Windows Registry Forensics
by, 15th February 2011 at 18:40
I had been waiting with some anticipation for this book. I have done a lot with the registry over the years, including writing my own registry viewer, and I was looking forward to what I was hoping would be an authoritative reference. I was both pleased with what I got and a little disappointed.
I wanted to get the paper version but was too impatient to wait until it was released over on this side of the pond so I decided it was time to try a digital book.
To be fair, most of my disappointment was with the format of the book; by that I obviously mean Kindle. I much prefer a proper paper book: I like to thumb through them, bookmark pages and flick back and forth, and not least I like a good selection of books. While the Kindle does allow you to bookmark pages, add notes and search, I still prefer the traditional paper approach. My main grief with the Kindle format of this book, though, is the quality of the graphics. Some of them, even when ‘zoomed in’, are of too poor a quality to read the different registry keys that were being depicted, something I expect would not be an issue with the paper version.
On to the content, which is why I bought the book in the first place. Harlan has an excellent writing style which I found engages the reader and makes what could be a dull subject about as interesting as it could get. He clearly understands his subject, although that was something I expected having read a number of his posts and blogs over the years, and goes into considerable detail to explain why the registry is such a great source of information rather than just focusing on what can be found.
Harlan is clear about his intention not to just provide a list of registry keys that might be relevant and makes this point on a number of occasions. While I agree in principle, I feel that a list, or rather an index, of the keys he does cover would have been a useful addition at the end of the book, or chapter. Such a list would make WRF a better reference source and something that you may turn to halfway through an investigation when you are looking at a registry hive, have found a key but can’t remember where you saw it discussed. Of course this is less relevant with the Kindle edition, where you can use the search function to find the text/key you are after.
My final gripe is one that might be more relevant to me than most readers of WRF, and that is the lack of a complete breakdown of the registry structure. Now not every forensic analyst delves into the internals of files the way I do, but I do feel this is very important and it was this coverage that I particularly wanted. Harlan does cover the basics but stops just short of the full monty, just dangling a tantalising tidbit and then failing to feed the beast. For instance, in the section on “registry key cells” (I can't give a page number – another failing of the Kindle format) – when discussing deleted keys he discusses the deleted key's size value being made positive to indicate deletion. Harlan then states that “this, along with some other checks is how deleted keys can be located” – what other checks? This is the sort of information I really wanted to see.
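The size-sign rule mentioned above, as an added example that is not code from the book or from this review: a small Python walker over a constructed hbin block that treats a positive cell size as free and a negative one as allocated. The extra filter it applies (keeping only free cells whose data still starts with an 'nk' key-node signature) is my own assumption about a useful sanity check, not one of the “other checks” the book alludes to.

```python
import struct

HBIN_HEADER_LEN = 0x20  # an hbin header is 32 bytes; the first cell follows it


def build_hbin(cells):
    """Assemble a constructed hbin from (signed_size, payload) pairs.
    Test fixture only, not real hive data. The size field is stored as given
    (negative = allocated, positive = free); payloads are zero-padded."""
    body = b""
    for size, payload in cells:
        body += struct.pack("<i", size) + payload.ljust(abs(size) - 4, b"\x00")
    total = HBIN_HEADER_LEN + len(body)
    # "hbin", offset from first hbin, block size, then 20 bytes of reserved,
    # timestamp and spare fields that this walker does not need
    return b"hbin" + struct.pack("<II", 0, total) + b"\x00" * 20 + body


def walk_cells(hbin):
    """Yield (offset, size, allocated, payload) for every cell in one hbin.
    A cell starts with a signed 32-bit size: negative while in use, positive
    once freed, which is the tell the review refers to for deleted keys."""
    if hbin[:4] != b"hbin":
        raise ValueError("not an hbin block")
    # Bound by the buffer too, so a truncated image cannot yield partial cells
    hbin_size = min(struct.unpack_from("<I", hbin, 8)[0], len(hbin))
    pos = HBIN_HEADER_LEN
    while pos + 4 <= hbin_size:
        (size,) = struct.unpack_from("<i", hbin, pos)
        length = abs(size)
        # Sizes are 8-byte aligned; reject anything that would run past the
        # block rather than read garbage from a corrupt hbin
        if length < 8 or length % 8 or pos + length > hbin_size:
            break
        yield pos, size, size < 0, hbin[pos + 4:pos + length]
        pos += length


def deleted_key_candidates(hbin):
    """Offsets of free cells whose data still carries the 'nk' signature
    (assumed extra filter; the sign check alone also flags freed value cells)."""
    return [off for off, _, allocated, payload in walk_cells(hbin)
            if not allocated and payload[:2] == b"nk"]


# Constructed sample: live key, deleted key, freed value cell, live value cell
SAMPLE_HBIN = build_hbin([
    (-0x20, b"nk" + struct.pack("<H", 0x20) + b"Software"),  # allocated key node
    (0x20, b"nk" + struct.pack("<H", 0x20) + b"OldKey"),     # freed key node
    (0x20, b"vk\x00\x00"),                                    # freed value cell
    (-0x18, b"vk\x00\x00"),                                   # allocated value
])
```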
Harlan does provide links to some very good resources, one or two of which I was not familiar with, but I feel a forensics reference book should provide this information within its covers. It is because of the depth of information in Brian Carrier's “File System Forensic Analysis” that this book never makes it to my bookshelf, but rather stays on my desk. I would like to have said the same about Windows Registry Analysis.
Now back to the good stuff. As someone who doesn’t get involved in incident response I found the book's slant in this direction quite refreshing, and this for me, along with Harlan's easy writing style, made WRF one of the few forensics books I have read from cover to cover. Harlan has made an effort to make this book a general guide into why and how to do registry forensics rather than just a ‘what to look at’ book and for this, despite my earlier negativity, the book is the better.
I particularly enjoyed the section on tracking USB devices. Despite having used most of the techniques before, it is useful to see them all in one place, and there were a few bits that I thought I understood well but Harlan's explanations cleared things up for me.
If you haven’t used RegRipper then this is also a great tutorial for this impressive (free) tool. Harlan naturally uses this set of Perl programs (along with some other, mainly free, tools) that he has authored in order to illustrate the relevance of certain keys. Reading WRF also serves to highlight how useful RegRipper and its associated plugins can be on any investigation.
If you don’t have a copy then you should: Harlan's approach to registry forensics lends itself to most forensic analysis, and just this insight into the mind of an acknowledged expert makes the book worth having. I would however steer clear of the Kindle version, and for that matter the overpriced Amazon printed version, and either wait for a discount code or shop around and find a hard copy on one of the discounted sites, i.e. http://www.computermanuals.co.uk/scr...asp?ref=217362
Oh, and if you do get the eBook, there is no mention of where to get the DVD contents – you can download these from http://code.google.com/p/winforensic...downloads/list