Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Windows Forensics and Incident Recovery", Harlan Carvey

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKWNFOIR.RVW 20041224 Windows Forensics and Incident Recovery , Harlan Carvey, 2005, 0-321-20098-5, U$49.99/C$71.99 %A Harlan Carvey %C P.O. Box 520, 26
    Message 1 of 1 , Mar 7, 2005
    • 0 Attachment
      BKWNFOIR.RVW 20041224

      "Windows Forensics and Incident Recovery", Harlan Carvey, 2005,
      0-321-20098-5, U$49.99/C$71.99
      %A Harlan Carvey
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2005
      %G 0-321-20098-5
      %I Addison-Wesley Publishing Co.
      %O U$49.99/C$71.99 416-447-5101 fax: 416-443-0948 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321200985/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0321200985/robsladesin03-20
      %O tl a rl 1 tc 2 ta 2 tv 1 wq 2
      %P 460 p. + CD-ROM
      %T "Windows Forensics and Incident Recovery"

      Chapter one is an introduction, both to the book and to the ideas
      behind it. For once, the author does, indeed, try to define what an
      incident is. The definition is broad, but so are the possibilities.
      The intended audience is stated to be anyone interested in the
      security of Microsoft Windows, but it is instructive that, in listing
      specific groups, forensic specialists and security professionals are
      *not* mentioned. Carvey notes that a great many people would like to
      know the information that Windows forensics can provide, since the
      platform is nearly ubiquitous, but few have the knowledge of system
      internals that is necessary to find the relevant bits. Based on the
      definition of an incident as an event that violates security policy,
      chapter two demonstrates some of the ways that policy failures, and
      therefore attacks, can occur. (The rationale behind the inclusion of
      eleven pages of Perl source for a program to detect null sessions
      escapes me.)

      Chapter three reviews a number of places to hide data, but all of
      these are at the user interface level, such as setting hidden file
      attributes, placing data in unused keys in the Registry, NTFS (NT File
      System) alternate data streams (ADS), and the extra information stored
      in data files by applications like Microsoft Word. There is no
      mention of the lower level caches: slack space (whether in terms of
      zero padding, extra space in sectors, or the timing margins on hard
      disks) or page files. In addition, for those locations that are
      mentioned, specific programs for extracting particular data are
      listed, but no details of structural internals (for example formats
      for NTFS, OLE/COM, or Word) are provided for analysis with more
      general utilities. This is not to say that Carvey does not do a good
      job of explaining what he does cover: the tutorial on NTFS ADS is
      clear and complete. The material in chapter four addresses the issue
      of preparation by suggesting various means of hardening systems and
      networks against attack. The content is unusual, and deals with
      functions and activities that are frequently left out of security
      texts. At the same time, it does not touch on some common suggestions
      for system security: this should be seen as a complement to, rather
      than a replacement for, other Windows security works. A wealth of
      utilities for deriving all manner of information from Windows systems
      are listed and described in chapter five.

      Chapter six presents suggestions for the methods and procedures to be
      used in responding to a potential incident, but it does so in the form
      of a number of fictional examples. The stories can be instructive,
      but it does take a long time to sort through the material to find the
      relevant points to use. Various indications that can be evidence of
      the existence of malware (particularly network-based remote access
      trojans) are examined in chapter seven. The author's Forensic Server
      Project, a tool for managing forensic data collection, is presented in
      chapter eight. Chapter nine describes an assortment of network
      scanning and data capture tools.

      Although a number of areas are addressed, the text will be of greatest
      use to those who are concerned about network malware, especially of
      the remote access type. The intended audience, of experienced but
      non-specialist Windows administrators and law enforcement
      professionals with some technical background, will find a number of
      valuable indicators that will point out whether a system will reward
      further scrutiny. The professional, and particularly one with
      experience in forensic analysis, will find some very useful
      information on newer operations of Windows, but may be frustrated at
      the lack of detail. (I'm still not sure who is going to get a lot out
      of all the Perl source code ...)

      copyright Robert M. Slade, 2004 BKWNFOIR.RVW 20041224

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Heaven goes by favour. If it went by merit, you would stay out
      and your dog would go in. - Mark Twain
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.