Tuesday, October 04, 2005

Book Report

I haven't blogged in a while, and I came across something worth blogging about. While I don't have the actual numbers in front of me, I've received word from my publisher that my book has only shipped 3500 copies domestically since it was published in July, 2004. From the numbers I received in April of this year, 3055 of those copies were in the first couple of months.

So what does this mean? I have no idea at this point, other than it doesn't seem to be enough to justify another book. That's right...given all the material I've produced in the 15 or so months since the first book was published, I've already started putting another book together - an advanced version of the first one, with more technical, detailed information.

The last bit I got from the publisher is that it's up to me to find out what you, the readers, want in another book in order to get the final, published product to move off of the shelves. From what you've told me so far, it just about amounts to incident response war stories, case studies, and maybe even challenges you can work through. All that I can do...but again, it really doesn't sound promising.

I guess I need to start looking around for another avenue for publication. Fortunately, I got one good pointer at lunch today that I need to follow up on...

Addendum 5 Oct: I thought maybe I should give a brief description of what I was looking to provide in the next book. I wasn't planning for my next effort to be a second edition of the first...rather, my thought was to use the first as a stepping stone and launch off into a more advanced effort. I'd like to go more deeply into actual forensic analysis, with the focus being on analysis. Too many times, I've read papers and books that talk about analysis, and for the most part will only go so far as to say "run this tool, and if you see this in the output, something may be amiss..." I'd like to address data correlation and analysis, across the board...use multiple sources of information (i.e., file system, Registry, Event Log, etc.) to build out as complete a view of the issue as possible. I think that the best way to do that is to present the information, and then present examples via live case studies. This book would be interspersed with "war stories", case studies, and examples. I'd also like to include challenges, and exercises for the reader to work. This one would cover both live and post-mortem analysis.

If you've followed this blog, you're familiar with some of what's going to appear in the book...the tools I've released, things I've mentioned here (with more detailed research and analysis) will all be part of the book.

What do you think of something like this? Is this a pipe dream, or is it something you'd like to have on your reference shelf?

4 comments:

Anonymous said...

It sounds like you've got a lot of really good ideas for your next book. It seems that case studies and war stories are popular these days seeing how well the "Stealing the Network" books have done.

Maybe a different title would make the book appeal to more people. Personally, a title like "Windows forensics and Incident Recovery" sounds like a very technical and boring book, but something like "Case Studies and Windows Forensics" or something might catch more search requests?

Anyway, I just found your blog and look forward to reading your past articles.

H. Carvey said...

Thanks for your comments.

How does "Practical Windows Forensic Analysis" sound?

Anonymous said...

Personally I'd rather hear from experience rather than imagination. Something like The Cuckoo's Egg instead of something like Stealing The Network. Either way though it sounds like it's going to offer a whole lot more than a good story so I'd buy it.

-Adam

H. Carvey said...

In all honesty, experience can be boring. The reason for this is because most of the really good, interesting cases can't be discussed...even if they're scoured. In real life, many investigations are keyword searches, etc. Things get interesting when different languages are used.

Some things can be disclosed, others can't. I've linked to some "investigations" here in my blog, for what it's worth.

Rather than a book, what would you think about a course?