Wednesday, May 06, 2009

Is this stuff really useful??

Every now and then I get emails from folks who've found my blog or one of my books useful, whether it has to do with work, school, or a hobby. For the most part, these emails are positive...I haven't really received any negative comments, per se...but I also try to see if there's a way to have these comments made publicly available in some manner. Recently, one of the folks who emailed me consented to allowing me to post the body of their email to my blog...so, here it is...

I'll try to make this short. I have your first book and on more than one occasion, I've referenced it for information. A fellow examiner asked me about it one time and even read through it to some extent. He later commented that it was a pretty good book but the author wasn't even a certified examiner. I let it go because everyone has their opinion. About a week or so ago, he was preparing to testify in a case and the subject of external drives and USB flash drives came up. I showed him your chapters concerning the registry and USB storage. Long story way too long, his newly gained knowledge of the registry and USB helped out enormously during the trial to the point that the other side didn't even have their expert take the stand. He is now a converted HC follower and has plans to purchase your upcoming WFA 2/e as I will be doing the same. Anyhow, I thought you would find this pretty amusing....I did.

Pretty amusing, definitely. Cory Altheide and I conducted the first publicly available research into USB removable storage device artifacts on Windows systems many, many moons ago, and since then, I'd have to say that it's probably the most popular and most asked-about set of artifacts...and maybe even one of the most misunderstood.

6 comments:

KP said...

It's quite funny how some people assume a certification automatically equals more knowledge than the great unwashed uncertified masses.

cutaway said...

Harlan,

Are you even a certified blogger? I bet your blog isn't even PCI compliant either!!

Cutaway

Anonymous said...

Yes, that was an ignorant comment by that person, "not certified!". You have written two books on Windows Forensics for crying out loud. I'll take that any day.
Keep up the good work.

Keydet89 said...

Well, to be honest, writing books means absolutely nothing...at least, in my mind. I've seen some pretty crappy books out there, but I still have to give the authors their props for taking the time and effort to put it out there. Some folks appear to feel that a certification is more important, and that's fine. The email reminded me of my favorite superhero, IronyMan (ie, Cory Altheide).

Cory said...

Nice picture of that Altheide dork, what a filthy hippie.

Keydet89 said...

No kidding...you should see when he scratches his belly...and whatnot.