Tuesday, January 31, 2012

WFA 3/e

Okay, Windows Forensic Analysis 3/e is out and on it's way to those who've already purchased it through Syngress, as well as on it's way to the Amazon distribution centers.

I've posted previously in this blog regarding WFA 3/e (here, and here...).  As I've written each successive book, I've tried (with the help of folks like Jenn Kolde) to improve my writing and approach to the books, not just in the content, but in how the content is presented.  Sometimes, there just isn't enough time to put all that I would want into the book, and other times, you don't become aware of something until after the manuscript for that chapter is sent to the printer.

This post discusses the chapters and what they cover, so if you're wondering whether this is a book you'd be interested in or need, I hope that post (and this one) help convince you.  I'm linking it here again for those folks who want to know...well...what the chapters are and what they cover.  ;-)  Seriously...I think that this is an important factor to address because WFA 3/e does NOT replace the second edition.  In fact, WFA 3/e is a companion book to the second edition.  That's right...the way I wrote the third edition, you will want to have both editions (as well as Windows Registry Forensics) on your bookshelf.  The third edition doesn't address some of those things that haven't changed from the second edition (for example, the PE file format) and covers things that are specific to Windows 7; for example, StickyNotes and Jump Lists.

There are a couple of minor changes.  For example, chapter 2 is now "Immediate Response" (rather than "Live Response"), and focuses on the need for organizations to organically develop some capability for immediate response.  This is necessary, not only because it's mandated by many of the compliance and regulatory guidelines, but because it just makes sense...the sooner you can start the information collection and the quicker you can react, the better off you'll be during an incident.  Also, I was able to do some additional research and coding regarding Jump Lists after I finished writing, so I included some Jump List parsing code in the archive. 

The companion tools for the book can be found here, in "wfa3e.zip".  Now, I've put the tools together in the archive by chapter, and there isn't a lot of explanation. This isn't because I'm lazy (even though I am, in fact, lazy...); rather, it's due to the fact that the tools are discussed in the book.  Now, I know many folks are going to think, "hey, this is just a ploy to drive up the sales of your book!"  This may be an artifact of my decision, but the reason I didn't provide detailed explanations of the tools is simply because I have already spent a considerable amount of time and effort writing about them once, and I don't want to spend a lot of time doing it again.  So, nothing nefarious or mysterious or under-handed about that...and honestly, folks who write books like these don't make a lot of money, anyway.  And, if I were in it for the money, why would I have retweeted Syngress's discount code to get the book for half off, and re-posted that to every social media site for which I have an account?

Also, there are tools mentioned in chapter 4 of the book that you won't find in that folder within the archive.  This is because the tools are also discussed, albeit in a different capacity, in chapter 7 of the book.  You will find the tools in the ch. 7 folder in the archive.

Finally, now that the book is done and the code is available, there are opportunities to continue to develop and expand on much of what's in the book.  There are RegRipper plugins to be written, and new things to develop with respect to timeline creation and analysis.

4 comments:

Brett Shavers said...

WFA 3/e, another good book to have a place on my desk! And on the point with plugin information, it only makes sense to have the book that details the plugins...

Anonymous said...

Mr. Carvey,

I've just bought your new book by Amazon (kindle edition).Honestly, I don't need read it to know that it is an excellent book. Why ? Because your are a sincere and very skilled author.

Actually, I was waiting for your new book to complement the previous one with Windows 7 information.

I'm sure you will have much success again with this new book and I believe you deserve it.

Someday, if you want to, you are welcome to Brazil (next World Cup and Olympic Games). I think that IT professionals of my country (includes me) need to learn much more of Digital Forensics.

I've looked your email address up in everywhere, but I didn't found it to send this messages.

Have a nice day and, once more, congratulations.

Alexandre Borges.

linkedin: http://br.linkedin.com/in/aleborges

email: alex_sun@terra.com.br

Unknown said...

Harlan,
Received my copy of WFA 3/e today and grabbed the code off the WFA project page. Looking forward to reading it. At first look, it seems to be organized similar to WRF, which I like. I'll definitely post a review. Thank you for writing what appears to be another great companion to my DFIR library!

H. Carvey said...

Brad,

Thanks. If you do choose to write a review, I would greatly appreciate you thoughts on the content of the book.

Thanks.