Saturday, October 01, 2011

WFA 3/e update

I posted a bit ago on WFA 3/e, and as I get closer to completing rewrites of reviewed chapters and getting the manuscript submitted, I wanted to provide an update of how things have progressed thus far...

I also wanted to talk a little bit more about what this edition is all about.  Specifically, this edition is NOT a follow-on to the second edition; instead, it's a companion book.  That is to say, if you have the second edition on your bookshelf, you will also want to have this edition.  In fact, ideally, you'll have both WFA editions along with Windows Registry Forensics in order to make a complete set.

There have also been a couple of changes, perhaps the biggest one being that I completely rewrote chapter 2; rather than being "Live Response", I retitled it to "Immediate Response" (the need for which was covered in this article by Garry Byers), as the previous topic had been covered to some extent in WFA 2/e, and one of the points of the third edition is to not rehash what's already been covered.  Instead, I wanted to write about the need for organizations that have identified (or been notified) that an incident has occurred within their infrastructure to immediately collect and preserve data, and to do so from the perspective of a third-party consultant/responder.  I think we've seen enough in the media in the last 9 or 10 months to clearly demonstrate that no organization is immune from being compromised; add to that the ethereal nature of "evidence" and you can see why organizations must be ready to begin collecting data as soon as they know that something has happened.  The perspective I wanted to take was that of a responder who gets a call and, after the contract has been negotiated, travels to the site and begins working with the local IT staff to develop an understanding of the infrastructure and the nature of the incident...all while digital evidence continues to expire and fade away.

During the rewrites, I'll be adding some specific information that has developed since specific chapters were originally written.  For example, in chapter 4, I fleshed out information regarding Jump Lists, and I added some additional information to the chapter on Registry Analysis.

Now, there are some things I don't cover in the book.  For example, memory analysis and browser analysis are two of the most notable topics; these are not covered in the book because they are covered elsewhere, and in a much better manner than I could have done.

Finally, with WRF, I started posting the code for the books on my Google Code site, and I will do the same with WFA 3/e.  Throughout the book I mention tools and checklists, and I'll have those posted to the Google Code site before the book is actually published.
