Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
Harlan Carvey

RRP: £42.99
Price: £37.83 & this item Delivered FREE in the UK with Super Saver Delivery. See details and conditions
You Save: £5.16 (12%)
Formats

Kindle Edition: £28.37
Paperback: £37.83

Product Description

Review

"It is no exaggeration to say that nearly everything that happens on a Windows system involves the registry-which makes effective examination of the registry absolutely fundamental to good Windows forensics.  By devoting a whole book to this critical Windows artifact, Harlan has delivered a much needed resource to everyone doing forensics investigations of Windows systems.  What I appreciate about this book, however, is that it is much more than a  mere compilation of registry keys important to forensics investigation.  This is a book about how to examine the registry, and it is a good one."  

-Troy Larson, Principal Forensic Program Manager, Network Security Investigations, Microsoft

"Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case.  Harlan Carvey steps the reader through critical analysis techniques recovering key evidence of activity of suspect user accounts or intrusion-based malware.  Using his extensive experience and research, Harlan's case studies provide behind-the-scenes details that enable every analyst to utilize these techniques immediately in their own investigations.  This book is a must have reference for current forensic knowledge of the Microsoft Registry Windows XP through Windows 7 and should become core knowledge for any serious digital forensic investigator."

- Rob Lee, SANS Institute


"Useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations. Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey's conversational writing style makes the book easy to read..."

- Digital Forensics Magazine

"This guide to digital forensics on computers running the Microsoft Windows operating system provides detailed information on the analysis of the Windows registry to detect intrusion and document user actions. The work is divided into three sections beginning with an overview of the registry structure and following with a discussion of registry analysis tools and concluding with an in depth case study of a registry forensics project. Each section includes answers to frequently asked questions and a selection of references for further reading. Illustrations, code examples, tips and warning notes are provided throughout and an accompanying CD-ROM provides copies of registry analysis tools created by the author. Carvey is a computer forensics consultant."

- Book News, Reference & Research

"As an experienced security architect I've been reasonably familiar with the 'windows registry' for many years and have frequently used regedit to look at various keys and values (and have sometimes even taken the dangerous steps of changing values!). In my vast library I also have a number of books describing the registry, although I have to say they are somewhat ancient. However it was not until I read this book I really appreciated the vast amount of information contained in the various registry files. Indeed I was not aware of forensics importance of these files... An extremely useful book to a forensics investigator, even an experienced one. I would not hesitate in recommending this book to anyone."

- InfoSecReviews.com (Best Digital Forensics Book, InfoSecReviews Book Awards)

Customer Reviews

Most Helpful Customer Reviews on Amazon.com
Amazon.com: 13 reviews
17 of 19 people found the following review helpful
An introduction to Windows Registry forensics 28 Mar 2011
By Anders Thulin - Published on Amazon.com
Format: Paperback
After having read the subtitle -- 'Advanced Digital Forensic Analysis of the Windows Registry' -- I was a bit surprised to find that this book seems to have its roots in 'the number of analysts ... [who] have no apparent idea of the forensic value of the Windows Registry' as the Preface mentions. This suggests the book is not so much for the advanced analyst, but more of an introduction to the area for those who are not yet proficient in analysing Registry information.

Other areas of the book, such as the description of some of the internal structures of the registry, tend to support this. An advanced book would probably not have omitted a description of the security descriptors on registry keys, for example.

This is probably not obvious to the buyer -- who is likely to go by the subtitle. I bought the book largely on the strength of the title, myself, and while I'm not disappointed, it's not quite the book I hoped for.

To the presumed reader, then, the main value is probably to be found in the two chapters of Case Studies. Here is where the value of the registry in a forensic analysis is most clearly described. These chapters are what beginning registry analysts want to read.

The focus of these chapters, though, is on the information in the registry, not where it is located, or to what extent it can be relied on. This is a deliberate decision of the author, and may be sound enough. It means, though, that the reader is more drawn into using the author's tools, and less into being able to locate the actual keys and values himself with regedit or other tools. In a text for more advanced users, it would have been a serious error to omit full key/value descriptions; in this type of book, it may lead to more complexity than is strictly warranted.

So, this is not quite the book for me. I don't mind buying it, but I will not be able to rely on it for reference, so it will end up in the bookshelf. I'd rate it at 3.5, but I do hesitate to round that up to an even four stars, as that is slightly too much, in my opinion.

What would have made me give a higher score?

* Better source references -- as it is, the source references are largely web links to Microsoft's support web site. If there are any references to printed works, I have not noted them. For example:

The author refers to earlier analysis by himself and Cory Altheide on USB artifacts, but so far I have been unable to find a single reference to that. As it's clear from the text that it was published, omitting this reference seems a little odd.

A couple of theses are mentioned: one by Jolantha Thomassen and one by Peter Norris, but none of these are properly referenced. The one by Ms. Thomassen, I was able to find a web link to in a "TIP" sidebar, and the one by Mr. Norris is mentioned in the text as another web link.

And Mark Russinovich's article 'Inside the Registry' mentioned in the text, is not cited either. (It was published in Windows NT Magazine.)

All of these may be available on the web, but as long as such presence is not guaranteed, I feel the proper source references to make are to the actually published texts.

For an introductory book, however, such references may be thought to be a little too academical and over the top -- though in that case, many of the existing references to Microsoft's support web site could not improbably be dropped as well.

* A road map for further studies -- assuming that this particular book is an introduction to the topic, additional sources for continued studies would have been welcome. The preface hints at a wealth of information about the registry, and it is not clear that all aspects have been covered.

I expected to find a mention of Jerry Honeycutt's book 'Microsoft Windows Registry Guide, 2. ed.' (Microsoft Press, 2005), mainly because it describes the practical workings of the registry, and deploying techniques, as well as how to identify what registry settings a particular program modifies. It also documents many registry settings that may be of interest at an investigation, though its focus is on computer management, not investigations, and it does go into many areas that were not included in the present book, such as registry access rights, and registry auditing.

Additionally, I can't rid myself of a feeling that the book tries to be a little more than just an introduction. Some of the information is not on an introductory level. For example, the note on NoInstrumentation on p. 190 is not obviously of any practical value, as it raises the question what exact information is affected by this setting. To the researcher, though, it is probably the starting point for further experiments.

And I must also admit that some terminological vagueness, spelling errors (the first is on the first text page of the book) and general grammatical and typographical fuzziness help pull down the score a bit. The book uses '...' which normally indicates deliberate omissions, but here seems to be used instead of dashes -- this is very confusing at first. Proper typography as well as text polishing is generally the job of the publisher, but as the present publisher, Syngress, does not have much of a reputation in this area, it probably should be considered to be part and parcel of buying a Syngress book in the first place, and so not affect the score of any particular title. Still, the presence of it grates.

Additionally, in a book of reference the index would have been a disaster. In an introductory book ... well, it may serve some purpose, but it's pretty clear that I can't use it to find anything important. There is, for example, an index entry 'Master boot record) MBR', but as the text it references only covers how to find drive signatures/volume IDs in the MBR, that entry is clearly not specific enough to be useful. More useful would have been to have index entries on 'drive signature' and 'volume ID', but there are none.
9 of 9 people found the following review helpful
Fishing With Harlan 28 Feb 2011
By Eric Huber - Published on Amazon.com
Format: Kindle Edition | Amazon Verified Purchase
Windows Registry Forensics is another excellent installment of Harlan's continuing research and education efforts relating to Windows forensics. In his previous work, Windows Forensic Analysis DVD Toolkit, Second Edition, Harlan covered the broader topic of Windows forensics. While he did cover registry forensics issues in his previous work, this book drills down even deeper into the subject and provides the reader with a comprehensive view of the inner workings of the Windows Registry. If you couple this book with his previous book, you essentially get Windows Forensic Analysis, Second Edition: The Director's Cut. I recommend this book to anyone who is interested in digital forensics and will be adding it to my "So you'd like to... Learn Digital Forensics" Amazon guide.

Previous reviewers such as David Nardoni have provided excellent detailed overviews of the individual chapters so I won't repeat that level of depth for this review. Harlan takes a "teach them to fish" approach in teaching the reader about the Windows Registry. If the reader is expecting a book with a laundry list of interesting Registry keys, they will walk away disappointed. This isn't to say that there isn't a tremendous amount revealed about individual keys, but it's done in the larger context of Harlan's efforts to teach the reader about the Registry in a comprehensive manner.

The first chapter is where Harlan teaches the reader about fish (the Registry). This chapter explains what the registry is and how to think about it in the context of an examination. The second chapter teaches the reader about the various fishing poles available to them such as Harlan's own RegRipper tool. The third and fourth chapters are where Harlan takes the reader fishing as he walks the reader through Registry examination using a case study approach.

Harlan is an excellent technical writer so the book flows well and the concepts are presented clearly to the reader. The pictures are large enough to show up clearly in the Kindle version of the book which I was grateful for since this is not always the case with Kindle books. My primary complaint with the book is the price especially for the Kindle edition. I don't expect technical books written for a small audience to be as inexpensive as mass market fiction, but a retail price of $69.95 is pretty steep. As I write this, the Amazon price is $62.95 for the physical version and $55.96 for the Kindle version. The price of the Kindle version is especially irritating considering it doesn't come with the DVD and doesn't require a physical distribution channel to provide it to me. In most cases (pay attention Syngress), I simply won't pay that much for a technical book unless it's something that I know is well written and will provide good value. This is one of those exceptional circumstances. Harlan is one of the few authors who I trust enough to spend that amount of money on for a book.
3 of 3 people found the following review helpful
A 4-chapter book with 20 chapters of knowledge 19 July 2011
By Andrew Hay - Published on Amazon.com
Format: Paperback
Four chapters. You might think that with only four chapters the author could in no way write a book that covers Windows registry forensics. I was a bit skeptical at first too but was quickly proven wrong. I've known Harlan for a few years now and I know that his knowledge of the Windows registry is in the 99th percentile when compared to his peers. Do not think of this as a four-chapter book. Think of this as a continuation of the concepts that Harlan presented in Chapter 4 of his Windows Forensic Analysis DVD Toolkit, Second Edition. With only roughly 100 pages in which to describe the valuable artifacts that reside in the Windows registry, Harlan obviously felt that he needed more room to spread his wings - hence the new book.

Chapter 1 provides a very detailed overview of registry analysis. Harlan really wants analysts to first consider the types of information they need prior to starting a forensic exercise. The 'what' and 'where' of the registry is detailed at great length in addition to its structure. Though this book shows you where to find the registry and some important keys, the author is careful to not present this as the bible of registry information - knowing full well that the minutiae will change from Windows release to Windows release. What this chapter does provide, however, is a good sense of what types of information can be found within the Windows registry. Chapter 2 provides in-depth coverage of several tools to not only conduct forensic investigations on the Windows registry but also how to interact with the registry (both on the target systems and remotely). The author describes tools that he has created (and that are freely available) in addition to tools and applications from others.

Perhaps the most valuable chapters in the entire book are the last two chapters. In chapters 3 and 4 the author provides numerous case studies that illustrate the kinds of information that can be found within the Windows registry. The various hives are discussed at length (the treasure chest of Windows artifacts) and numerous steps for tracking user activity are also discussed.

I cannot recommend this book enough. If you're looking for this book to be the Bible of registry information - you're not looking at the right book. If you want to know exactly what kind of information is stored within the Windows registry, however, this is an excellent map to get you to the finish line.
