Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry Paperback – 24 Jan 2011
"As an experienced security architect I’ve been reasonably familiar with the ‘windows registry’ for many years and have frequently used regedit to look at various keys and values (and have sometimes even taken the dangerous steps of changing values!). In my vast library I also have a number of books describing the registry, although I have to say they are somewhat ancient. However, it was not until I read this book I really appreciated the vast amount of information contained in the various registry files. Indeed I was not aware of the forensic importance of these files."--Best Digital Forensics Book in InfoSecReviews Book Awards
"It is no exaggeration to say that nearly everything that happens on a Windows system involves the registry―which makes effective examination of the registry absolutely fundamental to good Windows forensics. By devoting a whole book to this critical Windows artifact, Harlan has delivered a much needed resource to everyone doing forensics investigations of Windows systems. What I appreciate about this book, however, is that it is much more than a mere compilation of registry keys important to forensics investigation. This is a book about how to examine the registry, and it is a good one."--Troy Larson, Principal Forensic Program Manager, Network Security Investigations, Microsoft
"Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case. Harlan Carvey steps the reader through critical analysis techniques recovering key evidence of activity of suspect user accounts or intrusion-based malware. Using his extensive experience and research, Harlan's case studies provide behind-the-scenes details that enable every analyst to utilize these techniques immediately in their own investigations. This book is a must-have reference for current forensic knowledge of the Microsoft Registry from Windows XP through Windows 7 and should become core knowledge for any serious digital forensic investigator."--Rob Lee, SANS Institute
"Useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations…. Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey’s conversational writing style makes the book easy to read...."--Digital Forensics Magazine
"This guide to digital forensics on computers running the Microsoft Windows operating system provides detailed information on the analysis of the Windows registry to detect intrusion and document user actions. The work is divided into three sections, beginning with an overview of the registry structure, following with a discussion of registry analysis tools, and concluding with an in-depth case study of a registry forensics project. Each section includes answers to frequently asked questions and a selection of references for further reading. Illustrations, code examples, tips and warning notes are provided throughout, and an accompanying CD-ROM provides copies of registry analysis tools created by the author. Carvey is a computer forensics consultant."--Book News, Reference & Research
"As an experienced security architect I’ve been reasonably familiar with the ‘windows registry’ for many years and have frequently used regedit to look at various keys and values (and have sometimes even taken the dangerous steps of changing values!). In my vast library I also have a number of books describing the registry, although I have to say they are somewhat ancient. However, it was not until I read this book I really appreciated the vast amount of information contained in the various registry files. Indeed I was not aware of the forensic importance of these files….. An extremely useful book to a forensics investigator, even an experienced one. I would not hesitate in recommending this book to anyone…"--InfoSecReviews.com
About the Author
Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and "cloud computing" services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan's primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms. Harlan holds a bachelor's degree in electrical engineering from the Virginia Military Institute and a master's degree in the same discipline from the Naval Postgraduate School. Harlan resides in Northern Virginia with his family.
Top Customer Reviews
Previous reviewers such as David Nardoni have provided excellent detailed overviews of the individual chapters so I won't repeat that level of depth for this review. Harlan takes a "teach them to fish" approach in teaching the reader about the Windows Registry. If the reader is expecting a book with a laundry list of interesting Registry keys, they will walk away disappointed. This isn't to say that there isn't a tremendous amount revealed about individual keys, but it's done in the larger context of Harlan's efforts to teach the reader about the Registry in a comprehensive manner.
The first chapter is where Harlan teaches the reader about fish (the Registry). This chapter explains what the registry is and how to think about it in the context of an examination. The second chapter teaches the reader about the various fishing poles available to them, such as Harlan's own RegRipper tool. The third and fourth chapters are where Harlan takes the reader fishing as he walks the reader through Registry examination using a case study approach.
Harlan is an excellent technical writer so the book flows well and the concepts are presented clearly to the reader. The pictures are large enough to show up clearly in the Kindle version of the book which I was grateful for since this is not always the case with Kindle books. My primary complaint with the book is the price especially for the Kindle edition. I don't expect technical books written for a small audience to be as inexpensive as mass market fiction, but a retail price of $69.95 is pretty steep. As I write this, the Amazon price is $62.95 for the physical version and $55.96 for the Kindle version. The price of the Kindle version is especially irritating considering it doesn't come with the DVD and doesn't require a physical distribution channel to provide it to me. In most cases (pay attention Syngress), I simply won't pay that much for a technical book unless it's something that I know is well written and will provide good value. This is one of those exceptional circumstances. Harlan is one of the few authors who I trust enough to spend that amount of money on for a book.
Other areas of the book, such as the description of some of the internal structures of the registry, tend to support this. An advanced book would probably not have omitted a description of the security descriptors on registry keys, for example.
This is probably not obvious to the buyer -- who is likely to go by the subtitle. I bought the book largely on the strength of the title, myself, and while I'm not disappointed, it's not quite the book I hoped for.
To the presumed reader, then, the main value is probably to be found in the two chapters of Case Studies. Here is where the value of the registry in a forensic analysis is most clearly described. These chapters are what beginning registry analysts want to read.
The focus of these chapters, though, is on the information in the registry, not where it is located, or to what extent it can be relied on. This is a deliberate decision of the author, and may be sound enough. It means, though, that the reader is more drawn into using the author's tools, and less into being able to locate the actual keys and values himself with regedit or other tools. In a text for more advanced users, it would have been a serious error to omit full key/value descriptions; in this type of book, it may lead to more complexity than is strictly warranted.
So, this is not quite the book for me. I don't mind buying it, but I will not be able to rely on it for reference, so it will end up in the bookshelf. I'd rate it at 3.5, but I do hesitate to round that up to an even four stars, as that is slightly too much, in my opinion.
What would have made me give a higher score?
* Better source references -- as it is, the source references are largely web links to Microsoft's support web site. If there are any references to printed works, I have not noted them. For example:
The author refers to earlier analysis by himself and Cory Altheide on USB artifacts, but so far I have been unable to find a single reference to that. As it's clear from the text that it was published, omitting this reference seems a little odd.
A couple of theses are mentioned: one by Jolantha Thomassen and one by Peter Norris, but neither of these is properly referenced. The one by Ms. Thomassen, I was able to find a web link to in a "TIP" sidebar, and the one by Mr. Norris is mentioned in the text as another web link.
And Mark Russinovich's article 'Inside the Registry', mentioned in the text, is not cited either. (It was published in Windows NT Magazine.)
All of these may be available on the web, but as long as such presence is not guaranteed, I feel the proper source references to make are to the actually published texts.
For an introductory book, however, such references may be thought to be a little too academic and over the top -- though in that case, many of the existing references to Microsoft's support web site could not improbably be dropped as well.
* A road map for further studies -- assuming that this particular book is an introduction to the topic, additional sources for continued studies would have been welcome. The preface hints at a wealth of information about the registry, and it is not clear that all aspects have been covered.
I expected to find a mention of Jerry Honeycutt's book 'Microsoft Windows Registry Guide, 2. ed.' (Microsoft Press, 2005), mainly because it describes the practical workings of the registry, and deploying techniques, as well as how to identify what registry settings a particular program modifies. It also documents many registry settings that may be of interest at an investigation, though its focus is on computer management, not investigations, and it does go into many areas that were not included in the present book, such as registry access rights, and registry auditing.
Additionally, I can't rid myself of a feeling that the book tries to be a little more than just an introduction. Some of the information is not on an introductory level. For example, the note on NoInstrumentation on p. 190 is not obviously of any practical value, as it raises the question of what exact information is affected by this setting. To the researcher, though, it is probably the starting point for further experiments.
And I must also admit that some terminological vagueness, spelling errors (the first is on the first text page of the book) and general grammatical and typographical fuzziness help pull down the score a bit. The book uses '...', which normally indicates deliberate omissions, but here seems to be used instead of dashes -- this is very confusing at first. Proper typography as well as text polishing is generally the job of the publisher, but as the present publisher, Syngress, does not have much of a reputation in this area, it probably should be considered to be part and parcel of buying a Syngress book in the first place, and so not affect the score of any particular title. Still, the presence of it grates.
Additionally, in a book of reference the index would have been a disaster. In an introductory book ... well, it may serve some purpose, but it's pretty clear that I can't use it to find anything important. There is, for example, an index entry 'Master boot record) MBR', but as the text it references only covers how to find drive signatures/volume IDs in the MBR, that entry is clearly not specific enough to be useful. More useful would have been to have index entries on 'drive signature' and 'volume ID', but there are none.
Chapter 1 provides a very detailed overview of registry analysis. Harlan really wants analysts to first consider the types of information they need prior to starting a forensic exercise. The 'what' and 'where' of the registry is detailed at great length in addition to its structure. Though this book shows you where to find the registry and some important keys, the author is careful to not present this as the bible of registry information - knowing full well that the minutiae will change from Windows release to Windows release. What this chapter does provide, however, is a good sense of what types of information can be found within the Windows registry. Chapter 2 provides in-depth coverage of several tools to not only conduct forensic investigations on the Windows registry but also how to interact with the registry (both on the target systems and remotely). The author describes tools that he has created (and that are freely available) in addition to tools and applications from others.
Perhaps the most valuable chapters in the entire book are the last two chapters. In chapters 3 and 4 the author provides numerous case studies that illustrate the kinds of information that can be found within the Windows registry. The various hives are discussed at length (the treasure chest of Windows artifacts) and numerous steps for tracking user activity are also discussed.
I cannot recommend this book enough. If you're looking for this book to be the Bible of registry information - you're not looking at the right book. If you want to know exactly what kind of information is stored within the Windows registry, however, this is an excellent map to get you to the finish line.
The book provides an insightful overview of the forensic analysis process - critical "before you get started" information, particularly the point about knowing your goals before you begin. Too many analysts make the mistake of diving in and "looking for stuff" without fully understanding what they're looking for or what questions they're trying to answer. The overview of registry terminology, format, and contents, including information and important changes in Vista and Windows 7, lays the essential foundation for any serious analyst.
The book's focus on free and open source tools (including the author's own iconic RegRipper) makes analysis accessible to everyone, from students to hobbyists to professionals on a limited budget. This approach is refreshing in an age of competing (and expensive) commercial tools. An added bonus is that the tools discussed tend to be "lean and mean", placing the analyst very close to the raw data in question. This tends to foster better analysts who possess an understanding of "what's actually happening" over those who are over-reliant on commercial tools with the equivalent of built-in "find evidence" buttons.
While providing a detailed discussion of both system and user registry hives, the book thankfully avoids a "laundry list" approach of "important" registry values. While this may disappoint readers who are looking for a simple checklist approach to registry analysis, the author's point that "important" values change over time is well-taken; analysts who limit their investigation to "known" important keys may overlook critical evidence. Instead, Mr. Carvey highlights various examples, while always encouraging his readers to further explore and test on their own.
That said, the book does provide a welcome in-depth discussion of topics of more recent interest and research (such as those related to removable media, network interfaces and wireless access points, and the value of historical data from system restore points). Mr. Carvey goes a step further by also discussing the interrelations among multiple keys, allowing the integration of data points from disparate parts of the registry to provide a more in-depth picture not only of "what happened" - but in some cases, also "who did it".
Perhaps of greatest interest is the author's discussion of the user registry environment, which is unique among current forensics books on the market. As forensic analysis becomes increasingly critical in proving a variety of crimes, an analyst's ability to tie system activity to a particular user account, and thereby demonstrate which account was (or was not) used to perform some activity becomes an essential skill.
Given the scope of the Windows registry, the lack of formal documentation from Microsoft, the variations across versions of Windows, and the endless number of applications that may interact with the registry in a variety of ways, no book can comprehensively address all there is to know about the subject. That said, Harlan Carvey does the next best thing: he demystifies the registry, provides his readers with a map, appropriate tools, and a comprehensive guide to enable them to perform their own testing and analysis according to their own needs or inclinations. As Mr. Carvey has repeatedly demonstrated throughout his career, we all become better analysts when we research, document, and (most importantly) share our findings. This book provides essential skills and guidance for analysts to examine the Windows registry today, but also lays the groundwork for further study and expansion of the field as a whole.
In typical fashion Harlan comes out of the gate providing you with a great foundation about the registry in Chapter 1, which covers the basic building blocks of understanding what the registry is, where it is located and how it is structured. I found the material on the registry structure to be very valuable as it explains in detail some of the various time-based information you may find yourself encountering while investigating various artifacts from different applications.
The tools section in Chapter 2 covers two main groups: tools for live registry analysis and tools for forensic analysis (typically offline registry files). The live analysis portion does a good job of giving you the benefits & costs of performing live analysis and the tools that can help you accomplish this job. The book also does a decent job of mentioning some of the tools for live registry monitoring. The forensic portion of Chapter 2 deals with some of the typical tools forensic examiners might use for offline registry analysis. My favorite part of Chapter 2 is how the book goes into detail in using the RegRipper and RipXP tools. I really appreciated the extra effort that was taken to explain how to write plugins for RegRipper and explain some of the Perl code that is being used behind some of the various RegRipper plugins. Many examiners may be using tools like RegRipper without having any idea how it works. I think this chapter does a better job in explaining some of those details for non-programmers. In my opinion, even with the explanation in this chapter I still feel you should have a basic understanding of Perl if you want to write your own plugins.
Chapter 3 dives head first into the various registry hives dealing with the computer system (Security, SAM, System, Software & BCD hives). Now this is the stuff that most of us buy the book for! Chapter 3 deals with numerous real-world examples of forensic artifacts we want to decipher to be able to tell a story based on what we found in the registry. Some of the areas detailed in the chapter focus on determining if a user had a password set, what level of auditing was enabled on the system, how to crack the user's password, and how to boot the system up in a virtual machine. If you like the details about USB/portable devices and the artifacts they leave behind, Chapter 3 is for you. Web browser settings, wireless settings, file associations, and autostart locations are all covered well in the Software hive section.
Tracking user activity is the title of Chapter 4, and Harlan does do a good job of giving us plenty to work with in this chapter. I really like how there are little sections in the book that focus on helping the reader answer a question. For instance, "What Application Uses or Created that File?" is the name of a section in the book that walks through how an examiner might go about answering that question. The end of Chapter 4 has two great sections: "Tying it Together" and "The Trojan Defense". Both of these sections do a great job of reminding us as examiners that we are ultimately trying to tell a story based on artifacts that we find on a computer system.
Windows Registry Forensics is a great asset to have on your bookshelf if you want to advance your understanding of the Windows Registry from a forensic perspective.