The Virtual Bookcase for browsing and sharing reviews of books. New to this site? Read the welcome page first.

The Virtual Bookcase Home
Recent reviews
Collected book news
Welcome to this site

Book details of 'Windows Forensics and Incident Recovery'

Cover of Windows Forensics and Incident Recovery
TitleWindows Forensics and Incident Recovery
Author(s)Harlan Carvey
PublishedJuly 2004
PublisherAddison-Wesley Professional
Web links for this book
Search at
Wikipedia booksources
Shop for this book
As an Amazon Associate I earn from qualifying purchases

Back to shelf Computer security


Vote for this book

The Virtual Bookcase Reviews of 'Windows Forensics and Incident Recovery':

Reviewer Rob Slade wrote:
Chapter one is an introduction, both to the book and to the ideas behind it. For once, the author does, indeed, try to define what an incident is. The definition is broad, but so are the possibilities. The intended audience is stated to be anyone interested in the security of Microsoft Windows, but it is instructive that, in listing specific groups, forensic specialists and security professionals are *not* mentioned. Carvey notes that a great many people would like to know the information that Windows forensics can provide, since the platform is nearly ubiquitous, but few have the knowledge of system internals that is necessary to find the relevant bits. Based on the definition of an incident as an event that violates security policy, chapter two demonstrates some of the ways that policy failures, and therefore attacks, can occur. (The rationale behind the inclusion of eleven pages of Perl source for a program to detect null sessions escapes me.) Chapter three reviews a number of places to hide data, but all of these are at the user interface level, such as setting hidden file attributes, placing data in unused keys in the Registry, NTFS (NT File System) alternate data streams (ADS), and the extra information stored in data files by applications like Microsoft Word. There is no mention of the lower level caches: slack space (whether in terms of zero padding, extra space in sectors, or the timing margins on hard disks) or page files. In addition, for those locations that are mentioned, specific programs for extracting particular data are listed, but no details of structural internals (for example formats for NTFS, OLE/COM, or Word) are provided for analysis with more general utilities. This is not to say that Carvey does not do a good job of explaining what he does cover: the tutorial on NTFS ADS is clear and complete. The material in chapter four addresses the issue of preparation by suggesting various means of hardening systems and networks against attack. The content is unusual, and deals with functions and activities that are frequently left out of security texts. At the same time, it does not touch on some common suggestions for system security: this should be seen as a complement to, rather than a replacement for, other Windows security works. A wealth of utilities for deriving all manner of information from Windows systems are listed and described in chapter five. Chapter six presents suggestions for the methods and procedures to be used in responding to a potential incident, but it does so in the form of a number of fictional examples. The stories can be instructive, but it does take a long time to sort through the material to find the relevant points to use. Various indications that can be evidence of the existence of malware (particularly network-based remote access trojans) are examined in chapter seven. The author's Forensic Server Project, a tool for managing forensic data collection, is presented in chapter eight. Chapter nine describes an assortment of network scanning and data capture tools. Although a number of areas are addressed, the text will be of greatest use to those who are concerned about network malware, especially of the remote access type. The intended audience, of experienced but non-specialist Windows administrators and law enforcement professionals with some technical background, will find a number of valuable indicators that will point out whether a system will reward further scrutiny. The professional, and particularly one with experience in forensic analysis, will find some very useful information on newer operations of Windows, but may be frustrated at the lack of detail. (I'm still not sure who is going to get a lot out of all the Perl source code ...) copyright Robert M. Slade, 2004

Add my review for Windows Forensics and Incident Recovery
Search The Virtual Bookcase

Enter a title word, author name or ISBN.

The shelves in The Virtual Bookcase

Arts and architecture (25)
Biography (24)
Business and Management (120)
Cars and driving (53)
Cartoons (45)
Children's books (180)
Computer (475)
Computer history/fun (113)
Computer networks (382)
Computer programming (215)
Computer security (272)
Cook books (89)
Fantasy (154)
Fiction (446)
Health and body (71)
History (138)
Hobby (37)
Horror (65)
Humorous books (52)
Literature (57)
Operating systems (94)
Outdoor camping (162)
Outdoors (236)
Politics (85)
Privacy (61)
Psychology (55)
Religion (17)
Science (113)
Science Fiction (156)
Self-help books (56)
Technology (14)
Travel guides (308)
War and weapons (29)
World Wide Web (213)
Zen (5)
Other books (89)

The Virtual Bookcase is created and maintained by Koos van den Hout. Contact e-mail
Site credits
Copyright © 2000-2020 Koos van den Hout / The Virtual Bookcase Copyright and privacy statement