I recently finished reading the third edition of Harlan Carvey’s Windows Forensic Analysis Toolkit. This edition, as he clearly states throughout the text, is not meant to be a re-write of previous editions. Instead, it serves as a companion to both the second edition of the same text and Windows Registry Forensics. That being said, Harlan did a great job of relating Windows 7 artifacts to their more familiar Windows XP brethren when appropriate. As an analyst who, until recently, primarily dealt with Windows XP systems, this was a welcome aspect of the book.
Having read WFA 2ed, I was somewhat surprised to see the first two chapters of this edition dedicated to non-technical topics. However, I do believe that the coverage is warranted, and that the topics are relevant to new and experienced practitioners alike. Keeping the analysis concepts included in the first chapter fresh in your mind will help ensure you’ve carried out the best and most efficient investigation possible. One point that I wholeheartedly agree with is the statement that “goals of our analysis are perhaps the most important aspect of what we do.” Having clear goals for an examination will scope your work, alter your process, and present at least the initial artifacts that may be useful in your analysis. Nothing is more frustrating than receiving a hard drive from a customer without any description. Worse yet, when you ask the customer what they want to know, the answer should not be “nothing specific, just whatever you find”! Most analysts cannot afford to jump down a rabbit hole looking for traces of any action that could be potentially of interest. Another point that I enjoyed was the description of a tool versus a process. This is one topic that I’m always concerned with. A process should accommodate any tool that could be used to reach an end goal. Additionally, if an analyst doesn’t have a particular tool at her disposal, she should still be able to conduct an analysis. Along these lines, I constantly wonder why so many job descriptions (and resumes) put such an emphasis on specific tools. If an analyst can describe a process to reach the same end goal, the specific tools used within the organization can be learned. One of my largest peeves is seeing a resume that has a vomit-list of every tool the applicant has ever used. Not only is it likely the person can’t still use those tools, but it doesn’t show the applicant actually understands what they’re doing.
The last point in this chapter that I particularly enjoyed (though it doesn’t mean the other points are any less important) was the reference to direct and indirect artifacts. I often find it useful in my reports to allude to this fact in order to make statements more clear. For instance, stating that a particular event occurs for all applications can help clarify why a particular artifact exists. This helps to avoid questions as to “why the malware did that” when in fact the malware itself didn’t.
Chapter 2, Immediate Response, correctly portrays the importance of the planning phase in incident response. As the author states, every organization has or will experience an incident at some point in time. Ignoring this fact and not planning for it is, at the risk of being cliché, planning for failure. In all seriousness, if you don’t plan for at least the initial phases of an incident, you will run into trouble sooner or later. For instance, practicing acquiring an image on all the systems within your organization is key. Assuming that your acquisition methods will work on every system is going to leave you in a bad place when you hit the system it doesn’t work on. Chances are, if you didn’t test the methods beforehand, you probably don’t have a plan B to use in case you encounter difficulties.
The remainder of the text is more similar in nature to the previous editions of WFA. As a newer analyst, I found that the use of case studies throughout the text was beneficial in demonstrating how the concepts applied in a real-world scenario. The two chapters I found the most beneficial were Volume Shadow Copies and Timeline Analysis. I attribute this to the fact that the concepts described within these chapters are the newest or most novel of the chapters. That is, in general, the concepts associated with the remaining chapters are more similar to the previous edition. Don’t get me wrong, the specific artifacts discussed in the remaining chapters are not any less important than any other chapter, but I personally gained the most from chapters 3 and 7. The potential benefits that can be realized from Volume Shadow Copy analysis are immense, as is demonstrated by the progress made in their analysis within the community. The book provides a great introduction to the topic for those that don’t have any previous experience in VSCs and explains why the community progress (such as Corey Harrell’s at the Journey Into Incident Response blog) is so important. With regard to the timeline chapter, I particularly liked the attention paid to the multiple uses for timelines, as well as the wealth of potential data sources to include within them. I think timelines are another area in which having a goal is important. Again, the goal will determine the scope of your timeline and the specific artifacts you’re looking for. Additionally, I’ll now be looking for opportunities in which providing a micro-timeline will aid in the presentation of my findings.
Verdict: Windows Forensic Analysis Toolkit 3rd edition provides a wealth of important information for new and old practitioners alike. Not only does it provide a great overview of artifacts of interest on Windows 7 systems, but it also presents plenty of technology-independent concepts that play an important role in any investigation. Feel free to place a copy on your shelf next to WFA 2ed and WRF.