The first few chapters define the scope of the book and establish a framework for the rest of the information. Chapters four and five provide a more detailed view of incident response and spell out a variety of techniques and methods to use built-in features of the Windows operating system to prevent attacks.
Carvey walks the reader through an array of tools and utilities that can be used to collect forensic evidence. He describes what he feels are the pros and cons of each and provides a number of URLs so the reader can find the tools and do their own testing to find out which ones work for them.
In chapter 7, Carvey tells you how to look under the hood and see what makes Windows tick. He explains where to look in Windows for forensic evidence, explaining the files and folders that typically give away an attack, and the tools and methods to detect it.
The final chapters discuss Carvey's Forensic Server Project (FSP), different scanners and sniffers, and how to use Perl, Carvey's scripting language of choice, in a Windows environment.
I asked Carvey at the time if there were a book I could get that would help me learn that stuff and he told me that he didn't want to be cocky per se, but that there really wasn't and that I would have to wait until his book came out. Now that I have it I think I would have to agree.
There are plenty of great books on computer forensics available, but none that go into the depth that Carvey does on the Windows operating system itself. The information he provides regarding how and where Windows hides information is invaluable for finding and recovering from an attack.
Carvey makes extensive use of Perl rather than the native Windows Scripting Host (WSH), and he explains that Perl is vastly more flexible and powerful than what Windows has to offer. He provides details on how to install it, and the scripts from the book are on the accompanying CD.
I highly recommend this book for ALL Windows system administrators and anyone who investigates incidents on Windows systems.