Friday, October 16, 2009

Book news and Registry research

I've recently exchanged a number of emails with my editor at Syngress, and opted to put off working on a book on Registry analysis until next year.

Well, more accurately, I won't be submitting a manuscript until after the summer of 2010. One reason for this is because I want to have the time to really dig into the Windows 7 Registry and do some in-depth analysis (and thoroughly document it) to be included in the book. I also need to refine some of the updates I have planned for RegRipper and that set of tools.

However, there were other reasons for putting this project off, as well. I submitted my proposal for the book, and got back almost a dozen reviews...all anonymous. Many of the comments were interesting, but one of the common threads throughout the reviews was a need to compare commercial tools. Sadly, this isn't something I have access to...while some vendors have offered me trial versions of their tools, this hasn't been the case with tools that deal with the Registry. I simply don't have access to such tools. Further, these tools are largely just Registry viewers, and don't offer the same sort of functionality or flexibility as RegRipper. I'm not sure, but this may end up being the biggest obstacle to the book.

Finally, I have to come up with a way to present the information I have and develop in the book without making it just a big, long, boring list of Registry keys and values. That'll take some time to develop...

11 comments:

Jesse said...

I would prefer that you delay the book and get it up-to-date rather than put out a book too soon only to have to put out another edition within a few months.

As for commercial tools, I'm honestly up in the air on that. It would be good to have a review of them, but my company doesn't want to fork over the budget for more people, much less a tool that may or may not help. Free tools/scripts are more acceptable, and theory, methodology, or good practices are much more appreciated.

Either way I haven't found a book of yours that I didn't enjoy.

H. Carvey said...

Jesse,

Thanks. Like I said, the biggest impediments to reviewing commercial tools are (a) I don't have access to them, and (b) there really aren't any commercial tools that compare to RegRipper...

Ken Pryor said...

From the standpoint of having time to review Win 7, I agree with your decision to delay the book. May as well have time to really dig into it before embarking on a new book. I'll be interested to learn what you find.

However, regarding the commercial tools, I have a different opinion than some. I'm far more interested in learning the guts of the registry than I am in learning about the commercial tools. The book and the scripts you write teach what we should know about how our commercial tools do what they do. I'd prefer leaving it to the tool creators to teach about their software instead of having you try to put info about each of them in a single book.

Trying to learn several different tools and cover them would lead to it being too diluted from the point of the book. I think far less would be gained by turning it into a commercial tool review/comparison.

I say, stick to covering the registry itself and let the tool developers worry about promoting/teaching their software. Your insight into the registry alone is well worth the price of any book. I should be able to depend on my tool vendor to tell me how their specific tool functions.
KP

H. Carvey said...

Ken,

My thoughts, exactly.

Anonymous said...

I think it could be nice if you add a chapter about the Perl module Win32-TieRegistry and how to use it as a forensics tool.

H. Carvey said...

Anonymous,

Interesting idea...what beyond what's in "Perl Scripting for Windows Security" would you like to see? Can you elaborate just a bit on what else you think should be presented or discussed? Thanks.

Anonymous said...

Also, you can add a deep explanation/chapter of this Perl module Parse::Win32Registry and what can be done with it.

Or introduce both Parse::Win32Registry and Parse::Win32Registry in one detailed chapter.

I think covering commercial tools and comparing them is not so effective; those kinds of tools change every week, but covering the internals of the registry and giving the people a developing tools to develop their tools could be more effective.

Also, regarding the book Perl Scripting for Windows Security: it's a good book, but it's not organized as it should be. I think if this book were organized around explaining the modules and the code it could help more, and there is a lack of some famous Perl modules used in Windows security like Net::Pcap. If version 2 could be thicker and more detailed, and include new topics like automating debugging with OllyPerl and a pen testing chapter, it could be nice.

H. Carvey said...

Anonymous,

Thanks for the comment, but I'm going to need some clarification...

Also, you can add a deep explanation/chapter of this Perl module Parse::Win32Registry and what can be done with it.

What can be done with it is to access raw hive files in an object-oriented manner. I'm not sure I want to reprint the author's documentation simply because someone doesn't want to read it on their own.

Please clarify what you're looking for, if you would.

Or introduce both Parse::Win32Registry and Parse::Win32Registry in one detailed chapter.

I'm sorry, I don't follow at all...you've listed the same module twice.

...and giving the people a developing tools to develop their tools could be more effective.

I'm sorry, I don't follow this at all...can you clarify?

As far as a second edition, you're asking for a lot of things that I don't have much familiarity with...I haven't used OllyPerl at all. Perhaps you could address those comments to the publisher; Perl Scripting for Windows Security actually includes input from another author besides myself...

Thanks again for your comments.

Anonymous said...

Hi again Harlan,

It was my mistake, I didn't explain myself well.

I meant if you add a chapter explaining both Parse::Win32Registry and Win32-TieRegistry, the difference between them and how to use them to develop open-source forensics tools, it could be more effective than explaining commercial tools.

H. Carvey said...

Anonymous,

Thanks.

The short story is that Win32::ParseRegistry is used for accessing hives that are not "active", while Win32::TieRegistry is used to access hives that are "active".

I hope that helps for now...
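As an added example that is not the post's own code or RegRipper's, a short Perl script that shows the split described above: Parse::Win32Registry (the CPAN name of the module) parses a key straight out of an offline hive file on any platform, while the Windows-only branch reads the same key from the live Registry through Win32::TieRegistry. The hive path is taken from the command line and the key path is an assumed example.

```perl
#!/usr/bin/perl
# Added example, not code from the post or from RegRipper: read one key from
# an offline ("not active") hive with Parse::Win32Registry, then the same key
# from the live ("active") Registry with Win32::TieRegistry on Windows.
# The key path below is an assumed example, not anything from the post.
use strict;
use warnings;
use Parse::Win32Registry;

my $hive_file = shift @ARGV
    or die "usage: $0 <offline SOFTWARE hive>\n";
my $key_path = 'Microsoft\Windows NT\CurrentVersion';    # relative to root key

# Offline hive: the file is parsed directly, with no Windows API involved,
# so this runs on any platform against an exported or imaged hive.
my $registry = Parse::Win32Registry->new($hive_file)
    or die "$hive_file does not parse as a Registry hive\n";
my $root = $registry->get_root_key
    or die "No root key found in $hive_file\n";
my $key = $root->get_subkey($key_path)
    or die "Key $key_path not found in $hive_file\n";

# The key's LastWrite time is the timeline data RegRipper-style plugins report.
printf "%s\nLastWrite: %s\n", $key->get_path, $key->get_timestamp_as_string;
foreach my $value ($key->get_list_of_values) {
    printf "  %-28s %-12s %s\n", $value->get_name || '(Default)',
        $value->get_type_as_string, $value->get_data_as_string;
}

# Live Registry: only meaningful on Windows, where Win32::TieRegistry wraps
# the Win32 API. In the tied hash a trailing delimiter ("\") names a key.
if ($^O eq 'MSWin32') {
    require Win32::TieRegistry;
    my $live = $Win32::TieRegistry::Registry->{"HKEY_LOCAL_MACHINE\\SOFTWARE\\$key_path\\"}
        or die "Live key $key_path not readable: $^E\n";
    print "\nLive Registry:\n";
    foreach my $name ($live->ValueNames) {
        my ($data, $type) = $live->GetValue($name);    # $type is a REG_* number
        printf "  %-28s type %-4s %s\n", $name || '(Default)', $type, $data;
    }
}
```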

H. Carvey said...

Also, just a quick addition...

I am just one person, and as such, do not have access to the commercial tools. I have tried reaching out to AccessData, for example, and have been told that they cannot provide me with a temporary license, even one to simply test the Registry Viewer and compare/contrast with RegRipper.

So it would appear that such things will not be possible, so they are not addressed in the ToC and will not be addressed in the book. I know that my publisher had 7 reviewers for my proposal...all anonymous...and while every one of them said I should include some discussion of the commercial tools, not one was willing to provide access to same.