Book Review – Windows Registry Forensics

 

 

 

 

Rating: ***

Windows Registry Forensics is a three-star book with five-star content. It has one mission: to persuade you that examining the Windows registry is an essential and valuable component of any Windows system examination. The author does this by presenting a variety of registry keys and values that can be leveraged to answer important investigative questions. The book does not, however, try to be an exhaustive guide to the Windows registry. Instead, Mr. Carvey focuses on an educated selection of high-value registry keys, in order to demonstrate how to add context and depth to one’s findings.

The book seems most useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations.

Windows Registry Forensics is divided into four chapters. The first provides an introduction to both the Windows registry and to registry analysis, including a look at the data structure of the registry hive files. The second chapter introduces numerous tools that can be used to examine the registry, both during live response and dead disk analysis. Chapters three and four dive into specific registry artifacts and their investigative value, dividing the discussion between System (chapter 3) and User (chapter 4) activity.

The reader will learn to use the Windows registry to perform valuable investigative tasks such as: profile what a user did and when they did it, identify the physical locations of wireless access points used, determine whether a particular user account has a password set, discover which files may have been accessed on a USB device, and address whether malware could have been responsible for activity attributed to the user (the Trojan defense).

There are moments in the book, however, when more advanced or curious readers will find themselves wanting more. With few exceptions, the book focuses on the meaning of the registry values at hand and on how the data can be extracted using tools provided by the author. As a result, the book sometimes refers to the binary data structures contained within certain keys, and the need to parse those correctly, without discussing how the structures should be parsed. In these instances, the author simply notes that one or more of his RegRipper plugins will parse the data, then moves on to the meaning of that data.

These moments that want more technical depth are relatively few, however. The information Mr. Carvey does provide is still well worth the price of admission. It is the egregious number of proofing and editing errors, ranging from simple typos to flawed organization, that compels me to give this book three stars. The author is not entirely at fault, as Syngress titles by other authors have shown similar problems. The company seems to suffer a serious quality control problem. But the author is not without fault. In particular, the choice to organize the later chapters based on System versus User settings leads to a disorganized presentation in which the information needed to answer particular investigative questions is sometimes scattered across two chapters. Windows Registry Forensics would be much more cohesive if it had been organized around specific investigative questions. In this way, the approach to answering a question, or set of questions, would be presented in one place, regardless of which registry hives the relevant data resided in. The reader would not be forced to jump between chapters to find all of the information relevant to a particular question.

When all is said and done, however, Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey’s conversational writing style makes the book easy to read, aforementioned defects notwithstanding. In short, the book is certainly worth adding to your library. But I would be remiss if I did not point out that the number of flaws, both big and small, is unacceptable for any book, especially one with a list price of $69.95/£42.99.

Gregory Prendergast   (This was incorrectly attributed to John Hughes in Digital Forensics Magazine, our apologies to Greg)

Book Title: Windows Registry Forensics

Book Subtitle: Advanced Digital Forensic Analysis of the Windows Registry

Author(s): Harlan Carvey

Publisher: Syngress

Date of Publishing: February 2011

ISBN: 9781597495806

Price: $69.95 / £42.99

(891)

Share

BOOK REVIEW – Hacking the Human

?Hacking the Human

 

 

 

 

 

 

 

Rating: ***

Even though I’m a qualified ISO 27001 Lead Auditor and former “management consultant” I’m still basically a technical geek. So when I was asked to review this book I was not particularly looking forward to it and I asked myself what relevance did this book have to digital forensics?  I have to say having reviewed the book my mindset has changed.

The book contains 12 chapters, divided into three sections. The first section contains four chapters.  It explains social engineering and describes the risks to an organization of social engineering attacks.  It then goes on to explain why people are the weakest link in an organization.  Finally it explains why current thinking and approaches, including ISO 27001, do not pay due attention to social engineering risks. The second section then goes on to explain human vulnerabilities.  It does this by examining a number of topics in the section’s chapters, including building trust, reading a person, subconscious techniques (including Neuro-Linguistic Programming) and then different roles a social engineer attacker could take.  The final section concentrates on countermeasures to social engineering.  It does this by describing techniques to assess an organization’s vulnerabilities, explaining security controls to counter defined vulnerabilities, including awareness and training.  Finally the section explains how the countermeasures can be tested.

The book comprises 254 pages and given the retail price it is not the best value book I have come across.

So given all of the above, why did I get some value out of reviewing it?  The answer lies within the number of examples and incidents of social engineering attacks it describes.  There are over a dozen.  Whilst a few of them have only a human element to them, most involve to some degree IT or phone technology.  So I started thinking!  If one of these attacks occurred what evidence would I need to find to prove such an attack had occurred, or how would it be possible to establish an innocent victim wasn’t actually the perpetrator?  It was quite thought provoking.

This is not a book on IT security, or Digital Forensics.  Given the number of pages and the sell price it is not particularly good value.  However if you would like to understand social engineering attacks and consider its relevance to digital forensics this is a reasonable edition to your library.

John Hughes

Book Title: Hacking the Human

Book Subtitle: Social Engineering Techniques & Security Countermeasures

Author(s): Ian Mann

Publisher: Gower Publishing Ltd.

Date of Publishing: November 2008

ISBN(13): 978-0566087738

Price: $104.95 / £60.00

(7814)

Share

Take part in our online satisfaction survey

Digital Forensics Magazine is running a satisfaction survey – we’d love to hear back from you all and gather your opinions on our magazine and sites. To take part in the survey simply visit http://www.surveymonkey.com/s/DFM-satisfaction-survey and complete the short survey.

All entries will eligible for a prize draw to win one of four subscriptions to the magazine for a year.

Many thanks in advance for your time.

The DFM Team

(507)

Share

Advertising opportunities within DFM

If you are interested in advertising in Digital Forensics Magazine or on our sites, please contact marketing@digitalforensicsmagazine for our latest rate card and a chance to explore opportunities where you can promote your services, college or brand in general.

We have a number of digital and print channels that can be used to reach a very desirable and segmented audience around the world.

(526)

Share

Student discount available until end of Feb

To help students make their money go further Digital Forensics Magazine has reinstated their 20% student discount for all those studying computer sciences or digital forensics. Offer applies to the digital version of the magazine subscription only.

From now until February 28th 2011 Digital Forensics Magazine is again offering students of digital forensics, computer sciences, or just those who are interested in this growing and fascinating discipline, 20% discount on the price of a digital subscription to their magazine.

In order to receive the discount code, please email marketing@digitalforensicsmagazine from a valid academic email account and the DFM team will send back a code to use during the subscription process that will give students 20% discount.

(478)

Share

A View from the Canadian Rockies or What Not to Present as Evidence of Online Paedophilia: R. v. Morelli, 2010 SCC 8, [2010] 1 S.C.R. 253

Don’t like what you see, tempted to jump to an ‘obvious’ conclusion-then don’t. Mr Urbain Morelli, an enthusiast of adult and child pornography, was at home when the computer technician came a calling. The technician noticed a webcam plugged into a VCR and pointed toward the man’s three-year-old daughter who was playing with toys nearby in a play pen. There were several links to adult and child pornography sites in the taskbar’s ‘favorites’ list of Mr. Morelli’s computer. When the technician returned the toys had been put away, the webcam was pointed in a different direction, the hard drive reformatted and the offending icons removed. The technician reported his concerns to a social worker, who told the Royal Canadian Mounted Police and a search warrant was issued. Appealing in the Canadian Supreme Court Mr. Morelli maintained his rights were violated when police searched his computer.  Finding in his favor the Supreme Court noted that the technician saw suspicious links but had not seen pornographic images of children on the computer. In addition information used to obtain the warrant failed to mention that the child was fully clothed, there had been no signs of physical abuse evident to the technician and that there was only one living area in the home.  All in all the court found that a selective presentation of facts portrayed a less objective and more villainous picture than would have been the case had all the material information been presented.  The court heard it was plausible to suppose Mr. Morelli was using his VCR and webcam to videotape his daughter at play for posterity’s sake, not for purposes connected with child pornography. The suspiciously labeled links in were insufficient to characterize a person as an habitual child pornography offender. Since the majority of pornographic material observed was adult this suggested that the accused did not have a pronounced interest in child pornography.

(802)

Share

What on Earth Next: Malta Gets a Prosecuted Pirate and the Right to a Lawyer

2010 saw momentous legal upheaval in Malta. A judgment by a Maltese Magistrates’ Court on 30 September 2010 for the first time there convicted a seller of computer hardware with distributing pirated Microsoft software. The guilty party received a large fine and two years probation. Computer hardware and other related apparatus seized by the Police during their investigations was confiscated. The Business Software Alliance (BSA), global representative of the software industry, welcomed the judgment as ‘a very important step in the fight against software copyright theft’ in Malta. The judgement is ‘proof that Malta is making great efforts to combat the escalating problem of piracy on the island’ according to Georg Herrnleben, BSA Director. In 2010, too, suspects in Malta were granted the marvellous novelty of a lawyer during police questioning. The right, long common to most in the civilised world, had for years languished in the Criminal Code articles 355AT, 355AU, 255AZ and sub-articles 2, 3 and 4 of article 355AX of article 74. What with all that and the emergence of a prosecuted pirate the island’s reputation as a Mecca for digital forensics experts may be about to take wing.

(715)

Share

Amazing 1/2 Price C|HFI Course

Hi everyone,

I’ve just heard from Firebrand Training that they are happy to extend an offer of a reduced-rate Forensics Training courses to our readers if they call now and book the C|HFI course and C|EH together. These are EC-Council courses all provide you with the ability to get certified in your profession. This is a great offer and we are really pleased to be able to offer it to you.

Remember, when you phone, tell them you got the offer from Digital Forensics Magazine.

From Firebrand Training

Firebrand Training is offering half price EC-Council Computer Hacking Forensics Investigator (C|HFI) certification, if you book the Certified Ethical Hacker (C|EH) course at the same time. Call us on 080 80 800 888 and join the Digital Forensics community!”

The links to the the two courses:

CEH – http://www.firebrandtraining.co.uk/courses/ec_council/ceh/hacking.asp
CHFI – http://www.firebrandtraining.co.uk/uk/forensics.asp

Tony

(567)

Share

Reviewer’s copy of iOS Forensics

I received my reviewer’s copy of the iOS Forensics book today from Apress (thanks for the freebie, guys) and it really is a spectacular job. Apress is a great publisher and the layout, cover and attention to detail with Sean’s manuscript is second to none. I hope you feel it worth it to buy this book for your forensics collection as Sean put a mammoth effort into it – I can attest to every late night, ounce of blood and sweat and headache this tome caused – however, the result is… well, view for yourself.

Tony

<

Book Details

iOS Forensic Analysis: for iPhone, iPad and iPod Touch book cover

  • By Sean Morrissey
  • ISBN13: 9781430233428
  • ISBN10: 1430233427
  • 372 pp.
  • Pub Date: 2010-12-21
  • eBook Price: $41.99

(552)

Share

iOS 4 Forensics – New Book from Apress

Sean Morrissey’s new book on iOS4 Forensics is brilliant.

<

Book Details

iOS Forensic Analysis: for iPhone, iPad and iPod Touch book cover

  • By Sean Morrissey
  • ISBN13: 9781430233428
  • ISBN10: 1430233427
  • 372 pp.
  • Pub Date: 2010-12-21
  • eBook Price: $41.99

Product Description

iOS Forensic Analysis provides an in-depth look at investigative processes for the iPhone, iPod Touch, and iPad devices. The methods and procedures outlined in the book can be taken into any courtroom. With iOS information never published before and data sets that are new and evolving, this book gives the examiner and investigator the knowledge to complete a full device examination that will be credible and accepted in the forensic community.
What you’ll learn

* How to respond to security incidents involving iOS devices
* How to acquire and analyze data on iOS devices such as iPhone and iPad
* How to analyze media exploitation on iOS devices

Who this book is for

Computer forensic professionals, law enforcement, attorneys, security professionals, those who are curious about such things, and educators. This book can also be employed by law enforcement training academies, universities, as well as computer forensic, information security, and e-discovery communities.

Purchase This eBook

(822)

Share