I’ve been waiting until I received the hard copy of this book to write the review. I had the fortune of being the tech editor for this book and enjoyed every minute of it. Although I do not have an ongoing financial interest in this book, I do have a vested personal interest based on the reasons Harlan Carvey lays out in many chapters. I’ll get to my personal interest later in this review. Also, Harlan has a post on updated book contents here: http://regripper.wor...er-download-2/
Without reading any reviews, those analysts who buy Harlan’s books will keep buying his books with the full expectation of having a well-written (as in easy-to-read) book on Windows OS forensics. There is no need to read any further in this review if you fit in this category. This is Harlan’s new book. That is all you really need to know. But if you just want my opinion, read on…
The topics in the 4th Edition of WFA are all eye-catching. Volume shadow copies, file analysis, registry, malware, timelines, tracking user activity, and more. Every topic detailed in all the chapters, is relevant to everyone that touches a Windows system to examine. The difference between Harlan’s books and others is the guidance given. For example, rather than reading a discourse on some technology, Harlan gives practical advice, suggestions, and real-life stories that relate to the points in the book. Since we have all made mistake (or will make mistakes, or have made mistakes but just don’t know it yet), having guidance that reduces mistakes in the way of stories and plain talk is well worthwhile to read.
The book has too much information to be covered in a review. There is more information on accessing volume shadow copies using several different methods than I want to review. The same can be said for file analysis, registry analysis, timelines, and every other topic. Harlan gives several options to accomplish the same task, using different software. Although I wrote a book on one software (X-Ways Practitioners Guide), I obviously use more than just one software. Any forensic book, other than a manual or software guide, that does not give options with various types of software does not give the reader options to solve problems.
Another facet of Harlan’s book is his never-ending harping of asking everyone to ‘share information’. That sentence may sound negative, but truthfully, I don’t know how Harlan has the energy to push the sharing of information for so long. The book is sprinkled with this tone and I echo the importance of sharing information. I did my best to keep up with Harlan’s book as I tech edited it, working his suggestions. Some of the methods he wrote were new to me, which I would not have found on my own without happening upon the method in a blog..maybe.
Those examiners who conduct investigations, not just an analysis of a machine, will enjoy the guidance on tracking user activity, writing reports, drawing conclusions, correlating data, and making inferences. Those topics are my personal favorites.
Harlan writes in this book that sharing helps us to know what is possible. That makes sense, because how can you know what you don’t know.
I can say unequivocally that writing a digital forensics book is primarily, if not solely, to share information. Few (no one?) gets rich writing a computer technical book in the niche of digital forensics. The market for a digital forensic book is probably a fraction of a fraction of a fraction when compared to a Tom Clancy or JK Rowling book. With that, consider that when Harlan says he writes to share, he really means that he writes to share, just like all other forensic book writers.
The personal risk to sharing, which everyone knows, is that you could be totally wrong, slightly inaccurate, poorly written, disproved later, or maybe you “discovered” something that everyone else already knew. This risk of sharing keeps the majority of examiners quiet and makes it seem that there are only a few examiners that share information. That is why we see the same names popping up online and conferences through the years. But in the audiences listening to these same names, there are smarter people, better examiners, and great investigators. They just don’t speak up or share information. (nudge..nudge…feel free to share…no one will bite you).
That is one of Harlan’s premises to keep going and he reiterates it in the book and his blog and when he speaks. We all get ‘smarter’ when we share. None of us move forward when we don’t share. To share is to take a risk of being wrong and embarrassed. Worse still is the fear to be wrong and get attacked online. However, for all those that share, either by asking questions, giving suggestions, or describing methods you have created or use, my hat goes off to you. It takes guts to put yourself out there, knowing that the sharks are circling and sniffing for blood.
Back to my personal interest in this book. When I have found a method or tool that I like, I want everyone to use it. I don’t hold it close to my chest or hide it. I share it. I become an evangelist to that tool or method to get the word out. The reason? The more examiners in the field that use it, the more chance the method/tool becomes an industry standard. Then it gets improved upon, further developed, “court accepted” in that the results obtained by that tool/method are accepted into a court, and I get to use the tool/method more.
The best personal example I can give to prove this point is with WinFE (https://winfe.wordpress.com). From a two-page Word document typed by Troy Larson of Microsoft, I marketed that little ingenious tool as if I was making a million bucks off it. It’s now in use by every country that does forensics and in just about every agency or company in those countries. It’s even taught in forensic training programs in both the public and private sector. So now, anyone can create and use WinFE without worry of using a non-industry accepted tool. This happened only because those that used WinFE, shared the knowledge of how to use and when to use it. Imagine if we did that with every “new” effective method or tool.
The key point in the prior two paragraphs is that Harlan’s book has lots of those types of ideas that he has shared. He gives credit to ideas created by others along with sharing his own ideas.
My only negative words on WFA/4 is…maybe X-Ways Forensics could have been put in it…but that’s what we have the XWF Guide for..
My suggestion on WFA/4…buy the book. You will not regret it. My other favorite books are here https://winfe.wordpress.com/books/.
View the full article
