Start reading Windows Forensic Analysis Toolkit on your Kindle in under a minute. Don't have a Kindle? Get your Kindle here or start reading now with a free Kindle Reading App.

Deliver to your Kindle or other device


Try it free

Sample the beginning of this book for free

Deliver to your Kindle or other device

Sorry, this item is not available in
Image not available for
Image not available

Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7 [Kindle Edition]

Harlan Carvey
3.8 out of 5 stars  See all reviews (4 customer reviews)

Print List Price: £42.99
Kindle Price: £29.31 includes VAT* & free wireless delivery via Amazon Whispernet
You Save: £13.68 (32%)
* Unlike print books, digital books are subject to VAT.

Free Kindle Reading App Anybody can read Kindle books—even without a Kindle device—with the FREE Kindle app for smartphones, tablets and computers.

To get the free app, enter your e-mail address or mobile phone number.


Amazon Price New from Used from
Kindle Edition £29.31  
Paperback £30.85  
Kindle Daily Deal
Kindle Daily Deal: Up to 70% off
Each day we unveil a new book deal at a specially discounted price--for that day only. Learn more about the Kindle Daily Deal or sign up for the Kindle Daily Deal Newsletter to receive free e-mail notifications about each day's deal.

Book Description

Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7 provides an overview of live and postmortem response collection and analysis methodologies for Windows 7. It considers the core investigative and analysis concepts that are critical to the work of professionals within the digital forensic analysis community, as well as the need for immediate response once an incident has been identified.
Organized into eight chapters, the book discusses Volume Shadow Copies (VSCs) in the context of digital forensics and explains how analysts can access the wealth of information available in VSCs without interacting with the live system or purchasing expensive solutions. It also describes files and data structures that are new to Windows 7 (or Vista), Windows Registry Forensics, how the presence of malware within an image acquired from a Windows system can be detected, the idea of timeline analysis as applied to digital forensic analysis, and concepts and techniques that are often associated with dynamic malware analysis. Also included are several tools written in the Perl scripting language, accompanied by Windows executables.
This book will prove useful to digital forensic analysts, incident responders, law enforcement officers, students, researchers, system administrators, hobbyists, or anyone with an interest in digital forensic analysis of Windows 7 systems.

  • Timely 3e of a Syngress digital forensic bestseller
  • Updated to cover Windows 7 systems, the newest Windows version
  • New online companion website houses checklists, cheat sheets, free tools, and demos

Product Description


"Harlan has done it again! Continuing in the tradition of excellence established by the previous editions, Windows Forensics Analysis Toolkit 3e is an indispensable resource for any forensic examiner. Whether you're a seasoned veteran or just starting out, this work is required reading. WFA3e will maintain a perennial spot on my core reference bookshelf!"--Cory Altheide, Google "Windows Forensic Analysis Toolkit 3rd Edition provides a wealth of important information for new and old practitioners alike. Not only does it provide a great overview of artifacts of interest on Windows 7 systems, but it also presents plenty of technology independent concepts that play an important role in any investigation. Feel free to place a copy on your shelf next to WFA 2ed and WRF." "The third edition of this reference for system administrators, digital forensic analysts, students, and law enforcement does not replace the second edition, but rather serves as a companion. Coverage encompasses areas such as immediate response, volume shadow copies, file and registry analysis, malware detection, and application analysis. Learning features include b&w screenshots, tip and warning boxes, code (also available on a website), case studies, and 'war stories' from the field. The tools described throughout the book are written in the Perl scripting language, but readers don't need to be experts in Perl, and most of the scripts are accompanied by Windows executables found online. For this third edition, a companion website provides printable checklists, cheat sheets, custom tools, and demos."--Reference and Research Book News, Inc. "There is a good reason behind the success of the previous editions of this book, and it has to do with two things: new Windows versions are different enough from previous ones to warrant a new edition and, most importantly, the author is simply that good at explaining things. This edition is no different."--HelpNetSecurity

About the Author

Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and "cloud computing services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan's primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms. Harlan holds a bachelor's degree in electrical engineering from the Virginia Military Institute and a master's degree in the same discipline from the Naval Postgraduate School. Harlan resides in Northern Virginia with his family.

Product details

  • Format: Kindle Edition
  • File Size: 2441 KB
  • Print Length: 296 pages
  • Publisher: Syngress; 3 edition (27 Jan. 2012)
  • Sold by: Amazon Media EU S.à r.l.
  • Language: English
  • ASIN: B00746IPC8
  • Text-to-Speech: Enabled
  • X-Ray:
  • Word Wise: Not Enabled
  • Average Customer Review: 3.8 out of 5 stars  See all reviews (4 customer reviews)
  • Amazon Bestsellers Rank: #578,521 Paid in Kindle Store (See Top 100 Paid in Kindle Store)
  •  Would you like to give feedback on images?

More About the Author

Discover books, learn about writers, and more.

What Other Items Do Customers Buy After Viewing This Item?

Customer Reviews

3.8 out of 5 stars
3.8 out of 5 stars
Most Helpful Customer Reviews
2 of 2 people found the following review helpful
Format:Paperback|Verified Purchase
Very introductory book.
Despite the name xxx Windows 7, Windows XP mentioned very often, a lot of explanation how it worked in XP, the pictures as well taken form XP machine. Totally irrelevant, and annoying (noise), assuming that the author spend a lot of time with this platform. Probably to read about Win7 one need to wait when the same book will be about Windows 9 or 10.
Comment | 
Was this review helpful to you?
2.0 out of 5 stars Basic, basic, basic... 19 Oct. 2014
- The author goes (yet again) - as in all his other books - and explains a lot of good theoretical concepts. Some may find the amount of "talk for the sake of talking" a bit too much.
- There's a few good DFIR tools mentioned in the book.

- From a bird's eye view, although the book says it's about "advanced analysis techniques for Win7" it still covers (for about 50% or so) XP / 2003 & Vista - XP being a clear winner here with around 30%. Win7's new features account for at most 15-20% of the content.
- Now if I were to look at the title and look for something that would justify the "advanced analysis" part of the title I have to say I can't point out anything in particular. Most of the techniques are the same used on XP but slightly adapted to include new tools.
- The memory analysis is missing completely... there's absolutely nothing about the new memory structures specific to Win7. What kind of DFIR investigation is one where memory is not even considered as a potential source of evidence??
- Also speaking of "advanced" the book is not spending enough time talking about what's going on under the hood of many tools presented; one example is *.pf files who's structure is very interesting and with a bit of effort one can parse it at hand. My point is that too much abuse of various tools tend to transform the investigator into a "tool monkey" without an "advanced" understanding of what's really going beneath the GUI of his various tools.
Comment | 
Was this review helpful to you?
5.0 out of 5 stars Essential 30 Nov. 2012
If you're doing forensic analysis of Windows computers then you need this book. Virtually every page is packed with the sort of day-to-day techniques and tactics that you need for getting the job done. It's well-written, timely and doesn't make any false promises - where the behaviour or significance of an artefact is in dispute or uncertain, the author highlights this and gives pointers for further research. He also links topics in the book to other analysts in the community, so if something's of particular interest you can follow up. There's a strong emphasis on understanding the evidence you're recovering as well, rather than just relying on tools to do the work for you. I really can't recommend this book highly enough.
Comment | 
Was this review helpful to you?
5.0 out of 5 stars This is my Windows bible 13 April 2014
By deadlyh
This book has a wealth of knowledge on Windows forensics and has saved my bacon numerous times when I just couldn't find the information I needed online. If you're looking for low-level information on Windows files and the registry then I would strongly recommend this book. Anyone doing Windows-based digital forensics should own a copy of this book!
Comment | 
Was this review helpful to you?
Most Helpful Customer Reviews on (beta) 0.0 out of 5 stars  0 reviews
3 of 3 people found the following review helpful
5.0 out of 5 stars A perfect companion 26 Feb. 2012
By Jimmy Weg - Published on
I found that Harlan's latest book is a great adjunct to my collection of his works. While it presents many of the essential operating system updates that we've discussed on forums, it also reviews enough previously published material to give the reader a foundation upon which to grasp important topics that haven't been issues in earlier systems. I like the way that Harlan laid out the chapters; he presents the material succinctly, yet with sufficient detail to provide a worthwhile learning experience. From my perspective, I particularly appreciate the Malware Detection chapter, as it presents a very nice summary of problems that many law enforcement examiners face, and Harlan provides not only direction, but tells us why certain procedures and artifacts are important.
2 of 2 people found the following review helpful
5.0 out of 5 stars Easy to read and follow 15 May 2014
By Brandon Meyer - Published on
Format:Paperback|Verified Purchase
This book is a great extension to the second edition. NOTE: THIS BOOK CONTINUES ON FROM THE SECOND EDITION. This is not a complete rewrite or modifications, this is a continuation which means it references things that Harlan mentions in the Second Edition.
With that out of the way this book is great. I read along and I don't get bored, normally I would be bored with books like this but the writing is great so I can follow along easily. The tips and tidbits are great that go with. I highly recommend this book.
3 of 4 people found the following review helpful
5.0 out of 5 stars The third essential volume in Harlan Carvey's Windows forensic "trilogy" 6 Mar. 2012
By Jennifer Kolde - Published on
If you've worked with Windows for any length of time, you know that each subsequent version of Microsoft's operating system tends to be almost the same...and yet entirely different. Windows 7 is no exception, giving us many familiar logs, structures, and artifacts that we know from Windows XP or 2003...only revised and expanded, or in different locations, or in different formats, or all of the above. Not to mention the brand new stuff.

Harlan has once again found the sweet spot - instead of fully revising the Second Edition of his book (which would be premature, as most environments still have extensive XP / 2003 infrastructure in place, and likely will for some time), he provides a companion book that builds on his previous volumes and outlines the new technologies and key differences between Windows 7 and earlier versions of the OS.

Now that many corporations are finally rolling out Windows 7 in force, forensic examiners are also making the transition to analyzing "new" Windows systems. This book provides the essential reference for Windows 7 analysis. While many of the technologies and techniques in Harlan's book have been discussed on blogs, mailing lists, and at conferences, he has been kind enough to collect the information in one place. In addition, he has been thorough enough to verify and expand upon the information through his own research and analysis, providing real world examples, tips, and cautions along the way.

Finally, as always Harlan writes with a keen awareness - both first-hand and through his extensive industry contacts - of what is current "in the field". This encompasses not only the specific questions and challenges faced by real analysts in real cases, but the tools and techniques in use or under development to address those issues. Harlan's information is both timely and relevant...and all the better for those of us on a budget that many of those tools and techniques he discusses are free and / or open source.

Harlan Carvey's "Windows Forensic Analysis Toolkit - Third Edition" is a welcome companion to both his Second Edition and Windows Registry Analysis. The three form a set that no Windows incident responder or forensic analyst should be without.
2 of 2 people found the following review helpful
4.0 out of 5 stars Good Read 18 Mar. 2014
By W. Reis - Published on
Format:Paperback|Verified Purchase
If you are interested in this subject this is a good primer for the basics and how to documentation. Nice layout do not have to read from cover to cover
3 of 4 people found the following review helpful
4.0 out of 5 stars Cyber Forensic 18 Feb. 2013
By Katie - Published on
Format:Paperback|Verified Purchase
I needed this book for my forensic class and I was able to find it for a great price. The book is a bit boring the author keeps going off on tangents about his life, instead of teaching
Were these reviews helpful?   Let us know
Search Customer Reviews
Only search this product's reviews

Customer Discussions

This product's forum
Discussion Replies Latest Post
No discussions yet

Ask questions, Share opinions, Gain insight
Start a new discussion
First post:
Prompts for sign-in

Search Customer Discussions
Search all Amazon discussions

Look for similar items by category