
Jul 15

Here's a book I give my thumbs up for. Excellent content, well structured and rather easy to follow and understand. Personally I find particular chapters to be a great reference. The author Harlan Carvey has his own blog-spot and there is also a review of this book which can be found here.

A review...
So finally I've got down to reading Harlan's book. First off this is a unique book that I've really enjoyed reading. The topics are spread over 7 chapters namely:

1. Live Response: Collecting Volatile Data
2. Live Response: Data Analysis
3. Windows Memory Analysis
4. Registry Analysis
5. File Analysis
6. Executable File Analysis
7. Rootkits and Rootkit Detection

Harlan mentions and shows how to use a wealth of tools to accomplish particular investigation techniques. Some of them are even supplied as Perl scripts on the accompanying DVD (as I understand it, Harlan is particularly knowledgeable in Perl). The book assumes that the reader has prior knowledge of networks and a good understanding of the structured approach a computer forensic investigator must take on cases. Focused particularly on Windows tools and on performing investigations in the Windows arena, Harlan manages to give technical insight into how a hacker thinks and how we as investigators must counter-think.

Of particular interest to me were terms like Locard's Exchange Principle, which I had never actually encountered in any other book I've read. He explains how this principle applies to the digital realm and how, when an investigator interacts with a live system, changes will occur to that system as programs are executed and data is copied from the system. These changes might be transient (process memory, network connections) or permanent (log files, Registry entries). In essence, Harlan explains that anything an investigator does on a live system, even nothing, will have an effect on the system being investigated and leave an artifact. Artifacts occur on the system as it runs, with no interaction from a user.

Also of interest was Chapter 3, wherein Harlan explains how one would go about dumping physical memory on a Windows system. He does this by outlining several methods, even giving the pros and cons of each. Ever wondered whether the hibernation file can provide a clue to what is happening on a system? Harlan explains it...

Another area of interest to me, which is not very well known among members of the system administration community, is that of NTFS Alternate Data Streams. In Harlan's book, Chapter 5 introduces the reader to this technology and explains that there is a legitimate way to create files on a Windows system that contain data as well as scripts or executable code; these files can be created or launched, yet there are no native tools within the operating system distribution that will let you detect the presence of such arbitrary files. Yep --- except in Windows Vista, which now has a switch to let you see ADSes.
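As an added illustration of the detection gap described above (this is not code from the book or the review), here is a PowerShell 3.0+ script that plants a demo stream on a constructed file and then enumerates every non-default stream under a folder; the scratch folder path and the stream name "hidden" are assumptions.

```powershell
# Added example, not from Harlan's book or the review. Requires PowerShell 3.0+,
# whose -Stream parameter on Get-Item/Set-Content/Get-Content did not exist when the
# book was written; the Vista-era cmd.exe switch the review alludes to is "dir /R".

param(
    [string]$Root = (Join-Path $env:TEMP 'ads-demo')   # assumption: a scratch folder
)

# --- Constructed demo: one file carrying an alternate stream, so the scan has a hit ---
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$demo = Join-Path $Root 'readme.txt'
Set-Content -Path $demo -Value 'visible content'
# A second stream on the same file. The size shown by dir/Explorer does not change,
# which is exactly why ADS is a classic data-hiding location.
Set-Content -Path $demo -Stream 'hidden' -Value 'data tucked into an alternate stream'

# --- Detection: list every stream that is not the default unnamed data stream ---
function Get-NonDefaultStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force |
        ForEach-Object {
            $file = $_
            Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

$found = Get-NonDefaultStreams -Path $Root
$found | Format-Table -AutoSize

# Triage: read each flagged stream back. Expect benign "Zone.Identifier" streams on
# files downloaded by a browser; anything else deserves a closer look.
foreach ($hit in $found) {
    $body = Get-Content -Path $hit.File -Stream $hit.Stream -Raw
    Write-Host ("{0}:{1} ({2} bytes) -> {3}" -f $hit.File, $hit.Stream, $hit.Bytes, $body)
}
```

Run it from an elevated or normal PowerShell prompt on an NTFS volume; on FAT/exFAT there are no streams to find and the demo write will fail.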

What I like about the book:

- Loads of mention of tools and techniques to perform analysis including reference to them on the web
- Reference to personal experiences
- An FAQ and Summary at the end of every chapter -> Excellent idea!
- Solution Fast Track with a checklist of items per chapter
- Well structured and flowing content
- Granular and technical content

What I dislike about the book:

- No mention of Steganography techniques/tools which Chapter 5 could have benefited from.

My overall opinion of the author is very high given his experience and I would definitely recommend this book to anyone who is into Digital Forensics. I give this book 4.5 stars!


Excerpts of this text are taken from Harlan's book ISBN 9781597491563

Posted by Donald Tabone

  1. JimmyWeg says:

    Don, I don't think that Harlan's book would have been a place to approach steg. Notwithstanding my view that the vast majority of examiners have not encountered steg, I'd argue it accounts for only a small fraction of data hiding techniques. Perhaps only slightly more than the infamous named data streams in NTFS. Sure, steg is worthy of discussion, but in a work that's more devoted to forensics on a dead system or cryptography. Otherwise, I agree that Harlan's work was crafted superbly.

  2. donald says:

    Hi Jimmy.

    Thanks for posting a comment here.

    "Sure, steg is worthy of discussion, but in a work that's more devoted to forensics on a dead system or cryptography"

    I tend to disagree with you on this point. I think that steg as a concept is surely worth a mention regardless of past experiences, at least from a technique point of view. Harlan gives many examples of real-life experiences and the tools he used to investigate them, and that is excellent; however, steg is platform independent, and mentioning the concepts behind these techniques is equally important, even though they have not been encountered so often in real life. Keeping in mind that steg is all about hiding data in files (a topic covered by Harlan), I surely think that it would have been worth a mention whether or not you are conducting an offline or online investigation.

    That said, the topic could have been intentionally omitted. Nevertheless that doesn't make the book any less appealing. Indeed it is an excellent book to have.
