A couple of months ago I finished reading my first Harlan Carvey book - Windows Registry Forensics. I must say I loved it and learned a lot.
Chapter 1 - Registry Analysis - In this chapter Harlan introduces the foundations needed to build the knowledge he intends to share in the book. It goes into the Microsoft Windows Registry internal structure and basic Digital Forensics investigation principles like Locard's Exchange Principle and the Least Frequency of Occurrence.
I really liked this phrase:
Something that is very important to keep in mind when considering whether to engage in live response activities (as opposed to acquiring an image of the hard drive and conducting postmortem analysis) is that while actions do have an effect on the system (processes loaded into memory, files created on the system as a result of your actions, etc.) so does your inaction. - Harlan Carvey, Windows Registry Forensics
Chapter 2 - Processes and Tools - This chapter presents some tools we can use while diving deep into the Windows Registry. It shows the differences between registry viewing applications and registry parsers, and their pros and cons. It is in this chapter that Harlan's RegRipper application is introduced.
Chapter 3 - Analyzing the System Hives - It is in this chapter that you roll up your sleeves and start digging deep into the Microsoft Windows Registry hives. The hives in the spotlight in this chapter are Security, SAM, System, Software and AmCache. As Harlan mentions, it is not a full coverage of every useful artifact but a collection intended to introduce the reader to the theme of Windows Registry Forensics. This chapter is well written and presents the message in a very easy to digest way.
Part of computer forensic analysis is not just recognizing what is out of place or unusual; it's also recognizing when some artifact should be present, but isn't. - Harlan Carvey, Windows Registry Forensics
Chapter 4 - Case Studies: User Hives - This chapter is dedicated to the discussion of user hives, NTUSER.DAT and USRCLASS.DAT. I enjoyed learning that there is an artifact that saves the images viewed with Microsoft Windows Photos. I will surely remember that when investigating a Windows 8 system.
Chapter 5 - RegRipper - In this chapter Harlan talks about his tool RegRipper and some ways you can improve your workflow using it. He talks about creating and using profiles and plugins, and ultimately contributing to the project itself.
Closing remarks:
I really enjoyed reading this book; I feel like it improved me as a forensicator. The only complaint I have is that I found myself referencing this book more and more, and the index is too high level for me; I never got the hang of reading the remissive index.