Slashdot Mirror
Windows Forensic Analysis
Don Wolf writes "Computer forensics is a rapidly growing discipline and an even faster growing business. Whether it's the natural progression of technological science pertaining to crime or perhaps the digression of a few elite information security professionals, computer forensics is every so slowly gaining credibility in the otherwise PhD dominated field of criminal science. Computer evidence continues to be showcased in some of the most high-profile and controversial court cases in history, from the murder case of Lasie Peterson to the multi-billion dollar Enron scandal. Whether society will allow it or not, computer forensics geeks will play pivotal roles in the prevalence of justice." Keep reading for the rest of Don's review.
Windows Forensic Analysis DVD Toolkit
author
Harlan Carvey
pages
416
publisher
Syngress
rating
9
reviewer
Don Wolf
ISBN
9781597491563
summary
Incident Response and Cybercrime Investigation Secrets
While on the road to computer forensic enlightenment I realized early on that many parallels existed between computer forensics and incident response. A number of great authors have published books on incident response, one of which is a gentleman by the name of Harlan Carvey. So when a friendly but cleverly personalized bookstore email rolled in with Harlan's newest book showcased, I thought it might be worthwhile to see what he's been up to.
The book titled "Windows Forensic Analysis", takes a hands-on and in-depth approach to forensic discovery of Windows systems. Some may scoff at the mere suggestion that a point-and-click operating system necessitates the granular analysis of forensics, but make no mistake, beyond Windows' simplicity are numerous complex elements, sometimes cryptic, and many undocumented.
Always looking for a tip here and there, I found more Windows forensics tips here than I have anywhere else. While I've read only about half-a-dozen books on operating system forensics, this one stands out because the material is clearly drawn from the author's experience which, in my opinion, lends real credibility to the book. Granted, technical books are always reviewed for accuracy and truthfulness, but this one carries its own weight with the sheer amount of tips and real-life sidebars. No hash tables, no unnecessary screen dumps, and certainly no reprinted Microsoft documentation. The author does a great job on footnoting and includes plenty of links to additional information. Additionally, there are sections dedicated for FAQ's, as well as "tools and traps".
Having read the book through, I can tell you it flows well from chapter to chapter and continues to draw you in, somewhat unusual for a technical reference — when was the last time you were drawn into a textbook? I'm not sure how one decides to organize the chapters, but I suspect it was not a random decision. Looking back I can see that there is a logical order to the chapter sequence, perhaps suggesting an order in which to forensically process a Windows computer. The book starts with 'live' response, followed by memory analysis, registry analysis, file analysis, and finally rootkit detection — analysis in order of volatility I suppose.
I've heard a lot of praise regarding this books chapter on registry analysis, some claiming it to be worth the price of the book alone. Don't be mislead to believe that it is the crux or single focus of the book, it's not. In my opinion the reason the chapter stands out is because most forensics analysts I've met aren't particularly strong in the area of registry analysis and therefore may find the chapter a revelation. It's true, the chapter is strong and offers exceptional insight, however, I found the book to be almost equally weighted chapter by chapter.
I personally found the chapter regarding memory analysis to be a stand-out. RAM has the potential to store a ton of evidence, however, it's always been viewed as extremely volatile. Not only is it likely to be flushed with a power-cycle, but it's also susceptible to be purged simply through the normal actions of a computer user, or in our case, forensic analysts. I was happy to see a good section on the pros and cons of dumping the many different areas of physical memory. The author proves that there is life after a reboot and demonstrates how to recover at least partial RAM contents from various areas.
Overall there is plenty of theory, plenty of technique, and plenty of command-line examples. On the subject of command-line examples, the author provides a great collection of scripts and examples on the accompanying DVD. The examples all appear to work as describe, a rarity given the many possible computer configurations, just the same the author is thoughtful enough to point out possible exceptions and explanations when there is an opportunity for a particular command or technique to fail.
If I can quote a comment made by one of my associates, he said "The book provided more than just tips and techniques, it provides food for thought and helps one develop their own personal approach to Windows forensics". I totally agree. Furthermore, I found that while I learned a few new things, I also finished the book with lots of questions in mind. Is that a shortcoming of the book? No. Based on the detailed coverage of the book, I was able to identify my own shortcomings and areas I need to explore further. If you want to pursue Windows forensics and already have a good understanding of the principals and ethics of computer forensics, I highly suggest starting with this book.
You can purchase Windows Forensic Analysis DVD Toolkit from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
The book titled "Windows Forensic Analysis", takes a hands-on and in-depth approach to forensic discovery of Windows systems. Some may scoff at the mere suggestion that a point-and-click operating system necessitates the granular analysis of forensics, but make no mistake, beyond Windows' simplicity are numerous complex elements, sometimes cryptic, and many undocumented.
Always looking for a tip here and there, I found more Windows forensics tips here than I have anywhere else. While I've read only about half-a-dozen books on operating system forensics, this one stands out because the material is clearly drawn from the author's experience which, in my opinion, lends real credibility to the book. Granted, technical books are always reviewed for accuracy and truthfulness, but this one carries its own weight with the sheer amount of tips and real-life sidebars. No hash tables, no unnecessary screen dumps, and certainly no reprinted Microsoft documentation. The author does a great job on footnoting and includes plenty of links to additional information. Additionally, there are sections dedicated for FAQ's, as well as "tools and traps".
Having read the book through, I can tell you it flows well from chapter to chapter and continues to draw you in, somewhat unusual for a technical reference — when was the last time you were drawn into a textbook? I'm not sure how one decides to organize the chapters, but I suspect it was not a random decision. Looking back I can see that there is a logical order to the chapter sequence, perhaps suggesting an order in which to forensically process a Windows computer. The book starts with 'live' response, followed by memory analysis, registry analysis, file analysis, and finally rootkit detection — analysis in order of volatility I suppose.
I've heard a lot of praise regarding this books chapter on registry analysis, some claiming it to be worth the price of the book alone. Don't be mislead to believe that it is the crux or single focus of the book, it's not. In my opinion the reason the chapter stands out is because most forensics analysts I've met aren't particularly strong in the area of registry analysis and therefore may find the chapter a revelation. It's true, the chapter is strong and offers exceptional insight, however, I found the book to be almost equally weighted chapter by chapter.
I personally found the chapter regarding memory analysis to be a stand-out. RAM has the potential to store a ton of evidence, however, it's always been viewed as extremely volatile. Not only is it likely to be flushed with a power-cycle, but it's also susceptible to be purged simply through the normal actions of a computer user, or in our case, forensic analysts. I was happy to see a good section on the pros and cons of dumping the many different areas of physical memory. The author proves that there is life after a reboot and demonstrates how to recover at least partial RAM contents from various areas.
Overall there is plenty of theory, plenty of technique, and plenty of command-line examples. On the subject of command-line examples, the author provides a great collection of scripts and examples on the accompanying DVD. The examples all appear to work as describe, a rarity given the many possible computer configurations, just the same the author is thoughtful enough to point out possible exceptions and explanations when there is an opportunity for a particular command or technique to fail.
If I can quote a comment made by one of my associates, he said "The book provided more than just tips and techniques, it provides food for thought and helps one develop their own personal approach to Windows forensics". I totally agree. Furthermore, I found that while I learned a few new things, I also finished the book with lots of questions in mind. Is that a shortcoming of the book? No. Based on the detailed coverage of the book, I was able to identify my own shortcomings and areas I need to explore further. If you want to pursue Windows forensics and already have a good understanding of the principals and ethics of computer forensics, I highly suggest starting with this book.
You can purchase Windows Forensic Analysis DVD Toolkit from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Most of the time, the person doing the analysis is the crooked cop who placed the bogus "evidence" on the computer in the first place, or the same person who is then going to try to "find" that "evidence" in a laboratory situation.
Anyone who believes there is even *ONE* honest law enforcement agent in the entire U.S.A, probably even the entire world, is incredibly naive.
--Signed... an unfortunate victim of a crooked cop who planted bogus evidence on my computer systems after perjuring himself on affidavit's to get search warrants for them... who was never held accountable for that perjury even though it was blatant, and would have been obvious to anyone who had bothered to read it... showing clearly that the judge did not bother reading all 27 pages... again.. the fact that it was 27 pages was so that the judge WOULDN'T bother to read the whole thing.
Exactly that type of nonsense can be found in nearly every piece of paperwork filed by any prosecutor or police officer.
I actually have a degree in Computer Forensics, and the only place looking to hire me were police departments, and all of them wanted me to become a police officer for several years before I could even think about doing forensics work.
Physical memory analysis is an up and coming challenge for many law enforcement agencies. How can you guarantee that a suspect's computer was not infected by some bad memory-only malware? Current tools only address the hard drive and what it contains. There has been a lot of research into physical memory analysis over the past few years:
Rootkit.com: has been researching physical memory for years http://www.rootkit.com/newsread.php?newsid=130, but in a slightly different context (hiding vs finding).
BlackHat Talks:
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf
http://www.blackhat.com/presentations/bh-usa-07/Butler_and_Kendall/Presentation/bh-usa-07-butler_and_kendall.pdf
Papers: http://www.stormingmedia.us/50/5037/A503754.html
FatKit: http://www.4tphi.net/fatkit/
Contests: The Digital Forensics Research Workshop is running a Challenge to see who can create the best linux physical memory analysis tool: http://dfrws.org/2008/challenge/index.shtml
Now the commercial world is entering the fray: http://www.hbgary.com/hbgary_responder_datasheet.pdf
I'm looking forward to using some tools that don't require me to keep a notebook of esoteric command lines and a usb key full of dependencies. Not to mention some report friendly output. Should be a good year!