Book Review – Windows Registry Forensics


Rating: ***

Windows Registry Forensics is a three-star book with five-star content. It has one mission: to persuade you that examining the Windows registry is an essential and valuable component of any Windows system examination. The author does this by presenting a variety of registry keys and values that can be leveraged to answer important investigative questions. The book does not, however, try to be an exhaustive guide to the Windows registry. Instead, Mr. Carvey focuses on an educated selection of high-value registry keys, in order to demonstrate how to add context and depth to one’s findings.

The book seems most useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations.

Windows Registry Forensics is divided into four chapters. The first provides an introduction to both the Windows registry and to registry analysis, including a look at the data structure of the registry hive files. The second chapter introduces numerous tools that can be used to examine the registry, both during live response and dead disk analysis. Chapters three and four dive into specific registry artifacts and their investigative value, dividing the discussion between System (chapter 3) and User (chapter 4) activity.

The reader will learn to use the Windows registry to perform valuable investigative tasks such as: profile what a user did and when they did it, identify the physical locations of wireless access points used, determine whether a particular user account has a password set, discover which files may have been accessed on a USB device, and address whether malware could have been responsible for activity attributed to the user (the Trojan defense).

There are moments in the book, however, when more advanced or curious readers will find themselves wanting more. With few exceptions, the book focuses on the meaning of the registry values at hand and on how the data can be extracted using tools provided by the author. As a result, the book sometimes refers to the binary data structures contained within certain keys, and the need to parse those correctly, without discussing how the structures should be parsed. In these instances, the author simply notes that one or more of his RegRipper plugins will parse the data, then moves on to the meaning of that data.

These moments that want more technical depth are relatively few, however. The information Mr. Carvey does provide is still well worth the price of admission. It is the egregious number of proofing and editing errors, ranging from simple typos to flawed organization, that compels me to give this book three stars. The author is not entirely at fault, as Syngress titles by other authors have shown similar problems. The company seems to suffer a serious quality control problem. But the author is not without fault. In particular, the choice to organize the later chapters based on System versus User settings leads to a disorganized presentation in which the information needed to answer particular investigative questions is sometimes scattered across two chapters. Windows Registry Forensics would be much more cohesive if it had been organized around specific investigative questions. In this way, the approach to answering a question, or set of questions, would be presented in one place, regardless of which registry hives the relevant data resided in. The reader would not be forced to jump between chapters to find all of the information relevant to a particular question.

When all is said and done, however, Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey’s conversational writing style makes the book easy to read, aforementioned defects notwithstanding. In short, the book is certainly worth adding to your library. But I would be remiss if I did not point out that the number of flaws, both big and small, is unacceptable for any book, especially one with a list price of $69.95/£42.99.

Gregory Prendergast (This was incorrectly attributed to John Hughes in Digital Forensics Magazine; our apologies to Greg)

Book Title: Windows Registry Forensics

Book Subtitle: Advanced Digital Forensic Analysis of the Windows Registry

Author(s): Harlan Carvey

Publisher: Syngress

Date of Publishing: February 2011

ISBN: 9781597495806

Price: $69.95 / £42.99


BOOK REVIEW – Hacking the Human


Rating: ***

Even though I’m a qualified ISO 27001 Lead Auditor and former “management consultant”, I’m still basically a technical geek. So when I was asked to review this book I was not particularly looking forward to it, and I asked myself what relevance this book had to digital forensics. I have to say that, having reviewed the book, my mindset has changed.

The book contains 12 chapters, divided into three sections. The first section contains four chapters. It explains social engineering and describes the risks to an organization of social engineering attacks. It then goes on to explain why people are the weakest link in an organization. Finally, it explains why current thinking and approaches, including ISO 27001, do not pay due attention to social engineering risks. The second section then goes on to explain human vulnerabilities. It does this by examining a number of topics in the section’s chapters, including building trust, reading a person, subconscious techniques (including Neuro-Linguistic Programming) and the different roles a social engineering attacker could take. The final section concentrates on countermeasures to social engineering. It does this by describing techniques to assess an organization’s vulnerabilities and explaining security controls to counter the identified vulnerabilities, including awareness and training. Finally, the section explains how the countermeasures can be tested.

The book comprises 254 pages and given the retail price it is not the best value book I have come across.

So given all of the above, why did I get some value out of reviewing it? The answer lies in the number of examples and incidents of social engineering attacks it describes. There are over a dozen. Whilst a few of them have only a human element to them, most involve IT or phone technology to some degree. So I started thinking! If one of these attacks occurred, what evidence would I need to find to prove such an attack had occurred, or how would it be possible to establish that an innocent victim wasn’t actually the perpetrator? It was quite thought provoking.

This is not a book on IT security or digital forensics. Given the number of pages and the selling price it is not particularly good value. However, if you would like to understand social engineering attacks and consider their relevance to digital forensics, this is a reasonable addition to your library.

John Hughes

Book Title: Hacking the Human

Book Subtitle: Social Engineering Techniques & Security Countermeasures

Author(s): Ian Mann

Publisher: Gower Publishing Ltd.

Date of Publishing: November 2008

ISBN(13): 978-0566087738

Price: $104.95 / £60.00
