
Book review of Windows Forensics and Incident Recovery

Harlan Carvey Provides Expert Guidance In Windows Security

About.com Rating: 4.5 stars


Windows Forensics and Incident Recovery by Harlan Carvey from Addison Wesley

Harlan Carvey is a Windows security instructor who created his own two-day, hands-on course in Windows incident response and forensic investigation. This book shares some of Carvey's extensive knowledge and expertise in recognizing and responding to attacks on Windows systems, written in relatively plain English and aimed at Windows system administrators. A CD is also included, containing a variety of tools, among them the Perl scripts described throughout the book.

The Book

The book is laid out nicely, moving from basics to more advanced topics in a way that allows the reader to keep up.

The first few chapters define the scope of the book and establish a framework for the rest of the information. Chapters four and five provide a more detailed view of incident response and spell out a variety of techniques and methods that use built-in features of the Windows operating system to prevent attacks.

Carvey walks the reader through an array of tools and utilities that can be used to collect forensic evidence. He describes what he feels are the pros and cons of each and provides a number of URLs so the reader can find the tools and do their own testing to find out which ones work for them.

In chapter 7, Carvey shows you how to look under the hood and see what makes Windows tick. He explains where to look in Windows for forensic evidence, describing the files and folders that typically give away an attack, and the tools and methods used to detect it.

The final chapters discuss Carvey's Forensic Server Project (FSP), different scanners and sniffers, and how to use Perl, Carvey's scripting language of choice, in a Windows environment.

My Review

About a year ago I was investigating a system to try and determine if it was attacked, as well as when and how if it had been. I wrote for help to a list that I am on and Harlan Carvey responded with detailed and useful information that helped me out.

I asked Carvey at the time if there were a book I could get that would help me learn that stuff and he told me that he didn't want to be cocky per se, but that there really wasn't and that I would have to wait until his book came out. Now that I have it I think I would have to agree.

There are plenty of great books on computer forensics available, but none that go into the depth that Carvey does on the Windows operating system itself. The information he provides regarding how and where Windows hides information is invaluable for finding and recovering from an attack.

Carvey makes extensive use of Perl rather than the native Windows Scripting Host (WSH), and he explains that Perl is vastly more flexible and powerful than what Windows has to offer. He provides details on how to install it, and the scripts from the book are on the accompanying CD.

I highly recommend this book for ALL Windows system administrators and anyone who investigates incidents on Windows systems.

©2014 About.com. All rights reserved.