Thursday, March 13, 2008

New WFA Review Posted

Rob Lee posted a review of Windows Forensic Analysis today...check it out!

I have to tell you, it's a good one! Rob really hits home with some very important points about the book, particularly regarding flow. That's something I'll have to work on for 2/e. That's right...a second edition. I plan to make it more than an update, more than just adding new stuff. One of the problems I see with the current edition is like Rob said...flow. How does one sit down and find something more than just information about a tool or file? Sure, books have indexes (hint, hint) and that's a great place to start, but talking about how Prefetch files or a particular Registry key is useful will only get you so far. What I need to do is figure out a way to tie this all together into something that describes how to use this stuff in an actual...you know...examination. After all, that's the point, isn't it?

I do have some thoughts and ideas on where to go, but to be honest, I'd really like to hear from folks regarding what might work.

2 comments:

Anonymous said...

Hey Keydet89,
I'm sure you've thought about it, but it won't hurt to throw in some comments.
What about telling a story wing-to-wing from an investigation perspective (tools, what each clue leads to, important places to look) for a series of incident types, i.e. suspected intrusion, data leakage, fraud, etc...
I love this blog
Umil

Keydet89 said...

Umil,

I can definitely provide case studies which have been scrubbed of all customer-specific information, but readers need to keep in mind that all information pertinent to the decision-making may not be available, and the directions taken in the investigation may not be clearly defined.

Also, I'm aware that lots of folks want to see stories like what you describe, but few of those asking for the stories want to provide their own stories...

H