Saturday, June 23, 2007

Review - Windows Forensic Analysis

I was doing some thinking lately and I realized that there's something commonly missing from our field - Reviews. (surprise!)

Not just peer reviews but reviews of tools and books on the subject of forensics. As such I think I'm going to start adding reviews to this blog. You won't see me adding "stars" to the reviews as I don't put much value in this type of rating. Rather I'll be rating the books/tools on how useful they are and have been to me.

Up first is my most recent read: Windows Forensic Analysis by Harlan Carvey. I own both of Harlan's books, and having participated in a number of the same venues as Harlan for a few years - and seen where his research was going - I was really anticipating this new addition to my bookshelf.

The book begins with some of my favorite subjects, such as live response collection and analysis. These chapters pick up where I believe Harlan left off with his first book on the subject of Windows Incident Response. I probably won't do this type of review very often, since many books contain too many chapters; however, with 7 chapters this book was digestible, and I think a chapter-by-chapter highlight review works.

Chapter 1: Live Response - Data Collection.

This chapter provides some great insight into the mind of the Incident Responder and the focal points of a live response: what to collect, what not to collect, suggestions on how to collect, common tools along with their usage and output, and my personal favorite - an introduction to methodology. This is something that's missing from a lot of other books: useful methods that provide guidance.

Chapter 2: Live Response - Data Analysis.

Of all of the great chapters in the book, I was perhaps the most disappointed by this chapter. It's one of the shortest in the book and doesn't cover much in the way of analysis. I would have loved to see a scenario where multiple disparate volatile data sources are pulled together to reconstruct the events.

Chapter 3: Memory Analysis

This chapter was one of the better, more informative chapters of the book. Memory analysis is relatively new (just 2 years), and Harlan does a fantastic job of detailing the intricacies of how processes and threads are structured and created, and how to collect this information and present it in a usable format.

Chapter 4: Registry Analysis

Troy Larson was telling the truth. I've already referred to this chapter a few times.

Chapter 5: File Analysis

This chapter, like the book as a whole, fills several important gaps in what's currently "out there". The event log detail and analysis is second to none, and I've also used this as a reference a few times already.

Chapter 6: Executable File Analysis

I enjoyed this chapter because it included PE header analysis. While there are several books and papers on this subject, Harlan details import and export tables, which you don't see elsewhere.

Chapter 7: Rootkit detection

This is another short chapter but it includes a variety of tools that are used in rootkit detection, some of which I hadn't come across.

Did I mention that Harlan writes some of the best and most useful scripts around? The DVD is full to the brim with scripts to collect and analyze all types of data. I've used several of these scripts already in my day to day operations and in my honeynet.

Final notes:
This book fills a very important gap on the subject of forensics. Harlan manages to cover topics that I've not seen elsewhere, and he's included relevant and accurate information based on a lot of research and practical experience. This book is a strong, really useful reference, and it belongs on your shelf within easy grasp. Even though it's new, I've already used it several times as a reference.
Favorite Chapters: 1,3,4,5,6


Keydet89 said...


Thanks for the review!

...I was perhaps the most disappointed by this chapter

Sorry about that. Do you have an example of what it is you're looking for? For example, when you say, ...where multiple disparate volatile data sources are pulled together..., do you have some thoughts on an example or two?



hogfly said...

I wouldn't be sorry. The book was great.
I can't give a specific example, but something to the effect of taking what you talked about in chapter 1 - using tools XYZ to collect information about the system (who's logged on, what services are running, what ports are open, etc.) - and then painting a more complete picture of the event. Even if you just took the example of using FRUC/FSP and used data from every collection point you list on p.68 in the analysis example, it would have been more complete.
You sort of do this, but you only use process information and some netstat output.

I guess what I'm saying is that you had an awesome first chapter, and it would have been really nice to see that information applied in the second.
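The kind of cross-source analysis the comment above asks for can be shown with a small script. This is an added example and is not code from the book, its DVD, or either commenter: it joins two of the live-response data points mentioned (the process list and the open ports) on PID, so that every socket is attributed to an image name and any connection whose PID has no process entry is surfaced for follow-up. The `tasklist` and `netstat -ano` text below is constructed sample output in the shape those tools print, not a real capture.

```python
"""Correlate volatile data collected during a Windows live response.

Added example: joins constructed `tasklist` and `netstat -ano` output
on PID. A connection whose PID does not appear in the process list is
reported separately, since a socket with no visible owner is exactly
the sort of discrepancy an analyst wants to notice.
"""
import re

# Constructed sample modelled on `tasklist` output (not a real capture).
TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    812 Console                    0      4,512 K
lsass.exe                      620 Console                    0      1,380 K
notepad.exe                   1624 Console                    0      3,100 K
"""

# Constructed sample modelled on `netstat -ano` output (not a real capture).
# PID 2200 deliberately has no matching process entry.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2200
  TCP    192.168.1.5:1034       203.0.113.9:80         ESTABLISHED     1624
  UDP    0.0.0.0:500            *:*                                    620
"""

# Data rows of `netstat -ano`; the State column is absent for UDP.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_tasklist(text):
    """Return {pid: image name}. The image name may contain spaces, so the
    row is split from the right: pid, session name, session#, mem, 'K'."""
    procs = {}
    for line in text.splitlines()[2:]:  # skip the header and separator rows
        parts = line.rsplit(None, 5)
        if len(parts) == 6:
            procs[int(parts[1])] = parts[0]
    return procs


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state or "", "pid": int(pid)})
    return conns


def correlate(procs, conns):
    """Attach each connection to its owning process; return (picture, orphans)."""
    picture = {pid: {"image": name, "connections": []} for pid, name in procs.items()}
    orphans = []
    for c in conns:
        if c["pid"] in picture:
            picture[c["pid"]]["connections"].append(c)
        else:
            orphans.append(c)  # socket with no process entry to explain it
    return picture, orphans


def listening_ports(picture):
    """Map each attributed listening port to the image that owns it."""
    owners = {}
    for info in picture.values():
        for c in info["connections"]:
            if c["state"] == "LISTENING":
                owners[int(c["local"].rsplit(":", 1)[1])] = info["image"]
    return owners


def build_picture(tasklist_text=TASKLIST_OUTPUT, netstat_text=NETSTAT_OUTPUT):
    return correlate(parse_tasklist(tasklist_text), parse_netstat(netstat_text))


if __name__ == "__main__":
    picture, orphans = build_picture()
    for pid, info in sorted(picture.items()):
        for c in info["connections"]:
            print(f"{info['image']:20} pid={pid:<5} {c['proto']} "
                  f"{c['local']} -> {c['foreign']} {c['state']}")
    for c in orphans:
        print(f"UNATTRIBUTED pid={c['pid']} {c['proto']} {c['local']} "
              f"{c['state']} (no tasklist entry)")
```

Run as-is it prints one line per attributed socket and flags the listener on port 4444, whose PID 2200 is absent from the process list. The same join extends naturally to the other collection points the comment lists (logged-on users, services), each keyed on whatever field the tool shares with the process list.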

Keydet89 said...

...can't give a specific example...


I guess sometimes one simply doesn't need all of the data points...

Again, sorry to disappoint.

hogfly said...

Oh come on, that's taking my comment out of context. I said a lot more than that. I can't give a specific scenario at this time, but I'd be happy to contribute one if you gave me parameters of what you need.

Keydet89 said...

that's taking my comment out of context. I said a lot more than that.

Right, I'll give you that, but you did say, "...I was perhaps the most disappointed by this chapter."

I'm not sure how to take that out of context, particularly after you said *why* you were disappointed.

I can't give a specific scenario at this time, but I'd be happy to contribute one if you gave me parameters of what you need.

I think it's kind of interesting that you feel the way you do about the second chapter, and yet you seem to be having the same trouble I do in pulling together those multiple disparate volatile data sources to reconstruct events, in a way that's understandable and usable to the reader.

One of the challenges I've run into with the information in the book is that when I provide training based on the contents of the book, many folks find it over their heads...their words, not mine. I've had folks tell me, "...this is great info, but it's not like we've ever done or ever will do it."

Another issue is that in many cases those multiple disparate data sources simply may not be can get from point A to point B with a minimal set.

Also, I think the book itself serves as a great set of parameters.