Review of Windows Forensic Analysis 4th Edition
Sunday, June 15, 2014
About a month ago I finished reading Windows Forensic Analysis 4th Edition by Harlan Carvey. Due to personal obligations I was unable to post my WFA 4/e review until now. All in all, the 4th edition is a good update to the Windows Forensic Analysis series.
It's an Update and Not a Companion Book
I think it is necessary to first address the expectations for WFA 4/e. In my Review of Windows Forensic Analysis 3rd Edition I mentioned "at first I was worried about reading the same information I read in Windows Forensic Analysis 2nd Edition or Windows Registry Forensics but my worries were unfounded. The author has said numerous times WFA 3/e is not a rewrite of his other books and is a companion book." In the WFA series, Syngress has kept the same title and just increased the edition number. In a way, this can have an impact on people's expectations. WFA third edition was a complete rewrite of the second edition. This meant the books were complementary and the third edition didn't contain any of the previous material from the second. I can see how this can create an expectation that each new edition will follow the same path. However, this is not how newer editions are typically done, since they usually contain updated material and are not complete rewrites. WFA 4/e is not a complete rewrite, but it does contain some great updated content. This review is focused on the updated content since I already discussed some of the material in my WFA 3/e review.
Don’t Overlook the Materials Accompanying the Book
There are very few DFIR authors who not only produce content outlining processes and artifacts but also create and release the tools needed to carry out the process they describe. Most of the DFIR authors I've read (including training content authors) usually point people to tools created by others. They don't provide tools of their own or source code to help you better understand how artifacts are parsed. When reviewing a DFIR book it's necessary to take into consideration the book as a whole, including the materials provided with it. This is one area where I think Harlan excels and it's something I've always liked about his work. The material for his books contains a wealth of resources, from cheat sheets to open source tools to explanations of how to do something.
Along with WFA 4/e Harlan provided new and updated material to accompany the book. One of the more notable mentions is the new plug-ins for RegRipper (link to most recent version at time of this post). Seriously, there are so many updates that you'll really need to read the updates.txt file he provides. Some plug-ins were updated to support Wow6432Node, others had alerts added, and there are a bunch of new plug-ins. Besides RegRipper there are tools (and source code) to parse the RecentFileCache.bcf, index.dat, and $UsnJrnl, to name a few.
It's not always about the tools either. In the Chapter 5 folder there is a file called usbdev.pdf. This document outlines Windows 7 USB device analysis, including which RegRipper plug-ins pull what, how various registry values tie together, and other information needed to perform this analysis. The Chapter 9 folder contains even more documents related to report writing. Hands down, the material provided with the book is outstanding.
Tying Things Together
One of the updates to this edition is two new chapters that tie things together. First is Chapter 8 Correlating Artifacts, while the second is Chapter 9 Reporting. To be successful in DFIR one needs to be able to tie information together from different sources to answer the questions presented to them. This is why I really like these new chapters. Throughout the book Harlan discusses the significance of various Windows artifacts and clearly explains how those artifacts can help a case. However, the artifacts are discussed individually to make them easier to understand. The Correlating Artifacts chapter is where things are tied together. Various artifacts are brought together to illustrate how the information they contain can help address certain questions. The sample questions addressed are ones commonly encountered on various types of cases, such as: correlating Windows shortcuts to USB devices, detecting system time changes, and determining data exfiltration. Again, the ability to take the information contained in different artifacts and make sense of it is really what we do in DFIR. The information was laid out in a clear manner and followed up with how to communicate your findings in reporting.
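One concrete instance of the shortcut-to-USB correlation mentioned above, as an added example that is not code from the book or from Harlan's tools: a Windows shortcut (.lnk) records the DriveSerialNumber and DriveType of the volume its target lived on, while the ReadyBoost key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt names each tested device with its USBSTOR instance, volume label and, after the final underscore, the same volume serial number written in decimal. Converting the hex serial from the shortcut and matching it against the decimal suffix bridges the two artifacts. All shortcut values, device serials and key names below are constructed sample data, and the key-name layout the regex assumes is the `_??_USBSTOR#<device>#<serial>&0#{GUID}<label>_<volume serial>` form.

```python
import re

# Constructed sample input (not data from the book): the volume information
# that a .lnk parser recovers from each shortcut's LinkInfo VolumeID. The
# DriveSerialNumber is a 32-bit value conventionally displayed as XXXX-XXXX.
LNK_VOLUMES = [
    {"lnk": "budget.xlsx.lnk", "drive_type": "DRIVE_REMOVABLE", "serial_hex": "1A2B-3C4D"},
    {"lnk": "photo.jpg.lnk",   "drive_type": "DRIVE_REMOVABLE", "serial_hex": "DEAD-BEEF"},
    {"lnk": "report.docx.lnk", "drive_type": "DRIVE_FIXED",     "serial_hex": "9E5B-0A1C"},
    {"lnk": "old.txt.lnk",     "drive_type": "DRIVE_REMOVABLE", "serial_hex": "0000-1111"},
]

# Constructed subkey names in the style of EMDMgmt. The {53f56307-...} GUID is
# the disk device interface class; the device serials and labels are made up.
EMDMGMT_KEYS = [
    "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#ABC123456789&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}KINGSTON_439041101",
    "_??_USBSTOR#Disk&Ven_Generic&Prod_USB_Drive&Rev_1.00#0019E0000001&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}DATA_3735928559",
    "_??_USBSTOR#Disk&Ven_Generic&Prod_USB_Drive&Rev_1.00#0019E0000002&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}BACKUP_1234567890",
]

# Assumed key-name layout: USBSTOR device instance, then the device serial
# (with an "&0" instance suffix), the interface GUID, the volume label and,
# after the last underscore, the volume serial number in decimal.
EMDMGMT_RE = re.compile(
    r"^_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<devserial>[^#&]+)(?:&\d+)?#"
    r"\{[0-9A-Fa-f-]+\}(?P<label>.*?)_(?P<volserial>\d+)$"
)


def parse_emdmgmt_key(name):
    """Split one EMDMgmt subkey name into its fields; None if it is not a
    USBSTOR entry in the expected layout."""
    m = EMDMGMT_RE.match(name)
    if not m:
        return None
    return {
        "device": m.group("device"),
        "device_serial": m.group("devserial"),
        "volume_label": m.group("label"),
        "volume_serial": int(m.group("volserial")),
    }


def lnk_serial_to_int(serial_hex):
    """Turn a DriveSerialNumber shown as XXXX-XXXX into the integer that
    EMDMgmt writes in decimal at the end of the key name."""
    return int(serial_hex.replace("-", ""), 16)


def correlate(lnk_volumes, emdmgmt_keys):
    """Return, for every shortcut whose target lived on a removable volume,
    the USB device(s) EMDMgmt recorded under that volume serial number."""
    by_serial = {}
    for name in emdmgmt_keys:
        entry = parse_emdmgmt_key(name)
        if entry is not None:
            by_serial.setdefault(entry["volume_serial"], []).append(entry)

    matches = []
    for vol in lnk_volumes:
        # Fixed disks also have volume serials; only removable targets are
        # candidates for a USB device match.
        if vol["drive_type"] != "DRIVE_REMOVABLE":
            continue
        for entry in by_serial.get(lnk_serial_to_int(vol["serial_hex"]), []):
            matches.append({
                "lnk": vol["lnk"],
                "volume_serial_hex": vol["serial_hex"],
                "volume_label": entry["volume_label"],
                "device": entry["device"],
                "device_serial": entry["device_serial"],
            })
    return matches


if __name__ == "__main__":
    for m in correlate(LNK_VOLUMES, EMDMGMT_KEYS):
        print("%(lnk)s -> volume %(volume_serial_hex)s (%(volume_label)s) on "
              "%(device)s serial %(device_serial)s" % m)
```

The device serial that comes out of the match is the USBSTOR instance ID, which is what you would then look up under SYSTEM\ControlSet00x\Enum\USBSTOR and the matching entries under MountedDevices and the user's MountPoints2. Two caveats a practitioner should keep in mind: EMDMgmt is only populated for devices ReadyBoost actually tested (a system whose boot volume is an SSD may have little or nothing there), and a volume serial number changes when the device is reformatted, so a shortcut can legitimately fail to match a device that is otherwise known to the system.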
Overall Thoughts
As I said before, all in all the 4th edition is a good update to the Windows Forensic Analysis series. There are updates throughout the book, including some Windows 8 artifacts, and the back end of the book is completely new content. The book materials are loaded with new goodies. Personally, I tend to shy away from purchasing updated editions that contain the same material as the previous edition with updates. However, I took a chance with WFA 4/e (based on who the author is) and I wasn't disappointed with my purchase.
Corey,
Thanks for purchasing the book, and thanks for taking the time to go through it, and to post a review!
Tend to completely agree with your review of the content.
My issue with this 4th edition is with the title and description.
Let's look at the title. "Advanced Analysis Techniques for Windows 8" which is unfortunate as the first mention of any Windows 8 artifact is on page 73 of a book that touts itself as Advanced and focused on Windows 8.
Simply said -- the title of a book is misleading compared to the content.
Even the description states "Harlan Carvey has updated Windows Forensic Analysis Toolkit, now in its fourth edition, to cover Windows 8 systems. The primary focus of this edition is on analyzing Windows 8 systems and processes using free and open-source tools."
If the book was simply titled "Windows Forensic Analysis - 4th Edition" And simply updated as your review states, it IS a 5 star book.
The average forensicator hoping for the book captured by the title and description, would be disappointed. It is about setting expectations BEFORE someone buys a book.
"...the first mention of any Windows 8 artifact is on page 73 ..."
True, but I'm not clear on how that's "unfortunate", Rob. The first chapter is on analysis concepts, and the second chapter is on incident preparation, both of which are independent of the version of Windows, as well as of the operating system itself.
What you state as the "first mention of any Windows 8 artifact" is correct...it is the first mention. I'm not aware of any location prior to that in the book where it could have been mentioned...sorry. As you progress from chapter 3 into chapter 4, many of the artifacts found on Windows 7 systems are identical, or very nearly so, to those found on Windows 8 systems...including Windows Event Logs (in format), Jump Lists, shortcuts, etc. The same is true as you move into chapter 5, as well.
I get that the issue you have is with the title...I completely understand that.
That issue aside, do you have any comments or thoughts specifically regarding the content? I'd greatly appreciate your thoughts, and would like to address them, should the publisher want a future edition, or even just an update.
Thanks.
First of all -- Harlan -- as you know I am a big fan of your research, books, and work. I have written and endorsed many reviews that are glowing of your work. Don't take my criticism of the book title and description as an attack, but one trying to make sure that your publisher isn't pushing you in directions in order to quickly sell a book.
To that end -- Do you feel that the book description is accurate? The publisher's book description states the PRIMARY focus of your book as "The primary focus of this edition is on analyzing Windows 8 systems."
As for a starting list of suggested additional Windows 8 content that I would likely start with:
• IE 10 and 11
• Extensible Storage Engine format
• OneDrive (SkyDrive) integration into the OS
• Syncing of application information across different devices (Chrome, Firefox, Desktop Settings etc.)
• Metro Apps
I know that a lot of research is still being done on many of these thus why I would have held back on the "Advanced Analysis for Windows 8" title and description until we have a book that is truly in-depth.
Finally -- I do not know or understand the pressure any author or you must feel or have from a publisher wanting each title to be the next "Hacking Exposed." So I have no idea the discussions had between you and the publisher, but something clearly didn't align. Maybe share this feedback with the publisher in the future to give you a little more room to navigate.
Also -- perhaps simply call the book series "Windows Forensic Analysis" and describe the book as one of the most complete books on how to analyze Windows systems in general regardless of version -- this book would have been a 5 star book then.
This book is overpriced. Skip it and buy a used copy of 2E/3E. After you read 2E and 3E hop online and Google, "Windows 8 Forensics". You're likely to get much more than what the title of the book promises (for free).
Updates shouldn't contain copy/pastes from prior editions and if it talks about Windows 8 forensics it should be chock full of it. Again, not copy/pastes from prior editions.
If there was a refund button I would have used it.