Here's a book I give my thumbs up for. Excellent content, well structured and rather easy to follow and understand. Personally I find particular chapters to be a great reference. The author Harlan Carvey has his own blog-spot and there is also a review of this book which can be found here.
A review...
1. Live Response: Collecting Volatile Data
2. Live Response: Data Analysis
3. Windows Memory Analysis
4. Registry Analysis
5. File Analysis
6. Executable File Analysis
7. Rootkits and Rootkit Detection
Harlan mentions and shows how to use a wealth of tools to accomplish particular investigation techniques. Some of them are even supplied as Perl scripts on the accompanying DVD (as I understand, Harlan is particularly knowledgeable in Perl). The book assumes that the reader has prior knowledge of networks and a good understanding of the structured approach a computer forensic investigator must take on cases. Focused particularly on Windows tools and performing investigations in the Windows arena, Harlan manages to give a technical insight and explanation of how a hacker thinks and how we as investigators must counter-think.
Of particular interest to me were terms like Locard's Exchange Principle, which I had never actually encountered in any other book I've read. He explains how this principle applies to the digital realm and how, when an investigator interacts with a live system, changes will occur to that system as programs are executed and data is copied from the system. These changes might be transient (process memory, network connections) or permanent (log files, Registry entries). In essence, Harlan explains that anything an investigator does on a live system, even nothing, will have an effect on the system being investigated and leave an artifact. Artifacts occur on the system as it runs with no interaction from a user.
Also of interest was Chapter 3, wherein Harlan explains how one would go about dumping physical memory on a Windows system. He does this by outlining several methods, even giving the pros and cons of each. Ever wondered if the Hibernation File can provide a clue to what is happening on a system? Harlan explains it...
Another area of interest to me, which is not very well known among members of the system administration community, is that of NTFS Alternate Data Streams. In Harlan's book, Chapter 5 introduces the reader to this technology and explains how there exists a legitimate way to create files on a Windows system that contain data as well as scripts or executable code, and that these files can be created or launched, but there are no native tools within the operating system distribution that will allow you to detect the presence of such arbitrary files. Yep --- except in Windows Vista, which now has a switch to let you see ADSes.
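As an added example, not from the book or its DVD scripts, here is a PowerShell script that does what the chapter says the native tools of the day could not: it walks a directory tree, lists every alternate data stream attached to each file, and flags streams that start with a PE header. It assumes PowerShell 3.0 or later (for the `-Stream` parameter) on an NTFS volume; the `$Root` and `$Ignore` parameters are my own choices.

```powershell
# Added example: enumerate NTFS alternate data streams (ADS) under a directory.
# Assumes PowerShell 3.0+ on an NTFS volume. Run as: .\Find-Ads.ps1 -Root C:\Users
param(
    [string]$Root = '.',                        # directory to scan (assumption: current directory)
    [string[]]$Ignore = @('Zone.Identifier')    # benign streams to skip (browser "mark of the web")
)

function Read-StreamHeader {
    # Return the first two bytes of a named stream. Byte-wise reads differ between
    # Windows PowerShell 5.1 (-Encoding Byte) and PowerShell 7 (-AsByteStream).
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    }
}

Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    # Get-Item -Stream * yields one object per stream; the unnamed primary stream is ':$DATA'.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
    ForEach-Object {
        $hdr = @(Read-StreamHeader -Path $file.FullName -Stream $_.Stream)
        # 'MZ' (0x4D 0x5A) at offset 0 means the stream holds a Windows executable image.
        $isPE = ($hdr.Count -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
        [pscustomobject]@{
            File        = $file.FullName
            Stream      = $_.Stream
            Bytes       = $_.Length
            LooksLikePE = $isPE
        }
    }
} | Sort-Object -Property LooksLikePE -Descending | Format-Table -AutoSize
```

On Vista and later the built-in `dir /r` shows the same stream names, but only per directory and without any inspection of the stream contents.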
What I like about the book:
- Loads of mention of tools and techniques to perform analysis including reference to them on the web
- Reference to personal experiences
- An FAQ and Summary at the end of every chapter -> Excellent idea!
- Solution Fast Track with a checklist of items per chapter
- Well structured and flowing content
- Granular and technical content
What I dislike about the book:
- No mention of Steganography techniques/tools which Chapter 5 could have benefited from.
My overall opinion of the author is very high given his experience and I would definitely recommend this book to anyone who is into Digital Forensics. I give this book 4.5 stars!
-Donald
Excerpts of this text are taken from Harlan's book ISBN 9781597491563