Monday, March 02, 2009

WFA 2/e is on its way!

Windows Forensic Analysis, second edition, is on its way!

Today is the day that everything was due, and for the most part I think that everything is in. At this point, all that's really left to do is for me to wait to see if the publisher sends me any mastered chapters in PDF format to review, but beyond that, it's simply a matter of waiting. As soon as I know when the book will be available, and in what formats, I'll let you know.

Eoghan Casey deserves a great big, huge thanks for his efforts as a technical editor. He put in a lot of work and had a lot of great suggestions, not all of which I had the time to really take advantage of; nonetheless, I greatly appreciate Eoghan's efforts in reviewing the materials, and I'm sure the readers will, too.

Now, a lot of you are going to ask me (and have been asking me), what's new in this edition? First off, this isn't a new book, it's a second edition, so I used the first edition as a starting point. All of the chapters have been updated to some degree; some just a bit, because the information still holds, and others were pretty heavily updated (ch. 3, 4, and 5) due to changes that have occurred since the first edition was published.

For example, there are a lot of references to and discussion of Matt Shannon's F-Response, particularly the Enterprise Edition. I spent a good deal of time writing a step-by-step process for deploying F-Response EE remotely, and then just as I was getting ready to send that chapter in to the publisher, Matt came up with the FEMC! With the FEMC, any analyst or responder with an F-Response EE dongle now has an enterprise capability that is as easy to deploy remotely (and in a stealthy manner) as it is to play Solitaire!

Chapter 3 on Memory Analysis has been heavily updated to include tools such as Volatility, HBGary's Responder and Mandiant's Memoryze. Unfortunately, all three went through some updates fairly recently, after the chapter was sent in to the publisher.

Chapter 4, Registry Analysis, has been very heavily updated, particularly since RegRipper plays such an important part in that chapter. Beware, Eoghan feels that this chapter is a bit of a "marathon" for the reader, and I agree...but there simply wasn't enough time to address that...so consider it a reference tome. ;-)

Chapter 5, File Analysis, was pretty heavily updated, to include more information on some topics (such as SQL injection in IIS web server logs), as well as information on files from Vista, etc.

Yes, I've added more information on Vista and even dipped a bit into Windows 7.

I've also added two additional chapters; chapter 8, Tying It All Together, is meant to bridge the gap imposed by many of the chapters. For example, one chapter talks about memory analysis, another about the Registry, and yet another about files on the system...but chapter 8 is where I've added case studies or war stories, illustrating how these different areas of analysis can be tied together to build a comprehensive picture of your incident or case.

Chapter 9, Performing Analysis on a Budget, isn't meant to tell the reader not to use commercial forensic analysis applications; not at all...I still like ProDiscover. However, the fact is that analysis isn't about the tool, it's about the process. Some folks need to see what tools are out there in order to expand their process...that's cool. Others may want to know what's possible, and then be able to pick from a list of tools (or like me, develop their own...). This chapter is not only meant for hobbyists who want to learn more, university students, and maybe LE, but it's also meant to show everyone that there are other things out there besides...well...fill in the name of your favorite application. ;-)

Now, some of the things that aren't in the book...first, any updates to the material that is in the book that occurred in the last week or so. This includes some of the stuff I've blogged about, such as Moyix's new and amazing feats! Another thing that really isn't in the book is the timeline analysis stuff I've been blogging about...I only got time to work on that after the manuscript was sent in. And finally, the stuff you're just now thinking about isn't in the book...sorry! ;-)

That being said, as soon as I get more information about when the book will actually be available and in bookstores, I'll let you know.

10 comments:

Claus said...

Harlan - Congrats! I know you have been hard at work on this and it's a pleasure I'm looking forward to!

Kudos for this: "...the fact is that analysis isn't about the tool, it's about the process. Some folks need to see what tools are out there in order to expand their process...that's cool. Others may want to know what's possible, and then be able to pick from a list of tools ..."

I'm certainly not a forensics guy by any stretch of the imagination, however as a sysadmin, many of the processes used in your field of expertise are easily translated into diagnostics and troubleshooting; particularly in root-cause analysis. Having a wide variety of solid tools and techniques allows me multiple approach angles to a given situation.

Experience determines which ones I will execute first.

Thanks for sharing your experience with us!

--Claus V.

Keydet89 said...

...many of the processes used in your field of expertise are easily translated into diagnostics and troubleshooting

Dude! I am SO glad to see that someone else gets it!! I've been saying this for a long time...a LOT of the work that a responder or analyst does is really just diagnostics and/or troubleshooting, but with a process (i.e., not hit or miss).

Andrew Hay said...

Congrats buddy :)

JL said...

Congratulations!

I can't wait to read it :-)

Keydet89 said...

Oddly enough, after working on it for so long...neither can I! There's a big difference between writing something and then seeing it published...very exciting!

Philip Elder SBS MVP said...

Pingback: http://blog.mpecsinc.ca/2009/03/needed-books-in-sbsers-repertoire.html

Thank you for the great work and way to go on the book!

And, I agree on your last comment about writing something and seeing the finished product in hand! :)

Philip

Ken Pryor said...

Congratulations Harlan! I'm truly looking forward to the 2nd edition and, like Jamie, I can't wait to read it! The first edition has already been a big help to me and I can't wait to see what new goodies are to come.
KP

Paco said...

Great news but... what if someone (me) had just bought a copy of the first edition (2 weeks ago)??? sigh, sigh... that's bad luck

Keydet89 said...

Paco,

Sorry, my friend, I don't know what to say...I've been blogging about this edition of the book being in process and on its way for some time:
http://windowsir.blogspot.com/2008/12/flippin-sweet.html

Paco said...

I'm paying for the fact that in the last months I didn't manage to follow the blog consistently... I would have known!!!
Anyway, congratulations, because the quality of your work is amazing!!!
It's so good that I'll buy the 2nd ed. anyway.