BOOK REVIEW
Network Security

Windows Forensic Analysis Toolkit
Harlan Carvey. Third edition, published by Syngress (ISBN: 978-1-59749-727-5). Price: $69.95, 272 pages, paperback.

This is the third edition of this book, now updated to encompass Windows 7. In fact, calling it a third edition is slightly misleading. Rather than simply updating the second edition, author Harlan Carvey says he decided to start afresh, writing this version from scratch in order to focus entirely on Windows 7. If your interest extends to earlier versions of Windows, particularly XP, you’ll also want to get the second edition.

There are other reasons for wanting both editions. Carvey explains that some subjects, such as memory analysis, are not fully covered in this newer title because they are already covered in depth in the earlier edition. In that specific case, you’re told how to collect the memory data you need under Windows 7, but the job of analysing it hasn’t changed so there is little point in repeating the material. This approach has two effects: if you want to cover Windows forensics in proper depth, you’re definitely going to need both editions. At the same time, by not covering the same ground twice Carvey has given himself lots of room in the new book to really go into detail on the specifics of Windows 7.

So, what ground does he cover? Those who like to roll up their sleeves and start hacking away will have to delay their gratification just a little. The book starts at a conceptual level, because Carvey believes it’s important to understand the ‘why’ of what you’re doing as much as the ‘how’. This, he says, helps when things don’t go quite according to plan. There are tools and procedures in forensics that will produce predictable results every time, but equally you will encounter systems and situations that aren’t covered by the manuals. This is when you need to have a conceptual grasp of what you’re doing so you can improvise tactics for getting to the information you need in a safe and legally valid way.

Some of the principles he covers are very much about attitude – for example, being strict about documenting only what you find, rather than what you think you’ve found. Speculation is not part of a forensic analyst’s work, he insists. Other principles are to do with procedure – such as emphasising process over tools, which means you are not constrained by what your main toolset gives you but will have the flexibility of thought to switch tools as appropriate.

Carvey also briefly outlines setting up an analysis system. While he does mention a number of specific tools, the main message here is that he recommends that you use a Windows system. There are many fine forensic tools available on other platforms, and his point really isn’t about the quality or quantity of the tools themselves. His argument is that using Windows as your platform – working with it day in and day out – will give you a better grasp of the system.

The remaining seven chapters are where things get practical and technical. Each takes a different part of the analysis job, starting with the immediate response. From the moment an incident is detected, the forensic analyst’s job becomes harder. As Carvey points out, even an apparently idle Windows system is actually very active, and files that are essential to the analyst’s work are being overwritten, modified or deleted. So the second chapter is all about how you can respond as quickly as possible, and what your first steps should be.
The book then devotes a whole chapter to Volume Shadow Copies (VSCs). These were introduced with XP and then substantially updated with Vista and Windows 7. The Volume Shadow Copy Service (VSS) is part of the system restore capability, creating automatic backups so that a user can roll back the system to an earlier restore point when issues are encountered – for example, if a patch causes problems. In the process, this effectively preserves data that, for example, a user might think has been deleted. Carvey believes that, while forensic analysts are aware of VSCs, not all fully appreciate their forensic significance, which is why he’s devoted a whole chapter to the subject.

The following chapters cover more familiar ground. A chapter on file analysis takes us through the Master File Table (MFT), logs, prefetch files, the recycle bin, hibernation files and so on. Then we move to the registry. Carvey eschews a key-by-key analysis because, as he points out, this subject has been covered extensively elsewhere – not just in the second edition of this book but also in titles such as the Malware Analyst’s Cookbook. Instead, he examines a few key analysis questions through the use of case studies. Nevertheless, it’s a meaty chapter that will help you get to grips with both the nature of the registry and its value to forensic analysts.

Then it’s the turn of malware – specifically, looking for the effects that malware may have had on the system. With all the fuss about Advanced Persistent Threats (APTs), malware is assuming an ever-greater significance in hacking attacks, so tracking the path of malware through the system is very important. As most analysts are aware, it’s not just what is on the system – in terms of data – that is important, but how the computer has been used. In many criminal cases, for instance, showing when a user carried out certain actions can be just as important. So the next chapter deals with compiling timelines, and crucial to this is understanding which resources on the system can yield this kind of information. And finally, Carvey moves away from the operating system, providing a brief chapter on application analysis.
Throughout the book, Carvey offers copious examples of how you use tools to get the information you need, frequently supported by screenshots of the kinds of results you can expect and case studies detailing how these techniques have proved effective in the real world. The previous editions of this title became standard works on the subject and it’s a safe bet that the new edition will become a fixture on the shelves of forensic analysts everywhere. – SM-D
June 2012