Windows Registry Forensics

Rating: 2 votes, 2.50 average.
I had been waiting with some anticipation for this book. I have done a lot with the registry over the years, including writing my own registry viewer, and I was looking forward to what I was hoping would be an authoritative reference, I was both pleased with what I got and a little disappointed.

I wanted to get the paper version but was too impatient to wait until it was released over on this side of the pond so I decided it was time to try a digital book.

To be fair most of my disappointment was the format of the book, by that I obviously mean Kindle. I much prefer a proper paper book, I like to thumb through them bookmark pages and flick back and forth and not least I like a good selection of books. While the kindle does allow you to bookmark pages, add notes and search I still prefer the traditional paper approach. My main grief with the kindle format of this book though is the quality of the graphics, some of them, even when ‘zoomed in’ are of too poor a quality to read the different registry keys that were being depicted something I expect would not be an issue with the paper version.

On to the content, which is why I bought the book in the first place. Harlan has an excellent writing style which I found engages the reader and makes what could be a dull subject about as interesting as it could get. He clearly understands his subject, although that was something I expected having read a number of his posts and blogs over the years, and goes into enough considerable detail to explain why the registry is such a great source of information rather than just focusing on what can be found.

Harlan is clear about his intention not to just provide a list of registry keys that might be relevant and makes this point on a number of occasions. While I agree in principle I feel that a list, or rather an index, of keys that he does cover would have been a useful addition at the end of a book, or chapter. Such a list would make WRF a better reference source and something that you may turn to half way through an investigation when you are looking at a registry hive, have found a key but can’t remember where you saw it discussed. Of course this is less relevant with the kindle edition where you can use the search function to find the text/key you are after.

My final gripe is one that might be more relevant to me than most readers of WRF and that is a lack of a complete breakdown of the registry structure. Now not every forensic analyst delves into the internals of files the way I do but I do feel this very important and it was this coverage that I particularly wanted. Harlan does cover the basics but stops just short of the full monty, just dangling a tantalising tidbit and then failing to feed the beast. For instance in the section on “registry key cells” (I cant give a page number – another failing of the kindle format) – when discussing deleted keys he discusses the deleted size value being made positive to indicate deletion. Harlan then states that “this, along with some other checks is how deleted keys can be located” – what other checks? This is the sort of information I really wanted to see.

Harlan does provide links to some very good resources, one or two of which I was not familiar with, but I feel a forensics reference book should provide this information within its covers. It is because of the depth of information in Brian carriers “File System Forensic Analysis” that this book never makes it to my book shelf, but rather stays on my desk. I would like to have said the same about Windows Registry Analysis.

Now back to the good stuff. As someone who doesn’t get involved in incident response I found the books slant in this direction quite refreshing and this for me, along with Harlans easy writing style, made WRF one of the few forensics books I have read from cover to cover. Harlan has made an effort to make this book a general guide into why and how to do registry forensics rather than just a what to look at book and for this, despite my earlier negativity, the book is the better.

I particularly enjoyed the section on tracking USB devices, despite having used most of the techniques before it is useful to see them all in one place and there were a few bits that I thought I understood well but Harlans explanations cleared things up for me.

If you haven’t used regripper then this is also a great tutorial for this impressive (free) tool. Harlan naturally uses this set of perl programs (along with some other, mainly free, tools) that he has authored in order illustrate the relevance of certain keys. Reading WRF also serves to highlight how useful regripper and its associated plugins can be on any investigation.

If you don’t have a copy then you should, Harlans approach to registry forensics lends itself to most forensic analysis and just this insight into the mind of an acknowledged expert makes the book worth having. I would however steer clear of the Kindle version, and for that matter the overpriced Amazon printed version and wait for either a discount code or shop around and find a hard copy on one of the discounted sites i.e.

Oh and if you do get the eBook there is no mention of where to get the DVD contents – you can download this from

Submit "Windows Registry Forensics" to Digg Submit "Windows Registry Forensics" to Submit "Windows Registry Forensics" to StumbleUpon Submit "Windows Registry Forensics" to Google

Updated 15th February 2011 at 19:16 by Paul (Typos)

Tags: None Add / Edit Tags


  1. keydet89's Avatar

    Thanks for the review. I think that it's extremely useful to get not only input and insight from folks who actively work in the industry regarding the content (particularly so that others can see), but to also get their view of things such as the approach taken in writing style, etc. I've tried to get that sort of thing beforehand and it doesn't work I have to write something, get folks to purchase and read it, and then get their input/insight to use on the next project.

    I'd like to comment on some of the things you mentioned in your post. First, I agree with you regarding the quality of the my mind, many of them are simply too large in the print version of the book, and appear to be of poor quality. That's somewhat distressing, considering the work that went into the process of providing TIF format images.

    I see your point about the list of keys/values and how that might be useful, and it's something I can work toward in my next project. At the same time, I'd offer this idea to readers...take notes. If you find something of interest, put together your own list. After all, that's where many of us have started.

    As to your comment, "...then states that “this, along with some other checks is how deleted keys can be located” – what other checks?"", yes, I can see what you're saying there. I had assumed that some would be intuitively obvious...such as checking for the right signature ("nk"), a valid date, that sort of thing...but I can see how that would be something that could be missed.

    Thanks again for writing and posting your thoughts, as I greatly appreciate it.
  2. Paul's Avatar
    Thanks Harlan - My point re the deleted keys was that you dont know what you dont know. Checking for signatures is obvious, but I am still always wondering whether I am still missing something...