Some of the topics I've been tossing around include:
- Log analysis - This includes Event Logs, primarily, but will also include IIS, PortReporter, etc.
- Registry Mining - Mining for "gold" in the Registry; this is extremely useful for both "live" analysis (admins can do so remotely with simple tools, or during incident response), as well as during forensic analysis of imaged drives.
- Malware Analysis for the Administrator - A detailed look at how to go about figuring out what that suspicious file does, with walk-throughs, caveats, gotchas, etc.
In this book, I would include more detailed walk-throughs, more case studies, more code and examples, etc.
How does this sound? What other topics could/should I address (keeping in mind that this is Windows-specific)? What are some of the topics of interest, the kinds of things that keep you awake at night, that scare the bejebbers out of you? Drop me a comment here, or email me...
I think logs are one of the most obvious IR tools to use, however many people on MS boxes either only go to them when they have exhausted other options or forget about them altogether. I myself used to be of the former.
I have since seen the error in my ways but there is still far too much noise in there and I feel this drives others away. I do like the Windows Logging Blog and have implemented some of the suggestions, but they just aren't like Unix logs as far as being able to glean information immediately about what you are looking for. Maybe for others it is easier than that, but I know I am not the only one who feels this way.
I also think malware analysis is a great idea. There are few things better than loading up your trusty virtual machine and throttling it with some unknown apps/malware.
I'd like to see more on logs. I was also in Brandon's shoes. Since then, I've been using LogParser 2.2 from MS to dump my logs into a SQL database and remove some of the noise. Turns 20k/day of logs into 400 which is much more manageable.
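As an added illustration of the approach the commenter describes (this is not the commenter's own setup or the post's code): LogParser 2.2 loads the local Security log into a SQL table, then a GROUP BY over the same log shows which (EventID, SourceName) pairs make up most of the volume, so the noisy ones can be excluded before review. Server, database and table names, and the event IDs treated as noise, are assumed placeholders.

```powershell
# Added example. LogParser.exe (2.2) is assumed to be on the PATH and the
# script to run with rights to read the Security log. All names below are
# placeholders for this illustration.
$server   = 'SQLSRV01'        # assumed SQL Server host
$database = 'EventLogs'       # assumed database
$table    = 'SecurityEvents'  # assumed table; -createTable:ON creates it

# 1. Bulk-load the Security log into SQL so it can be queried and kept.
$loadQuery = "SELECT TimeGenerated, EventID, SourceName, ComputerName, SID, Strings, Message " +
             "INTO $table FROM Security"
& LogParser.exe $loadQuery -i:EVT -o:SQL -server:$server -database:$database -createTable:ON

# 2. Find the noise: count events per (EventID, SourceName), largest first.
#    -rtp:-1 prints every row instead of paging.
$summaryQuery = "SELECT EventID, SourceName, COUNT(*) AS Hits FROM Security " +
                "GROUP BY EventID, SourceName ORDER BY Hits DESC"
& LogParser.exe $summaryQuery -i:EVT -o:NAT -rtp:-1

# 3. Review with the identified noise excluded. The IDs here (538/540,
#    logoff/network logon on older Windows) are only an assumed example;
#    substitute whatever step 2 showed dominates your own log.
#    Note LogParser separates IN-list values with semicolons.
$filteredQuery = "SELECT TimeGenerated, EventID, SourceName, Message FROM Security " +
                 "WHERE EventID NOT IN (538; 540) ORDER BY TimeGenerated"
& LogParser.exe $filteredQuery -i:EVT -o:NAT -rtp:-1
```

Run step 2 against the SQL table (FROM $table with -i:SQL is not needed; query the database with your usual client) once the load is in place, so the baseline of "normal" volume per source can be tracked over time rather than recomputed from the live log.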
I really enjoyed the first book and would be interested in more advanced versions of the first book.
Would also be interested in covert channels, stego, malware analysis, and IPv6
Thanks for the comments, guys.
Reducing noise in and getting more from your logs is definitely important, and I'm glad to see that someone's interested in this topic.
Chris, covert channels, stego, and IPv6 really fall outside the scope of the first book, and any follow-ons. I mentioned stego in the first book, only to point it out...there are other books out there that cover it in much more detail.
Again...thanks for the comments.