Monday, June 20, 2016

New Book

So, yeah...I'm working on another book (go figure, right?).  This one is different than the previous books I've written; rather than listing the various artifacts available within an acquired image, the purpose of this book is to provide a walk-through of the investigative process, illustrate how the various artifacts can be used to complete analysis, and more importantly, illustrate and describe the various decisions made throughout the course of the examination.  The focus of this book is the process, and all along the way, various "analysis decisions" will be highlighted and detailed.

The current table of contents, with a short description of each chapter, is as follows:

Chapter 1 - Introduction
Introduction to the core concepts that I'll be reinforcing throughout the remaining chapters of the book, including documentation (eeewww, I know, right?).

Chapter 2 - Malware Detection Scenarios
In Ch 2, there are two malware detection scenarios.  Again, these are detection scenarios, not analysis scenarios.  I will discuss somethings that an analyst can do in order to move the analysis along, documenting and confirming the malware that they found, but there are plenty of resources available that discuss malware analysis in much greater detail. One of the analysis scenarios that I've seen a great deal of during my time as a DFIR analyst has been, "...we don't for sure, but we think that this system may have malware on it..."; as such I thought that this would be a great scenario to present.

In this chapter, I will be walking through the analysis process for two scenarios, one using a WinXP image that's available online, the other using a Win7 image that's available online.  That way, when reading the book, you can download a copy of the image (if you choose to do so) and follow along with the analysis process.  However, the process will be detailed enough that you won't have to have the image available to follow along.

Chapter 3 - User Activity Scenarios
This chapter addresses tracking user activity during an examination, determining/following the actions that a user took while logged into the system.  Of course, a "user" can also be an intruder who has either compromised an account, or created one that they're now using.

As with chapter 2, I'll be walking through two scenarios, one using a WinXP image, the other using a Win7 image, both of which are available online.

The purpose of chapters 2 and 3 is to illustrate the end-to-end analysis process; its not about this tool or that tool, its about the overall process.  Throughout the scenarios, I will be presenting analysis decisions that are made, describing why I decided to go a certain direction, and illustrating what the various findings mean to the overall analysis.

Chapter 4 - Setting up and using a test environment
Many times, an analyst may need to test a hypothesis in order to confirm (or deny) the creation of an artifact or indicator.  Or, the analyst may opted to test malware or malicious documents to determine what occurred on the system, and to illustrate what the user saw, and what actions the user had to have taken.  In this chapter, we'll walk through setting up a virtual environment that would allow the analyst to test such things.

This may seem like a pretty obvious chapter to many...hey, this sort of thing is covered in a lot of other resources, right?  Well, something I see a great deal of, even today, is that these virtual testing environments are not instrumented in a way that provides sufficient detail to allow the analyst to then collect intelligence, or propagate protection mechanisms through their environment.

This chapter is not about booting an image.  There are plenty of resources out there that address this topic, covering a variety of formats (i.e., "...what if I have an *.E01 image, not a raw/dd image...?").

Chapter 5 - RTFM for DFIR
If you're familiar with the Red Team Field Manual, chapter 5 will be a DFIR version of this manual.  Like RTFM, there will not be detailed explanations of the various tools; the assumption is made that you (a) already know about the tool, or (b) will put in the effort to go find out about the tool.  In fact, (b) is relatively easy...sometimes just typing the name of the CLI tool at the prompt, or typing the name followed by "/?", "-h", or "--help" is all you really need to do to get a description of the tool, its syntax, and maybe even example command lines illustrating how to use the tool.

Okay, so, yeah...I know that this is a bit different from the way I've done things in the past...most often I've just posted that the book was available.  With my last book, I had a "contest" to get submissions for the book...ultimately, I just got one single submission.

The reason I am posting this is due to this post from the ThisWeekIn4n6 blog, specifically this statement...

My only comment on this article is that maybe he could be slightly more transparent with how he’s going in the book writing process. I recall seeing a couple of posts about the competition, and then the next one was that he had completed the book. Unfortunately I missed the boat in passing on some research into the SAM file (by several months) however Harlan posted about it here.
With that in mind, I imagine he will be working on an update to Windows Forensic Analysis to cover some additional Windows 10 artifacts (and potentially further updates to other versions). Maybe a call out (yes, I know these haven’t been super successful in the past; maybe a call out to specific people? Or universities?)....

With respect to the Windows Registry Forensics book, I thought I was entirely "transparent"...I asked for assistance, and in the course of time...not just to the "end" of the contest time limit, but throughout the rest of the time I was writing the book...I received a single submission.

The "Ask"
Throughout the entire time that I've written books, the one recurring question that comes up over and over again is, "...does it cover Windows ?"  Ever time the question is asked, I have the same, because I don't have access to that version of Windows.

This time, in an attempt to head off those questions, I'm putting out a request to the DFIR community at large.  Specifically, if you have access to an image of a Windows 10 system (or to an image of any of the server versions of Windows after 2003) that have been compromised in some manner (i.e., malware, unauthorized access, etc.), and are worth of investigation, can you share them?  The images I'm using in this book are already available online, and I'm not asking that these images also be available online; if you don't mind sharing a copy of the images with me, I will walk through the analysis and include it in the book, and I will destroy/return the images after I'm done with them, whichever you would like.  

Anyone who shares an image of a Windows server version beyond (not including) Windows 2003, or an image of a Windows 10 system, for which I can include the analysis of that image in my book will receive a free, signed (yes, by me...) copy of the book once it comes out.

Addendum: Something that I wanted to add for clarity...I do not have, nor do I have access to, any system (or an image thereof) running Cortana, or anything special.  The laptop that I write the books (and blog posts) from is a Dell Latitude E6510.  My point is that if you have questions such as, "what are the artifacts of someone using Cortana?" or of any other application specific to Windows 10, please understand that I do not have unlimited access to all types of equipment.  This is why I made the request I did in this blog post.


B!n@ry said...

Good luck Harlan, hope it comes out as you want.

Expect an email from me very soon in reference to this post ;)


burro said...

harlan hello ... we can work on the translation into Spanish for the Latin American market your book. we are forensic experts in Argentina. We have even developed a data analysis tool that fits well in your book on forensic analysis with opensource tools. do you think of it?

Bruno Constanzo said...

How can I get in touch? I'm interested in seeing if I can help in any way with this.

Harlan Carvey said...


Thanks for the email.


"we can work on the translation into Spanish for the Latin American market your book."

I appreciate that, but that's not up to need to contact the publisher for that. They own the rights, and handle things like foreign language translations.


Email works fine...keydet89 at yahoo dot com.

Do you have images such as I've requested available?


Daniel G said...

Hi Harlan,
Would the images requested needed only be from actual incidents or can they be from simulated incidents? Reason I ask is I am getting ready to make some demos for my own training purposes and possibly a blog post using adversary tactics. I have access to win 7 to 10, server 2003 to 2012 and can provide either an image of the virtual disk or live response package. Besides this if there's any other way I can help I am open to it. Thanks

Harlan Carvey said...


Would the images requested needed only be from actual incidents or can they be from simulated incidents?

Simulated would be fine. Thanks.

Chunduru Eswara Sai Prasad said...

I am having an issue and I request your help. I am working on an image of a HDD. The registry analysis shows the last shutdown date and time as 15th July 2013 18:11 Hrs IST. The agency wants to know any files have been accessed after the shutdown date and time. I have analysed the registry last write times, event logs, $MFT parsed entries. Every where I found the MAC timings are with in the last shutdown date and time. In link files I observed two .doc files having last accessed and last written timings later to shutdown time with a gap of 39 minutes. These link files indicate they are not resident of this disk. Surprisingly no reference of the volume serial number/volume name in the parsed USB list. Another link file related to googlesync.exe native to this disk also has last accessed and last written timings later to last shutdown time with a gap of 50 minutes.
Now I am in jig to conclude whether the disk was accessed after last shutdown date and time or otherwise.
if so how otherwise why this time anamoly in link files.
Please help me.

Harlan Carvey said...


An email would've been a bit better (keydet89 at yahoo dot com); nonetheless, I'll try to answer your question here the best I can...

First, I think it would help to understand what version of Windows you're looking at, as not all versions of Windows update the file system last access times as a result of user activity.

Did you happen to review the time stamps in the $FILE_NAME attributes in the MFT entries for the .lnk files in question?

I think that at this time, there are simply too many unknowns to even attempt to provide an answer...