REVIEW: "Windows Forensics and Incident Recovery", Harlan Carvey

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Mar 7, 2005.

  1. BKWNFOIR.RVW 20041224

    "Windows Forensics and Incident Recovery", Harlan Carvey, 2005,
    0-321-20098-5, U$49.99/C$71.99
    %A Harlan Carvey
    %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
    %D 2005
    %G 0-321-20098-5
    %I Addison-Wesley Publishing Co.
    %O U$49.99/C$71.99 416-447-5101 fax: 416-443-0948
    %O tl a rl 1 tc 2 ta 2 tv 1 wq 2
    %P 460 p. + CD-ROM
    %T "Windows Forensics and Incident Recovery"

    Chapter one is an introduction, both to the book and to the ideas
    behind it. For once, the author does, indeed, try to define what an
    incident is. The definition is broad, but so are the possibilities.
    The intended audience is stated to be anyone interested in the
    security of Microsoft Windows, but it is instructive that, in listing
    specific groups, forensic specialists and security professionals are
    *not* mentioned. Carvey notes that a great many people would like to
    know the information that Windows forensics can provide, since the
    platform is nearly ubiquitous, but few have the knowledge of system
    internals that is necessary to find the relevant bits. Based on the
    definition of an incident as an event that violates security policy,
    chapter two demonstrates some of the ways that policy failures, and
    therefore attacks, can occur. (The rationale behind the inclusion of
    eleven pages of Perl source for a program to detect null sessions
    escapes me.)

    Chapter three reviews a number of places to hide data, but all of
    these are at the user interface level, such as setting hidden file
    attributes, placing data in unused keys in the Registry, NTFS (NT File
    System) alternate data streams (ADS), and the extra information stored
    in data files by applications like Microsoft Word. There is no
    mention of the lower level caches: slack space (whether in terms of
    zero padding, extra space in sectors, or the timing margins on hard
    disks) or page files. In addition, for those locations that are
    mentioned, specific programs for extracting particular data are
    listed, but no details of structural internals (for example formats
    for NTFS, OLE/COM, or Word) are provided for analysis with more
    general utilities. This is not to say that Carvey does not do a good
    job of explaining what he does cover: the tutorial on NTFS ADS is
    clear and complete. The material in chapter four addresses the issue
    of preparation by suggesting various means of hardening systems and
    networks against attack. The content is unusual, and deals with
    functions and activities that are frequently left out of security
    texts. At the same time, it does not touch on some common suggestions
    for system security: this should be seen as a complement to, rather
    than a replacement for, other Windows security works. A wealth of
    utilities for deriving all manner of information from Windows systems
    are listed and described in chapter five.

    Chapter six presents suggestions for the methods and procedures to be
    used in responding to a potential incident, but it does so in the form
    of a number of fictional examples. The stories can be instructive,
    but it does take a long time to sort through the material to find the
    relevant points to use. Various indications that can be evidence of
    the existence of malware (particularly network-based remote access
    trojans) are examined in chapter seven. The author's Forensic Server
    Project, a tool for managing forensic data collection, is presented in
    chapter eight. Chapter nine describes an assortment of network
    scanning and data capture tools.

    Although a number of areas are addressed, the text will be of greatest
    use to those who are concerned about network malware, especially of
    the remote access type. The intended audience, of experienced but
    non-specialist Windows administrators and law enforcement
    professionals with some technical background, will find a number of
    valuable indicators that will point out whether a system will reward
    further scrutiny. The professional, and particularly one with
    experience in forensic analysis, will find some very useful
    information on newer operations of Windows, but may be frustrated at
    the lack of detail. (I'm still not sure who is going to get a lot out
    of all the Perl source code ...)

    copyright Robert M. Slade, 2004 BKWNFOIR.RVW 20041224


    ============= for back issues:
    [Base URL] site
    or mirror
    CISSP refs: [Base URL]mnbksccd.htm
    Security Dict.: [Base URL]secgloss.htm
    Book reviews: [Base URL]mnbk.htm
    Review mailing list: send mail to
    Rob Slade, doting grandpa of Ryan and Trevor, Mar 7, 2005
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Silverstrand

    Review: Battalion-101~ S Notebook Review

    Silverstrand, Jun 20, 2005, in forum: The Lounge
    Jun 20, 2005
  2. Silverstrand
    Jun 20, 2005
  3. Thad

    DP Review Leica Digilux 2 Review

    Thad, May 11, 2004, in forum: Digital Photography
    May 12, 2004
  4. Mike McGee
    Mike McGee
    Dec 4, 2003
  5. Replies:

Share This Page