Windows Forensic Analysis DVD Toolkit Paperback – 25 Sep 2009

Product details

  • Paperback: 512 pages
  • Publisher: Syngress; 2 edition (25 Sept. 2009)
  • Language: English
  • ISBN-10: 1597494224
  • ISBN-13: 978-1597494229
  • Product Dimensions: 3.2 x 19 x 22.9 cm
  • Average Customer Review: 4.5 out of 5 stars (4 customer reviews)
  • Amazon Bestsellers Rank: 631,253 in Books

Product Description
"If your job requires investigating compromised Windows hosts, you must read Windows Forensic Analysis."--Richard Bejtlich, Coauthor of Real Digital Forensics and Top 500 Book Reviewer

About the Author

Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and “cloud computing” services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan’s primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms.
Harlan holds a bachelor’s degree in electrical engineering from the Virginia Military Institute and a master’s degree in the same discipline from the Naval Postgraduate School. Harlan resides in Northern Virginia with his family.

Customer Reviews


Most Helpful Customer Reviews

2 of 2 people found the following review helpful By Mr. M. A. Johnston on 3 Oct. 2009
Format: Paperback
If you are involved in Computer Forensics this book is the diamond in your library. The author obviously has a great knowledge of, and passion for, the subject, and this comes across in his book. Explanations are precise and understandable and the tools on the accompanying DVD are a great addition to any toolkit.
1 of 1 people found the following review helpful By Amazon Customer VINE VOICE on 17 Feb. 2010
Format: Paperback Verified Purchase
This is an essential purchase if you are a student of Computer Forensics or an actual computer forensic examiner. It's one of those books you need close at hand.
It's an excellent source of knowledge concerning registry analysis especially.
Format: Paperback
Superb to assist in knowing the nuts and bolts of Windows and being able to analyse it too.
0 of 3 people found the following review helpful By intelligy on 8 Aug. 2010
Format: Paperback
Bought the book to add to my knowledge of data forensics, but only found a couple of chapters worth reading; the rest can be found online for free, and it doesn't really come up to the blurb, in that it doesn't show how to perform a complete forensic recovery of... emails, say, WITHOUT using software? chris [...]

Most Helpful Customer Reviews (beta): 20 reviews
21 of 22 people found the following review helpful
Essential reading 7 Jun. 2009
By Jimmy Weg - Published on
Format: Paperback Verified Purchase
The second edition of Harlan's book nicely complements the first and is essential reading for practitioners at all levels. For those of us who primarily engage in exams of acquired images, the chapters on Registry Analysis, File Analysis, Executable Analysis, and Rootkit Detection provide and build upon basic concepts that go beyond what is taught in beginning and intermediate computer forensics courses.

The registry analysis chapter is particularly valuable and one that I draw on repeatedly. The accompanying DVD, with its scripts, not only provides tools to gather the data that Harlan describes, but provides a means to learn while you read by taking a hands on approach to registry analysis.

The chapter on file analysis teaches fundamentals of system files and logs that can provide key evidence in an exam. It explains not only what may be found, but how to get it and why it got there. These are the types of issues that can aid immeasurably when it comes to report writing and courtroom testimony. Similarly, the discussions on malware, rootkits, and executables provide guidance and solutions to considerations of whether an uninvited influence played a role in data arriving on, or departing from, a system.

For those who don't engage in incident or live response at the moment, the time is fast approaching when that aspect of forensics is going to be vital to us all. Harlan explains what information is available, and he describes the methods and tools with which we can acquire volatile data and access information that's gone once the plug is pulled. Harlan brings together this area of his book with a discussion of analyzing the data.

In sum, this is a great work that is suited to those who have had basic computer forensics training as well as examiners who have been practicing for a long time. Things change every day, and WFA II provides a means to keep pace.
16 of 19 people found the following review helpful
Even better than the first edition 21 Jun. 2009
By hogfly - Published on
Format: Paperback
In ancient times, when philosophers and scientists gathered to discuss and debate important topics, people would travel for weeks and months to arrive, just to hear the debates. To listen to the great minds of the time, to learn from them, and on occasion ask questions. In 2009 that trend continues though in a different fashion.

In the case of Windows Forensic Analysis we are fortunate enough to have Harlan Carvey. He has a deep well of knowledge to pull from and he continues to pull buckets of information out of the well to keep us all well hydrated. I was honored to read this book, and it's my privilege to write a review. It's the least I could do.

It's a text book, it's a field manual, it's reference material. This is Windows Forensic Analysis Second Edition and it's the best damn book on the planet for Windows Forensics. I thought I liked the first edition and then I read the second.

It's been updated to be sure, but it's also been expanded. There's current information contained in the over 400 pages of content. There are case studies, there are details you won't find elsewhere.

Want to know how to dump memory and collect volatile data? It's in the book.
Can't recall which tool has certain limitations or what the tool can do? It's in the book.
Want to know how to analyze volatile data? It's in the book.
Want to learn how the registry works? It's in the book.
Want to know how to do Windows Forensic Analysis? Read this book.

I've watched the forums and mailing lists since the first edition of the book was released two years ago. Time after time I read the questions being asked and went to the book. In an overwhelming majority of cases, the answer was there. To those of you that asked these questions, do yourself a favor. Go to the bookstore, or online store and buy the book, read it, highlight it, dog ear pages for reference. Make use of the knowledge that has been shared, your clients deserve it.

In ancient times, people would travel for weeks or months to listen and learn from the greats... all you have to do is spend a little money and open the book.
7 of 7 people found the following review helpful
If you buy one book on Windows forensics, this should be it 23 July 2009
By Jennifer Kolde - Published on
Format: Paperback
For several years, Harlan Carvey has led the field in sharing and publishing his extensive knowledge of Windows forensics. The latest edition of Harlan's book does not disappoint, and this updated and revised copy remains THE Windows forensics reference book to have on your shelf. Harlan draws on both his in-depth knowledge of the Windows operating system and his extensive experience in real-world incident response to successfully bridge what is often a gap between the world of the first responder and the world of the forensic analyst. This is particularly appropriate at a time when those roles continue to converge. If there is information to be found on a Windows system (and I think Harlan knows and has documented the Windows registry better than anyone at Microsoft), Harlan will tell you not only where, but also how to find it. But he doesn't stop there; Harlan also provides several open-source (Perl-based) tools on the accompanying DVD to allow you to extract a variety of useful data from a Windows computer to aid you in your investigation. If you want to do two things to aid your incident response / forensics capabilities, then 1. buy this book, and 2. learn Perl!
8 of 9 people found the following review helpful
There is no substitute for this book 7 Sept. 2009
By Richard Bejtlich - Published on
Format: Paperback
I read and reviewed the 1st Ed of this book in July 2007, and I just finished reading Windows Forensic Analysis 2nd Ed (WFA2E) this weekend. If your job involves investigating Windows systems, you must read this book. It's as simple as that. There is no substitute for this book. It also perfectly complements other solid forensics works already published.

The three main reasons why I liked the 1st Ed hold for the 2nd Ed. The subject matter is exactly what I wanted to read. WFA2E introduces a vast number of tools to help investigators implement the concepts explained by the author. Harlan brings a lot of experience to WFA. Of these three, I really appreciate Harlan's experience. He is constantly "in the fight" so he knows what works and what doesn't. He's been around so long that he knows what he's talking about. If he encounters a problem, he can either try fixing it himself or he is friends with someone who can work the issue. All of these characteristics shine in WFA2E.

I expect to see a 3rd Ed of this book in a few years, incorporating more Windows Vista and Windows 7 material. It might also be helpful to consider techniques for Windows Server and Mobile platforms in the 3rd Ed. Regardless, I will look forward to that book when it arrives because I enjoyed WFA1E and WFA2E so much.
4 of 4 people found the following review helpful
The best forensic book currently available 1 Sept. 2009
By Jesse G. Lands - Published on
Format: Paperback
I've started reading or read a number of forensic books in the past two years. Though I have yet to read a specific Operating System forensic book, most have generally focused on Windows as the choice for forensic analysis. Of all the books that I have read, I would have to say that by far Windows Forensic Analysis DVD Toolkit second edition is the best.
The author is very thorough without beating a single tool to death. The author covers numerous tools, but continues to stress that having information from one tool does not give the investigator the 'smoking gun' to solving the case. He stresses repeatedly that this is just adding another tool to the investigator's toolbox.
Many books are simply an attempt to sell their book by declaring that if you follow step one, followed by step two, followed by step three, etc., you will suddenly be a master forensic investigator or incident handler. Harlan Carvey never says that reading this book will make you an expert, only that he hopes to enlighten the reader to new tools and techniques. The author makes it very clear that each tool is valuable, but the reader should find the tools that suit their own needs and get the experience necessary to analyze the output.
The book jumps straight into the discussion of volatile data and the importance of capturing it as close to the instance of compromise as possible. I was pleased to see that the author made a point of emphasizing this. There is still a mindset in many situations that pulling the plug is the first thing to accomplish.
The first three chapters are a statement to the importance placed on collecting and analyzing the volatile portion of the incident. Though technically the first two chapters also cover information to tie in the remaining chapters there is always that focus of maintaining data as close to the point of compromise as possible.
The next three chapters cover the static files and registry that a Forensic Analyst will have to review and analyze. The author covers numerous tools as well as providing his tools and his preferences for use.
The last three chapters cover rootkits, tying it together with case studies and then finally Forensic Analysis on a budget.
Throughout the book the author makes references to papers, websites and other books that will provide a much more in-depth discussion of the topics. In every chapter he provides a source for more up-to-date software than what is provided on the DVD.
The author includes numerous tools that are his personal scripts or scripts that he has modified for his use. For the most part his scripts are all Perl based, but again the author shows his flexibility and understanding when he explains why his tools are Perl and not something else. At no point does the author take a "this is the only right way to do it" attitude. It is refreshing to see an unbiased book that is primarily Windows oriented.
With all that being said I would say that grammatical editing could have been a little better. Even with these errors the book was definitely worth buying. We have a copy in our office and I am buying a copy for my own personal use. I would say that if you are doing Windows forensics or have an interest in learning about the current trends in Windows forensics you need to pick up a copy. It will be an invaluable resource.