Monday, May 02, 2016

Thoughts on Books and Book Writing

The new book has been out for a couple of weeks now, and already there are two customer reviews (many thanks to Daniel Garcia and Amazon Customer for their reviews).  Daniel also wrote a more extensive review of the book on his blog, found here.  Daniel, thanks for the extensive work in reading and then writing about the book, I greatly appreciate it.

Here's my take on what the book covers...not a review, just a description of the book itself for those who may have questions.

Does it cover ... ?
One question I get every time a book is released is, "Does it cover changes to ?"  I got that with all of the Windows Forensic Analysis books, and I got it when the first edition of this book was released ("Does it cover changes in Windows 7?").  In fact, I got that question from someone at a conference I was speaking at recently.  I thought that was pretty odd, as most often these questions are posted to public forums, and I don't see them.  As such, I thought I'd try to address the question here, so that maybe people could see my reasoning, and ask questions that way.

What I try to do with the books is address an analysis process, and perhaps show different ways that Registry data can be incorporated into the overall analysis plan.  Here's a really good example of how incorporating Registry data into an analysis process worked out FTW.  But that's just one, and a recent one...the book is full of other examples of how I've incorporated Registry data into an examination, and how doing so has been extremely valuable.

One of the things I wanted to do with this book was not just talk about how I have used Registry data in my analysis, but illustrate how others have done so, as well.  As such, I set up a contest, asking people to send me short write-ups regarding how they've used Registry analysis in their case work.  I thought it would be great to get different perspectives, and illustrate how others across the industry were doing this sort of work.  I got a single submission.

My point is simply this...there really is no suitable forum (online, book, etc.) or means by which to address every change that can occur in the Registry.  I'm not just talking about between versions of Windows...sometimes, it's simply the passage of time that leads to some change creeping into the operating system.  For example, take this blog post that's less than a year old...Yogesh found a value beneath a Registry key that contains the SSID of a wireless network.  With the operating system alone, there will be changes along the way, possibly a great many.  Add to that applications, and you'll get a whole new level of...how would that be maintained?  As a list?  Where would it be maintained?

As such, what I've tried to do in the book is share some thoughts on artifact categories and the analysis process, in hopes that the analysis process itself would cast a wide enough net to pick up things that may have changed between versions of Windows, or simply not been discussed (or not discussed at great length) previously.

Book Writing
Sometimes, I think about why I write books; what's my reason or motivation for writing the books that I write?  I ask this question of myself, usually when starting a new book, or following a break after finishing a book.

I guess the biggest reason is that when I first started looking around for resources that covered DFIR work and topics specific to Windows systems, there really weren't any...at least, not any that I wanted to use/own.  Some of those that were available were very general, and with few exceptions, you could replace "Windows" with "Linux" and have the same book.  As such, I set out to write a book that I wanted to use, something I would refer to...and specifically with respect to the Windows Registry Forensics books, I still do.  In fact, almost everything that remained the same between the two editions did so because I still use it, and find it to be extremely valuable reference material.

So, while I wish that those interested in something particular in a book, like covering "changes to the Registry in ", would describe the changes that they're referring to before the book goes to the publisher, that simply hasn't been the case.  I have reached out to the community because I honestly believe that folks have good ideas, and that a book that includes something one person finds interesting will surely be of interest to someone else.  However, the result has been...well, you know where I'm going with this.  Regardless, as long as I have ideas and feel like writing, I will.


Brett Shavers said...

You hit the nail on the head with "reason or motivation for writing" being writing about something that is needed to be written but not yet has been. I completely agree. The books I wrote were for the same reason. They are books that I would have bought if someone else had written them first.

Keep having ideas. Keep writing. I'll keep reading (and writing too).

randomaccess said...

maybe I missed it, but did you post how you were going with WRF? I remember seeing the contest and then the next post was that you'd finished it early?
Maybe as an idea you can provide updates on how your next book (I'm assuming) is going when you're writing it, and where you're stuck.
Asking for volunteers to provide specific assistance may provide more results (ie a call out on twitter for some Windows X hives to compare say comdlg or shellbags etc to see if anything has changed).
I guess I'm thinking of you moving into a mentoring role to get the community moving in the direction you're taking us anyways with your books.

Daniel G said...

No problem ;) thanks and keep on blogging and writing books. I use your books and others as reference and they have definitely helped on casework.

Harlan Carvey said...

"...did you post how you were going with WRF?"

I talked about the issue I see with book writing on 20 Oct 2014; three days later, I posted about the contest.

I don't usually convey any sort of status regarding the book, as there are all sorts of opportunities for the community to provide input. There's the proposal review stage, and in the case of the WRF 2/e book, I did ask several times for input, including specific input (i.e., the contest).

Honestly, I'm not sure how asking for specific input is going to be any different. I might reconsider if, when I have asked for input previously, folks had said, "...hey, we need something a little more specific." Over the years, there's a significant reticence amongst the community to provide any kind of support at all.

"... I'm thinking of you moving into a mentoring role..."

I'm not sure how that's going to work. Something like that takes two things...someone who wants to mentor (me), and someone who wants to be mentored.

Right now, there's only half of that equation in place.

Harlan Carvey said...

@Daniel G,

"... keep on blogging and writing books..."

Like I've said before, with no input from the community, it's what comes to mind for my use. Keep on blogging...about what? Keep writing books...about what?