Monday, September 17, 2018

IWS is out!

My latest book, Investigating Windows Systems (Amazon, Elsevier) is out, and it seems that some have already received their ordered copies.  Very cool.  For anyone who's ordered a copy, I thank you and I hope you find some value in it.

I've blogged about the book several times (beginning here) since I started writing it, and I wanted to take a moment, now that it's out, to maybe clear up what may be some misconceptions about the book, because this book isn't at all like any of my previous books.

My goal in writing the book was to demonstrate the analysis process, and provide the analysis decisions I made during that process.  I wanted to write a book like this, because as with my other books, I hadn't seen anything out there (blogs, books, etc.) that provided something similar.  When I've had time to reflect on and look back over my own analysis engagements, this is something that has interested and fascinated me.  It's also made its way into conversations, but has also been something that has proven difficult when engaging with others; that is, understanding what led a particular analyst down a particular investigative route, to choose a particular tool, or to pivot on a particular artifact or piece of data.

As such, this book does not cover things like the basic usage of the mentioned or described tools, as these topics have been covered before, and anyone can look the usage up.  Also, the very basics of constructing a timeline are not addressed, as that topic has been covered extensively in other resources.

While writing the book, I used available images from several online sources (and with permission) as a backdrop against which to demonstrate the analysis process, as well as to illustrate the analysis decisions made during that process.

What the book is not is a walk-through of each CTF or forensic challenge employed.  That is to say, when engaging in analysis of a particular image, I do not simply walk through the posted challenge.  There's nothing wrong with the posted challenges at all, and most of the ones I've seen are quite good.  However, in two decades of performing DFIR work, I have yet to engage with a client that had 37 questions they wanted me to answer. I wanted to present the analysis based on (in my experience) as close to real world engagements as I could.

As I said, I used available images as the basis for the analysis I was performing.  I did this intentionally, as it provides an opportunity for the reader to follow along, or to try their own hand at analyzing the images.  The images range from Windows XP to Windows 7 and 10, and there's even a Windows 2008 image in there, as well. 

In addition, the tools used in the book are all free and open source tools.  The reason for this was two-fold; first, I wanted readers to see (as much as possible) and understand what was being done, so that when it came time to decide upon a commercial forensic suite to use, they could make better educated decisions.  Second, being just one person, I do not have access to commercial forensic suites.  The same goes for the images used; I do not have access to MSDN, nor other compromised images, and decided to make use (again, with permission) of what was available.

For anyone who purchased the book, thank you.  I hope you find value in it, enough so that you opt to write a review, or simply provide feedback.  Thanks.

No comments: