Windows Forensics: The Field Guide for Corporate Computer Investigations Review
Posted by
Pearlene McKinley
on 11/08/2012
/
Labels:
computer forensics,
computer investigations,
forensics
Average Reviews:
(More customer reviews)I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WA. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.
In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried to not let those facts sway my reviews.
WF is a great guide to forensic investigation of Windows. By this I mean WF presents Windows from the perspective of the important directories, files, and registry entries that help an analyst discover malfeasance. WF also covers some of the core applications one would expect to review during host-based forensics, like email, Web browsing history, and P2P application usage. I expected coverage of popular Windows application formats relevant to investigations, like .doc, .ppt, and .xls, but those were missing.
WF addresses the core operational aspects of host-centric forensics, like forming a team and acquiring evidence from live and dead targets. I did not think these sections were as good as material from what I consider the book best suited for all-around hands-on forensic use -- "Incident Response: Computer Forensics, 2nd Ed" by Mandia, Prosise, and Pepe. Live response is one area where I thought WF didn't shine too brightly. I did like the frequent mini-case studies which shared stories from the author's investigative experiences.
A few other aspects of WF resulted in me offering a four star review. I thought the discussion of "vampire taps" on p 157 revealed a real lack of contact with modern network monitoring methods. I don't know anyone who uses or recommends such a contraption in an era of network taps. I continue to question the need to build so-called "sniffing cables," especially when proper interface configuration serves the same purpose. Furthermore, a remotely managed sensor will not be able to hide its traffic on the network anyway, so savvy intruders can usually find them (unless a completely separate management network is run out-of-band). "Chapter 7" was also way too short -- 2 pages!
Although I liked the case studies, I thought there were far too many "gray box" entries. These contain useful hints, but their frequent appearance sometimes interrupted flow of the book. This indicates a need for better organization. Finally, I felt the recent Syngress book "Winternals" did a decent job explaining how to analyze malware, rootkits, and rogue processes on Windows. WF didn't explore this key aspect of Windows incident response.
Overall, however, I would recommend reading WF if you need to understand data sources from Windows systems. I suggest concentrating on the sections that explain where you'll find quality information on Windows, and rely on other sources for generic forensics guidance. I could see readers using WF as a primer for learning about key Windows artifacts, then searching for them in the image files in "Real Digital Forensics."
Click Here to see more reviews about: Windows Forensics: The Field Guide for Corporate Computer Investigations
The evidence is in--to solve Windows crime, you need Windows toolsAn arcane pursuit a decade ago, forensic science today is a household term. And while the computer forensic analyst may not lead as exciting a life as TV's CSIs do, he or she relies just as heavily on scientific principles and just as surely solves crime.Whether you are contemplating a career in this growing field or are already an analyst in a Unix/Linux environment, this book prepares you to combat computer crime in the Windows world. Here are the tools to help you recover sabotaged files, track down the source of threatening e-mails, investigate industrial espionage, and expose computer criminals.* Identify evidence of fraud, electronic theft, and employee Internet abuse* Investigate crime related to instant messaging, Lotus Notes(r), and increasingly popular browsers such as Firefox(r)* Learn what it takes to become a computer forensics analyst* Take advantage of sample forms and layouts as well as case studies* Protect the integrity of evidence* Compile a forensic response toolkit* Assess and analyze damage from computer crime and process the crime scene* Develop a structure for effectively conducting investigations* Discover how to locate evidence in the Windows Registry
0 comments:
Post a Comment