Thursday, June 22, 2006

New Forensics Book

I've found a publisher who wants to publish my second book. I've got a contract on my desk
right now. Our goal is to have this book on the shelves in late spring 2007.

This book will cover a variety of topics specific to information collection and analysis under live response and post-mortem conditions,
specifically for Windows systems. However, with the tools and techniques presented in this book, the analyst will
not be restricted solely to Windows as the analysis platform (many of the tools I created for this book
have been successfully tested on Windows, Linux, and Mac OS/X platforms).

This book will not cover topics that are not specific to Windows, such as imaging procedures, etc.

I've included a brief, conceptual outline below. My goal is to make this a valuable resource, full of
explanations, examples, and exercises. This will include sample memory captures, and links to images.
Some have suggested including sample system images on DVDs with the book, but in order to do so, I'd have to
include several DVDs. Talking with the publisher, most publishing systems are set up to press a single CD or
DVD for inclusion with the book...including additional media will drive the price of the book out of the range
of the intended audience.

I'd appreciate your input/comments on this, as well.

Some of the comments I've received from other sources include:

- Cover mobile devices: I'd love to...but I'm a one-man shop. I can't afford to purchase
mobile devices just for testing, nor can I afford the software to image such devices.

- Steganography: while not specific to Windows, it is definitely worth mentioning...but I'd
like to get some input from folks as to what needs to be addressed/discussed.

Chapter 1 – Introduction
- Purpose of the book, intended audience, what the book does/does not address

*Live Response section
Chapter 2 – Collecting Volatile Data
- Address live response, volatile data collection (i.e., what to collect, how to collect it)

Chapter 3 – Analyzing Volatile Data
- How to understand what you've collected; data reduction/correlation techniques for volatile data

Chapter 4 – Windows Memory Analysis
- Description of \\.\PhysicalMemory, how to dump it, how to parse/analyze it.

*Post-Mortem section
Chapter 5 – Registry Analysis
- An explanation/description of the Windows Registry, how to locate information, etc. This chapter will
have many subsections covering specific areas, such as USB removable storage devices, etc.

Chapter 6 – Log/File Analysis
- Covers descriptions of files maintained by Windows for logging, etc. Covers several directories, explaining why/how they're used.

Chapter 7 – Malware analysis for Administrators
- PE file analysis for Administrators/investigators. This is not a debugger/disassembler training guide.

Chapter 8 – Rootkits and rootkit detection
- Descriptions of rootkits, detection techniques, etc.


debaser_ said...


In regards to the problem of distributing large amounts of data on DVD - Have you thought about using BitTorrent to distribute the images via your website? BT does have legitimate uses. I am sure you would find people to help seed the files. It is a book for tech savvy folks, so I think they wouldn't mind the download if it kept the cost of the book down.

Anonymous said...

Harlan -- I think you should close the PRE or FONT tag you inserted above the book outline. It's making the rest of your blog appear as Courier.

Anonymous said...

Can you just tell me a li'l bit about these torrents. Sometimes when I search for videos I get these torrents, hardly a few kilobytes, but I do not know how to utilize these to download the videos.

Work From Home Information Provider

debaser_ said...

In response to S.K - I hope you aren't being sarcastic. I was being serious about using torrents to distribute data (legit data) and not be a huge burden on one person. In the event you are being serious, you will need a client to interpret the torrent files and download the data you want. I personally use uTorrent.

CMSS said...

Your first book was excellent, as is the toolkit. With respect to what tools other than the main packages I use, I like the Sysinternals tools and the Helix Knoppix distro for the targeted tasks. One thing I was toying with but never got around to writing was intentions-based tutorials (fancy word for scenarios). Basically, forensics around how to go step-by-step to answer a particular question, e.g.

- What programs were installed on this machine?
- Were there any viruses or similar malcode present on this box?
- What images and movies are present on this system?

Basically, they would help the analyst that knows the techniques but needs to know how to apply them to the common questions we have to answer in the forensic space.

Keydet89 said...


Thanks for the comment.

Several of the scenarios you point out are really pretty straightforward, and covered by a variety of resources. However, I do appreciate you pointing them out, so I'll take a stab at answering them here:

> - What programs were installed on this machine?

Assuming "installed" means via an MSI installer, then the contents of the Uninstall key maintain this list...what's seen in the "Add/Remove Programs" list. However, this does not cover things like nmap.exe, which are "installed" by copying an .exe to a directory.

> - Were there any viruses or similar malcode present on
> this box?

This can be handled via A/V scans, hash comparisons, as well as analyzing specific Registry keys for their contents.

> - What images and movies are present on this system?

You can do this by using a file listing by extension, file signature analysis, as well as checking the Recent key.

Thanks for the comments...I've been thinking of adding an appendix to the book that is a FAQ which addresses questions like this.

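As an added illustration of the "file listing by extension plus file signature analysis" approach mentioned in the reply above (example code, not from the post or the book): a small Python scanner that identifies images and movies by their leading bytes and flags files whose extension disagrees with their content. The signature table covers a handful of common formats, and the sample files it writes are constructed purely for the demonstration.

```python
import os
import tempfile

# Content signatures: each type lists alternatives; every (offset, bytes) pair in an alternative must match.
SIGNATURES = {
    "jpeg": [[(0, b"\xff\xd8\xff")]],
    "png":  [[(0, b"\x89PNG\r\n\x1a\n")]],
    "gif":  [[(0, b"GIF87a")], [(0, b"GIF89a")]],
    "avi":  [[(0, b"RIFF"), (8, b"AVI ")]],
}
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".avi": "avi"}

def identify(header):
    """Return the media type implied by the first bytes of a file, or None."""
    for ftype, alternatives in SIGNATURES.items():
        for reqs in alternatives:
            if all(header[off:off + len(sig)] == sig for off, sig in reqs):
                return ftype
    return None

def classify_file(path):
    """Compare what the extension claims with what the content actually is."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    by_sig = identify(header)
    by_ext = EXT_TO_TYPE.get(os.path.splitext(path)[1].lower())
    return {"by_signature": by_sig, "by_extension": by_ext,
            "mismatch": by_sig != by_ext}  # renamed media, or a non-media file posing as media

def scan_tree(root):
    """Walk a directory tree; return {path relative to root: classification}."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = classify_file(full)
    return out

def build_sample_tree():
    """Constructed sample files (not real evidence) for exercising the scanner."""
    root = tempfile.mkdtemp()
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    samples = {"real.jpg": jpeg, "hidden.txt": jpeg,  # image renamed to .txt
               "fake.png": b"plain text, not a PNG",  # extension lies about content
               "notes.txt": b"meeting notes", "clip.avi": b"RIFF\0\0\0\0AVI LIST"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Run scan_tree() over a mounted image's user directories; the entries with mismatch set are the ones worth a closer look.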


Anonymous said...

What about Encrypted Drive (BitLocker)? I have not found a solution (forensically) to get around this issue. Maybe you should look into it and put it in your book.

Just a suggestion. Can't wait for the book to come out!