Windows Forensic Analysis Toolkit, Third Edition: Advanced Analysis Techniques for Windows 7
February 2012

Publisher: Syngress Publishing
ISBN: 978-1-59749-727-5
Published: 10 February 2012
Pages: 296
Abstract

Amazon Exclusive: A Letter from Harlan Carvey, author of Windows Forensic Analysis Toolkit, 3rd Edition

Dear Amazon Readers,

I am not an expert. I really, enthusiastically enjoy performing digital forensic analysis of Windows systems and will get up early (for me "early" is a relative term) to work on an examination. I enjoy not just finding new things in my analysis, but finding new combinations of things, looking for those hidden patterns to jump out of the data. I enjoy writing code to parse the binary contents of a file so that I can then see how the various teeth of the operating system and application gears mesh together, and in seeing what primary, secondary, and tertiary artifacts are left by various events that occur on a system.

When I first started writing books, I did so because I could not find something that would fit what I saw as my needs. Sure, there were books available that covered some aspects of digital forensic analysis of Windows systems, but there wasn't anything available that really went into depth on analyzing Windows as a system of interconnected components. There were books that covered some of the really obvious indications of an intrusion or malware infection, but how often are our examinations really about finding the obvious artifacts? I knew I couldn't be the only one looking for something like this, and writing a book not only provided a reference for myself and others, but the act of writing required me to polish and hone my thoughts.

I hope you enjoy the finished product, and that it leads you beyond the obvious. I hope you find my attempt to contribute to the digital forensics analysis community to be useful and thought-provoking.

Thank you.

--Harlan Carvey

Reviews

Andre Ross

This book is surprisingly well balanced for a technical read, with good coverage of the theory underlying computer forensics and an abundance of practical tips. It is perhaps the best book written by Harlan Carvey thus far. In eight voluminous chapters, he describes his practical approach to computer forensics on Windows-based operating systems (OSs).

Chapter 1 covers several foundational computer forensics concepts and reads like a novel. In this valuable chapter, these concepts and approaches are seen through the prism of the author's practical experience. Chapter 2 walks the reader through various incident response situations, from preparation and contracting to data collection and training. A wealth of practical advice is mixed with good examples and some useful tools.

Chapter 3 talks about volume shadow copies (VSCs), an important technology that forensic practitioners often neglect. The author touches on Windows XP's volume snapshot service (VSS), and moves on to the current, full-featured Windows 7 versioning system. (For the sake of accuracy, it should be noted that while Windows XP VSS and Windows 7 VSC are distant relatives, the real predecessor of VSC technology was shadow copies for shared folders [1]. This versioning system first debuted in Windows 2003 and was based on a client-server model.) The chapter covers several clever approaches for accessing VSCs from live systems and within forensic images.

Chapter 4 goes into Microsoft's New Technology File System (NTFS), time stamps, logs, and other useful Windows OS forensic artifacts. The chapter contains sufficient technical detail. The knowledge in this chapter is relevant to all computer forensic specializations. Chapter 5 is a condensed version of the author's earlier book on Windows registry analysis [2], with additional information specific to Windows 7. The chapter is crammed with information, from registry basics to spectacular Wi-Fi geolocation mapping techniques. The chapter also provides sufficient detail to get the reader up to speed on shellbag registry artifacts.

In chapter 6, the reader is acquainted with the structured approach for malware detection, infection, and propagation, and persistence mechanisms focused on detecting and identifying the artifacts left by the malware. The Trojan horse defense has proved successful in a number of cases and is still being actively used, especially when the forensic examination report contains no information on steps for detecting and identifying malware. Because of this, the topic's relevance isn't limited just to malware researchers and incident responders, but will be of importance to all computer forensic professionals.

In chapter 7, the author walks the reader through the process of extracting relevant data and creating a timeline of system activity with a number of open-source tools. This chapter is undoubtedly the most complete and comprehensive forensic timeline creation tutorial available today. The last chapter (8) is dedicated to application analysis and the examination of techniques such as process monitoring, network captures, and memory and log analysis, often used in dynamic malware analysis.

Carvey's practical experience and strong attention to detail, combined with a unique presentation that helps bridge the gap between new and old knowledge, make this an important work. It takes the reader to a deeper understanding of the forensic analysis process with free and open-source tools, including some written by the author himself. This book is the only book on Windows 7 forensic analysis. It is an absolute must-read for computer professionals who want to stay on top of their game.

Online Computing Reviews Service

Neil D Burgess

As an experienced consultant from a military background, Harlan Carvey possesses a wealth of knowledge in this field. He shares as much of that knowledge as the structure of this book allows, in an articulate and readable style. He describes procedures for managing an investigation and provides technical information on what to look for and how to analyze specific digital artifacts. He also gives advice to managers of production systems on the requirements of forensic analysis.

Previous editions of this work covered versions of Microsoft Windows up to Windows XP. This third edition moves on to cover specific information relating to Windows 7. Companion material is available for download, including custom tools.

There are many other books available that address this field; for example, the books by Nelson et al. [1] and Sammons [2] seem to provide information suitable for a new entrant to the field. Andrew Hoog has written a book on Android forensics [3], and has collaborated with Katie Strzempka on another [4] covering Apple software.

At a little over 240 pages, the book only has room for a fairly superficial introduction to the field of digital forensic analysis. It is a full-sized, fairly slim paperback volume.

The book has a preface followed by eight chapters. Each chapter begins with an introduction and ends with a summary, making it easy to skim, and reinforcing the main concepts of the chapter. Chapter 1 introduces the concepts of digital forensic analysis on Windows, and chapter 2 gives recommended procedures to be followed before the forensic analysis begins in earnest. Chapter 3 describes the origin, structure, and usefulness of Volume Shadow Copies in Windows. Detailed, technical information on file analysis follows, in chapter 4. The next chapter discusses the Windows registry in some detail, describing selected hives and keys. The book does not pretend to provide all of the information, but it provides many useful specifics and outlines recommended approaches. Chapter 6 discusses the detection of malware (malicious software). It includes information on how to detect what malware has done, and how to determine if it has actually been executed. Chapter 7 is devoted to timeline analysis, outlining its importance and describing techniques for deriving a timeline from the available resources. Chapter 8 concludes the book with a general discussion of application analysis, giving general approaches and typical resources to investigate.

The normal academic tradition of providing frequent references is not followed. Illustrations and tables are used sparingly and appropriately. The text is adorned with shaded textboxes, giving tips, warnings, and notes. At over 26 double-column pages, the index is very comprehensive and appears to be accurate.

In summary, this book is recommended reading, not only for forensic analysts, but also for chief information officers (CIOs) and information security specialists. There is information on how to prepare the normal infrastructure of a working environment to facilitate forensic analysis, should it be required.

Online Computing Reviews Service
