2 covers two main groups. Tools for live registry analysis and tools for forensic analysis (typically offline registry files). The live analysis portion does a good job of giving you the benefits & costs of performing live analysis and the tools that can help you accomplish this job. The book also does a decent job of mentioning some of the tools for live registry monitoring. The forensic portion of Chapter 2 deals with some of the typical tools forensic examiners might use for offline registry analysis. My favorite part of Chapter 2 is how the book goes into detail in using the RegRipper and RipXP tools. I really appreciated the extra effort that was taken to explain how to write plugins for RegRipper and explain some of the perl code that is being used behind some of the various RegRipper plugins. Many examiners may be using tools like RegRipper without having any idea how it works. I think this chapter does a better job in explaining some of those details for non-programmers. In my opinion even with the explanation in this chapter I still feel you should have a basic understanding of perl if you want to write your own plugins.
Chapter 3 dives head first into the various registry hives dealing with the computer system (Security, SAM, System, Software & BCD hives). Now this is the stuff that most of us buy the book for! Chapter 3 deals with numerous real world examples of forensic artifacts we want to decipher to be able to tell a story based on what we found in the registry. Some of the areas detailed out in the chapter focus on determining if a user had a password set, what level of auditing was enabled on the system, how to crack the user's password, how to boot this system up in a virtual machine. If you like the details about USB/portable devices and the artifacts they leave behind, Chapter 3 is for you. Web Browser settings, wireless settings, file associations, autostart locations are all covered well in the Software hive section.
Tracking user activity is the title of Chapter 4 and Harlan does do a good job with giving us plenty to work with in this chapter. I really like how there are little sections in the book that focus on helping the reader answer a question. For instance, "What Application Uses or Created that File?" is the name of a section in the book that walks through how an examiner might go about answering that question. The end of Chapter 4 has two great sections: "Tying it Together" and "The Trojan Defense". Both of these sections do a great job of reminding us as examiners that we are ultimately trying to tell a story based on artifacts that we find on a computer system.
Windows Registry Forensics is a great asset to have on your bookshelf if you want to advance your understanding of the Windows Registry from a forensic perspective.
Windows Registry Forensics is a book that I had picked up some months ago on sale (50% off) from the publisher and just didn't have the time to read until recently. Once I picked it up though, I could not put it down. Harlan Carvey has placed his knowledge and vast experience in dealing with the Windows Registry as an incident handler into this book. WRF should be considered a companion work to his Windows Forensic Analysis 2/e book (WFA 3/e is in the works as of this review and will cover Vista and Windows 7). Harlan does his best to pack this information into 200 pages without overloading the reader.
Let's look at the Chapters in this book:
Chapter One (Registry Analysis)- Here is where the Windows Registry is explained. What it is, why analyzing it can be important to a digital forensic examiner and its nomenclature.
Chapter Two (Tools)- In this chapter, Harlan goes over some tools that an examiner can use while working on their cases and for conducting research. Tools like Regshot, Autoruns and Process Monitor from Microsoft Sysinternals, F-Response, and Harlan's own RegRipper (which should be in every examiner's toolkit).
Chapter Three (Case Studies- The System)- For this chapter, Harlan highlights various Registry artifacts that deal with the computer system itself. Topics such as USB devices that were connected to a system, file system settings and wireless networks that a system has connected to, to name a few.
Chapter Four (Case Studies- The User)- Finally, in this chapter Harlan goes over some key Registry artifacts that help show User activity on a system and how it ties into the information gained back in Chapter Three (like using the Mount Points 2 artifact to assist in creating a timeline of when a device was connected to a system). In both Chapter Three & Four, he draws from his experiences in the field during various Incident Handling engagements.
The DVD that accompanies this book contains a few goodies, a few of which are PDFs that cover topics such as how to tell if a CD image was burned by the user, an explanation of the ACMRU and UserAssist keys, and how to locate shares on a Windows image. These are great reference materials for an examiner. A copy of RegRipper is also included on the DVD. By the time of this review though, an updated version is available at [...].
Two complaints I've heard or read about this book have been, "For the price of this book, I can't believe this book is only 200 pages and doesn't have a list of every registry key" and "man, those large graphics use up a lot of page space". I would like to address these one at a time.
First, there are many keys that can and do hold a wealth of information. Unfortunately, from Windows version to Windows version, these locations and the information held within them may and do change. I agree with the approach Harlan took with this. He gave the readers the keys that haven't changed much, or, if they did, changed with the benefit of providing additional information with each passing version of Windows. There are plenty of resources on the Internet that have additional Registry key information (The Forensics Wiki, The SANS DFIR Blog, ForensicArtifacts.com, etc.). If you are only interested in lists, go to those sites and find them. The best part about Harlan's writing is that it is to the point. No fluff in this book. I know that I do not have the time to waste when trying to learn something. If that is what you are looking for, then I'd recommend that you buy a novel.
Second, I was happy to see larger graphics in this book. I have read a bunch of technical books that contain small images that make it hard to get the author's point, especially when dealing with directories and files. Each of the images provided in this book makes it comfortable enough for the reader to follow along and not have to guess what the author was speaking about. I cannot comment on the quality of the graphics in the Kindle version of this book since I did not have it available to me.
As far as cons for this book, the one I'd have to go with was the poor editing. There are quite a few grammatical and spelling mistakes that were glaring enough that they should have been picked up before this book went to print. I lay that blame on the publisher, not on the author. Overall, some may think the price point of $69.99 (originally) was a bit steep. It is worth the price tag to gain the knowledge that Harlan has put into this book. If I had not lucked out and gotten this on sale, I would have paid full price. Trust me, you will find yourself going back and highlighting sections of this book for later use in your exams.
Even the minimal annoyances with the book cannot keep me from giving it 5-stars.
Thanks to Harlan for another fine effort!
Harlan Carvey has done it (again) and continues to raise the bar. It's a must-read for the digital forensic analyst! Harlan has brought his many years of experience and research in forensic analysis of the Windows Registry into one book. As Rob Lee (SANS Institute) stated, "Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case."
Dave Hull, fellow SANS Computer Forensic blog editor and SANS Instructor, was the Technical Editor for Windows Registry Forensics (WRF).
The book contains sidebars, tips, notes, and various analysis concepts of registry forensics, which the author highlights. Of course, this book wouldn't be complete without tools. The Windows Registry Forensics paperback includes a CD that contains the forensic tools and code (in Perl, of course) discussed in WRF.
In Chapter 1 (Registry Analysis), Harlan goes into the structure of the registry, which consists of binary data and for the most part is unbeknownst to the user. The nomenclature of the Windows Registry (i.e. keys, sub-keys, values, and data) and analyzing registry cell structure data are covered thoroughly in this chapter.
In Chapter 2 (Tools), Harlan presents free and open source tools to the reader, which can immediately be used for conducting his/her own analysis of registry artifacts, such as RegRipper, Autoruns, Regshot, and MiTeC Registry File Viewer (RFV). This chapter walks the reader through live response and forensic analysis of registry artifacts using various free tools.
Chapter 3 (Case Studies: The System) and Chapter 4 (Case Studies: Tracking User Activity) go hand-in-hand. These chapters are the practical application portion of the book, providing the reader with real-case examples, and outlining registry forensic artifacts (or lack thereof...remember, the absence of an artifact in itself is an artifact). Harlan discusses how to crack the SAM using free tools (e.g. Cain, OphCrack). I've read a lot of material the last few years covering USB device artifacts; I've not seen a more detailed analysis of USB artifacts through registry forensic analysis, until reading Windows Registry Forensics. The case studies chapters also cover real world scenarios (e.g. The Trojan Defense, Tying It Together) and how the analyst's investigative goals can be guided by using registry analysis, during the intrusion investigation or forensic examination.
In summary, there are a few grammatical and "print shop" errors that should have been caught by the publisher prior to printing the book; however, that does not keep me from giving this book a 5-star review. Once an author submits a final manuscript to a publisher, the publisher is responsible for ensuring the book and content are print ("showroom") ready. Once again Harlan has delivered an exceptional reference book to the digital forensic community!
What I've taken away from this book is the registry key structure and its nomenclature, key time stamps (data correlation and understanding LastWrite times), deleted registry keys, and the registry redirector (i.e. 64-bit OS calling on 32-bit application in registry). If you want to sharpen your forensic analysis skills, look no farther than Windows Registry Forensics. There's a key for that!
I love this book and I found the information within it very valuable.
However, the Kindle edition of it is lazily programmed. The index and table of contents are very poor, lacking detail, and it is difficult to find sections that you wish to reference.
There are no page numbers either, just section numbers.
This wouldn't be such a problem with a print edition, which is easy to browse through, but it is not sufficient for an ebook.
If this Kindle book was easy to navigate it would be indispensable.
The content is worth five stars but the poor design of the Kindle edition is worth about two. Therefore I will give this edition four stars.
Harlan Carvey is well known for writing clear concise books. This one continues that line of quality writing. The book is easily understood and the information presented is quite useful. Should my university allow for another Digital Forensic Science course to be developed and taught, I plan to use this book. Chiefly because it's not written like the standard textbook (boring) but is written to clearly convey information. Thanks Harlan for another good book. -T. Carver, CCE
Really like it, short and to the point with great nuggets of knowledge. Used it to populate an IR script with keys and other methods I otherwise would have never known about. I don't know if $60 is really the right price for a book this short, but it does have lots of good information. Price is the only reason I didn't give it 5 stars. Can't go wrong with Harlan Carvey.
In an obscure federal court opinion, a judge opined that computer forensics is both art and science.
With Harlan Carvey, computer forensics is science predicated upon art - and hard work.
Few people outside this small craft are equipped to appreciate what computer forensics is - and I am not about to attempt explaining the full scope of computer forensics in this limited space.
Suffice it to say that a primary objective of computer forensics is the hunt for data.
Those who do this for a living know that no two situations are the same and thus practitioners must have broad knowledge of operating systems, particularly Microsoft Windows.
And working in the innards of Windows isn't for sissies.
Harlan Carvey is among the few practitioners who write for the trade. He is an accomplished Perl scripter and one of his tools, RegRipper, is widely used.
Here, Harlan attempts to explain how to conduct forensic analysis of the Windows Registry. The Registry is never-never land for most of the computer forensic "experts" I've known. Not long ago, I assisted a client in obtaining a large settlement because the opposing expert paid no attention to the Registry and I did.
Carvey explains the Registry in a systematic manner. He begins with an overview of Registry analysis which I think is too short, but in fact is probably going to be overkill for most because they simply don't get it. He moves on to Registry analysis tools and then case studies. Overall, for those with little or no understanding of the Windows Registry, it is probably a good introduction. I remember way back when the Registry was introduced and then had its functionality extended in Windows 95. Little information was available from Microsoft and those of us in the field had to learn the Registry the hard way. Today, people like Harlan are developing tools for Registry analysis and writing books explaining how to do it. Pretty neat.
Harlan has done his homework in gathering information on the Registry and he obviously understands it well enough to write a fine tool with which to analyze it.
Yet, I would say that this book is not suitable for beginners in computer forensics because there is so much else to know about operating systems and file systems before you can grasp what the Registry is all about. By the same token, the book will provide only tidbits for those who have been doing serious computer forensics for several years.
Carvey's writing style is smooth, though the editors at Syngress might consider taking a refresher course.
Overall, despite the high price of the book, I think any serious practitioner of computer forensics would realize some benefit from reading this book.
Jerry
This Carvey person should "carry 'them' around in a wheel barrow" for having the gall to put out a useless piece of garbage like this. It is exactly 200 pages of content of large type, big screenshots of tools he downloaded at SysInternals, and very sparse on significant content. Not even a poor man's reference book either. The book seemed to have no coherent organization to it but was just worded like this guy thinks his "common" knowledge of the registry is somehow enough to write a tiny book and sell it for more than virtually any technology book you ever buy on Amazon, and that one will be a large book and full of expert content. It spends a little time up front explaining to idiots what a registry is and that Windows has one. Then it tells you how to use RegEdit and other common tools you already know. Take a look at the content before you even think about it. The title word "forensics" won't help you find out anything of significance other than how to get rid of $63 for a pamphlet about the size of a pocket reference.
Don't buy it now, and you can thank me later for not having to return it immediately (like I did)!
Everybody comments on the crappy content of the book but says they love the tools. I didn't open the attached CD because I was going to return it. But I can't imagine someone needing a tool badly enough to purchase this book. There are scads of freeware, shareware and even professionally done registry packages out there. I see he put out just the tools in a package $10 less because he realizes his book is useless too. "Caveat Emptor" people. Caveat Emptor.
P.S. You might want to be wary of this Syngress publishing. If they would publish this, they don't seem to have very discriminating editors and management. Makes me think they would publish virtually anything.