I had read WFA 2/e a while back and just kept forgetting to post a review. Well, the wait is over.
One caveat though… I have not read WFA 1/e, so I cannot compare what differences may exist between the two books. With that said, read on…
Traditional Digital Forensics methodology was to pull the plug from the back of a PC and conduct a “Dead Box” examination. Chapter 1 covers Live Response to a scene, where that thought process may not be the best course of action anymore. It also covers what evidence in memory to collect first before it disappears (volatile data), as well as analyzing that data using the command line.
Chapter 2 (Data Analysis) essentially guides you into taking data that you collected during your Live Response and understanding what it is telling you. Harlan points out that a lot of times “unusual” or “suspicious activity” that an examiner is seeing is due to their lack of familiarity with how the system operates.
Chapter 3 takes the reader through the tools, such as win32dd & Memoryze, and the techniques for conducting an analysis of physical memory (RAM). He also details examining the hibernation file as part of memory analysis. For an investigation where the responder/examiner was unable to get a “memory dump” from the system prior to shutdown (see the “Dead Box” exam reference above), this can be a good source of information (That’s right, I am looking at you, fellow LEOs out there).
Moving on, Chapter 4 covers Registry Analysis. Harlan breaks down the structure of the Registry hive files and what information is contained within those files for the reader. It also introduces the reader to Registry analysis using tools that Harlan wrote: RegRipper and Rip/RipXP. Also of note in this chapter is the tracking of USB devices and user activity.
File Analysis is up in Chapter 5. This chapter is very useful if you are an incident responder. Harlan discusses the use and understanding of event logs, as well as helping you understand how timestamps for files are modified. The examination of the Recycle Bin, as well as Restore Points and Volume Shadow Copies, is discussed also.
Chapter 6 goes into static & dynamic analysis of suspicious files, as well as the need to conduct them in a virtualized environment or on a stand-alone workstation. You wouldn’t want to conduct an analysis of a possibly malicious file on a production system and risk infecting “mission critical” systems. Also covered is the use of tools like RegShot, Process Monitor and File Monitor for file analysis (as well as others). The static and dynamic file analysis portion of this chapter reminded me of Day 1 of the SANS Reverse Engineering Malware course, where these techniques are fleshed out in more detail. This part of the chapter is a good start for an examiner who has not been able to attend that course.
Chapter 7 defines rootkits, the dangers that they pose to a system, and various software solutions to detect & eliminate them.
Chapter 8 essentially goes on to bring everything together that you learned in the previous chapters through the use of case studies. In my opinion, chapters like this one are crucial, as they give the reader/examiner another perspective from which to conduct or fine-tune their own exams through the experience of another (the author).
Chapter 9 ends this book with Reporting and Tools. Reporting is crucial to any investigation. If you cannot convey the steps that you took during an investigation to someone who does not have a technical background, it could lead to less than desirable results. Just imagine testifying in a court proceeding: if you fail to explain (in a human-understandable way) what you did to the housewife, plumber, librarian (you get the point) sitting on the jury, you may harm the prosecutor’s/defense attorney’s case. You may also harm your credibility, for that matter. The tools listed in this chapter are freely available to use. I’m sure Harlan didn’t have the budget to grab copies of commercially available tools. Remember, the free tools are just as good as the commercial ones if you take the time to learn how to use them.
This book is a wonderful resource for any forensic examiner to have on their bookshelf. Thanks to Harlan for writing this for the Digital Forensics community. I know a lot of time & research must go into writing a book such as this and there isn’t a ton of money to be made from it.
I look forward to WFA 3/e and its coverage of the Windows 7 operating system.
Joe