Saturday, July 11, 2009

Windows Registry Forensic Analysis

Based on some comments I received from folks who reviewed WFA 2/e, I am strongly considering writing a book on Windows Registry Forensic Analysis...and I'll probably use that as the title! ;-)

I'm working on a proposal now, and one of the things I'm doing is including those things from previous books that have been successful...in particular, writing style, use of demonstrations, short case studies, and generally trying to show how this information can be used to further an investigation. My goal is to be a thorough as possible, providing information on format and structure, how to monitor the Registry, and provide as much information as I can with respect to keys and values that are (should be) of interest for examinations.

One of the issues I'm sure I'll run into is that same one I've run into with respect to WFA 2/e...there are folks out there who expect certain things to be in the book, but don't (a) realize that I can't do everything without assistance, or (b) don't voice that expectation until after the book is published.

So, here's your chance...if you were shopping for a book on Registry Analysis, what would you be looking for with respect to content?

I've already received emails from folks who say that they're looking for information on P2P applications, without saying which ones. There's already information available on a lot of topics such as P2P artifacts, and I understand that part of the problem is that this information isn't all in one place...but the way to make things like this a real success is to get input from folks in the community. As was discussed at the Summit last week, there really hasn't been a great number of requests for plugins or anything over at the RegRipper site...

6 comments:

Craig Ball said...

I'd like to see the book structured to include application scenarios where the Registry data is used to shed light on real world scenarios. To that end, it would be nice to see a balance struck between incident response/intrusion matters and civil lawsuit scenarios.

Great job at the Summit. You were a highlight: http://www.eddupdate.com/2009/07/sans-summit-summary.html

Stacey said...

Harlan,

In regards to topics about registry analysis, I would like to see more information about the Shellbags. There is a lot of helpful information in this area, such as directories viewed from external devices. There is an old tool (Windows Registry Analyzer) that is no longer supported, but has a great capability in browsing the Shellbags. However, there is definitely more development needed in this area. I have tried to do some of my own testing on this, but keep running out of extra time (doesn't everyone?). I'd be happy to help with additional testing of the shellbags area as I get extra time. Anyway, that's one area that I would suggest for the book.

H. Carvey said...

Craig,

I'd like to see the book structured to include application scenarios where the Registry data is used to shed light on real world scenarios.

I do some of that in WFA 2/e...is that what you're referring to?

To that end, it would be nice to see a balance struck between incident response/intrusion matters and civil lawsuit scenarios.

I haven't done any work to support civil lawsuits...could you elaborate?

Stacey,

...I would like to see more information about the Shellbags

So would I. I can't find anything definitive on this topic.

Thanks!

Anonymous said...

Here's another vote for more info on Shellbags. I've asked about these keys on the forums before, and you indicated that you were talking with Allan Hay about revisiting the issue. Any news on that?

H. Carvey said...

Yes, the first question I asked back to Mr. Hay caused everything to fall apart. By that, I mean that the information available from some sources doesn't appear to be consistent with even a limited number of test samples.

PE00 said...

Hi Harlan,

I'm not sure this is the right place to put comments on your book WFA/2e.

As stated at page 318...executing ADS on Vista (an later) returns different results..(does not work anymore when invoked from the CLI or the shell).

BUT, nevertheless, you can copy an executable into an ADS (like in the past, using the prompt, etc..) and start it programmatically!

This works pretty well.

I can post a few lines of code If needed.

Best

Marc Ochsenmeier
www.winitor.net