Windows Registry Forensics is a three-star book with five-star content. It has one mission: to persuade you that examining the Windows registry is an essential and valuable component of any Windows system examination. The author does this by presenting a variety of registry keys and values that can be leveraged to answer important investigative questions. The book does not, however, try to be an exhaustive guide to the Windows registry. Instead, Mr. Carvey focuses on an educated selection of high-value registry keys, in order to demonstrate how to add context and depth to one’s findings.
The book seems most useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations.
Windows Registry Forensics is divided into four chapters. The first provides an introduction to both the Windows registry and to registry analysis, including a look at the data structure of the registry hive files. The second chapter introduces numerous tools that can be used to examine the registry, both during live response and dead disk analysis. Chapters three and four dive into specific registry artifacts and their investigative value, dividing the discussion between System (chapter 3) and User (chapter 4) activity.
The reader will learn to use the Windows registry to perform valuable investigative tasks such as: profile what a user did and when they did it, identify the physical locations of wireless access points used, determine whether a particular user account has a password set, discover which files may have been accessed on a USB device, and address whether malware could have been responsible for activity attributed to the user (the Trojan defense).
There are moments in the book, however, when more advanced or curious readers will find themselves wanting more. With few exceptions, the book focuses on the meaning of the registry values at hand and on how the data can be extracted using tools provided by the author. As a result, the book sometimes refers to the binary data structures contained within certain keys, and the need to parse those correctly, without discussing how the structures should be parsed. In these instances, the author simply notes that one or more of his RegRipper plugins will parse the data, then moves on to the meaning of that data.
These moments that want more technical depth are relatively few, however. The information Mr. Carvey does provide is still well worth the price of admission. It is the egregious number of proofing and editing errors, ranging from simple typos to flawed organization, that compels me to give this book three stars. The author is not entirely at fault, as Syngress titles by other authors have shown similar problems. The company seems to suffer a serious quality control problem. But the author is not without fault. In particular, the choice to organize the later chapters based on System versus User settings leads to a disorganized presentation in which the information needed to answer particular investigative questions is sometimes scattered across two chapters. Windows Registry Forensics would be much more cohesive if it had been organized around specific investigative questions. In this way, the approach to answering a question, or set of questions, would be presented in one place, regardless of which registry hives the relevant data resided in. The reader would not be forced to jump between chapters to find all of the information relevant to a particular question.
When all is said and done, however, Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey’s conversational writing style makes the book easy to read, aforementioned defects notwithstanding. In short, the book is certainly worth adding to your library. But I would be remiss if I did not point out that the number of flaws, both big and small, is unacceptable for any book, especially one with a list price of $69.95/£42.99.
Gregory Prendergast (This was incorrectly attributed to John Hughes in Digital Forensics Magazine, our apologies to Greg)
Book Title: Windows Registry Forensics
Book Subtitle: Advanced Digital Forensic Analysis of the Windows Registry
Author(s): Harlan Carvey
Date of Publishing: February 2011
Price: $69.95 / £42.99