Windows Forensic Analysis DVD Toolkit (2ed)
by H. Carvey
Syngress 2009.
ISBN 978-1-59749-422-9 . Amazon.com USD 62.95
Reviewed by Richard Austin July 17, 2009
Digital technology touches many facets of our personal and professional lives, and with this contact comes the important realization that events in the physical world increasingly leave traces in the digital world. The practice of digital forensics (the collection, preservation and analysis of digital information for use in legal proceedings) deals with finding and interpreting these digital traces to answer important questions of fact ("Did John send Jane several threatening EMAILs before her disappearance?", "How did the intruder gain access to the engineering server and what did she do with that access?", etc).
Carvey's book is a treasure trove of information and tools dealing with the forensic analysis of Windows systems. It is organized into nine chapters and includes a similarly organized DVD that includes tools and multimedia presentations relevant to each chapter.
The book devotes its first three chapters to the important topic of "live response" which deals with collecting information from a running system. Traditional computer forensics has predominantly limited itself to collecting and examining images of the disks collected after a system was powered down. Live response is a critical activity based on the recognition that much information (the list of running processes, open network connections, etc) would not be found in a disk image. Chapter 3, "Windows Memory Analysis", covers the recent development of tools for collecting a copy of system memory and, equally important, tools for analyzing it to retrieve important information. Since volatile data collection makes use of the running system, the possibility always exists that malware (e.g., a rootkit) may be modifying the information retrieved to conceal its activities. Collecting the contents of memory (without the necessity of halting the system) for later analysis make it less likely that important information will be hidden.
Chapter 4 , Registry Analysis, is another gem that delves into the information that can be retrieved from the Windows registry and the tools that reveal it. It gives an excellent introduction to RegRipper, written by Carvey, which simplifies the process of retrieving and interpreting the overwhelming wealth of information from the registry.
The next two chapters, "File Analysis" and "Executable File Analysis", introduce the tools and techniques for making sense of the various types of files encountered on the system including topics ranging from event logs to metadata found in Word and PDF files. The chapter on executables provides an excellent introduction how executables are structured and how malware authors conceal their activities using things like "cryptors" and "packers".
Chapter 7, "Rootkits and Rootkit Detection", provides a good introduction and discussion of this frightening type of malware (as Hercule Poirot said "When someone is lying to you, watch out!") as well as the various ways of detecting their presence on a system.
Chapter 8, "Tying It All Together", pulls the techniques together in a series of 7 case studies followed by sound advice on how to actually get started using them in practice.
The final chapter, "Performing Analysis on a Budget", gives sound advice on how to "bootstrap" your forensic capability on a limited budget while still delivering genuine capability and real results. This is particularly important as a forensic capability in incident response is becoming less of a luxury and more of a necessity. As Carvey points out, simply wiping and reinstalling a server after a compromise without understanding how the compromise was affected is just an invitation to be "p0wned" again in the same way.
This book is extremely practical and is written for the working IT professional. Most of the tools are written in Perl, and Carvey is very faithful to provide references to where the information underlying the tools came from. This is important because forensics is inseparably linked with the legal system and it is critical that an analyst be able to clearly explain not only the results from a tool but also how those results were generated. More managerially-focused professionals may find the book hard sledding but the introductory material in each chapter will reward skimming to understand the available types of information and the practical uses that can be made of it. Definitely a recommended read and worthy of a place on your bookshelf.
Before beginning life as an itinerant university instructor and cybersecurity consultant, Richard Austin was the storage network security architect for a Fortune 25 company. He welcomes your thoughts and comments at rausti19 at Kennesaw dot edu