Saturday, December 05, 2015

WRF 2/e

As 2015 draws to a close, so does my work on "Windows Registry Forensics, 2/e".  My schedule has the manuscript completed just before the end of the year, and from what I've seen, the book itself is supposed to be available in April, 2016.  As it is, I got the final material in to the publisher yesterday, three weeks ahead of schedule.

Note: The OFFICIAL (re: ONLY) location of RegRipper is the GitHub repository.  Do not send me emails about the Google Code site, or about the Wordpress page. Please stop referring to the Wordpress site, and please stop referring others (i.e., your students) to the site.

Goals
What I hoped to do with this edition is spend much less time focused on the basics of the Registry (where the files are located) and how to extract data from the Registry, and spend more time on data interpretation.  I retained the basic material, as I think it's important to have that foundation before proceeding, but in chapters 3 and 4, I wanted to spend more real estate talking about how the available data needs to be interpreted correctly.

What it is
The second edition is a significant (albeit not complete) rewrite of the first edition.  Some of the material remains the same because quite frankly, it doesn't change.  There's some new stuff in there (new keys/values, AmCache.hve, etc.), and some stuff has been updated.

There is some discussion that includes new versions of Windows, and there are examples specific to Windows 8, 8.1, and 10.

In this edition, I separated various Registry artifacts by category, in hopes that it would be easier to follow, or visualize.  We'll see...

Throughout the book, as with my other books, I've used examples of how Registry analysis has had a significant impact on the analysis I've done.  Unfortunately, most of the stories are from analysis I've done.  Prior to starting the book, I held an online contest to see if folks from the community would be willing to send in little stories and vignettes about how Registry analysis had impacted their analysis; I offered a free copy of the book, once it was published, for any and all submissions that appeared in the book.  I got one submission.

There is more content in this book that discusses using RegRipper.  In fact, there's an entire chapter just on RegRipper.

There is discussion of "new" plugins that I've written and added to the GitHub repository.  In fact, here's a blog post that describes a couple of the ones I wrote and added to the repository; these plugins are meant to be run intentionally, and I did not add them to any of the profiles.

Speaking of new plugins, I'd like to ask that if you have a question about RegRipper, please do not post it to a forum first...because doing that makes it likely that you won't get an answer.  Here's an example of a blog post where someone decided that RegRipper didn't do something, and instead of asking about it, just announced it.  If there is something you'd like RegRipper to be capable of, please feel free to reach out to me first...most times that results in RegRipper being able to do just that, usually within a few hours.

What it is NOT
This edition is NOT a complete compendium of all possible Registry keys and values that may be of interest to an analyst, in part because...quite simply...I don't know everything.  

I did not address all devices that contain Windows Registry hives, for the simple reason that I could not...I do not have access to Windows phones or other devices that include hives.  I do get those questions (i.e., "What about Registry files from ....?"), so I thought I'd just go ahead and answer them ahead of time.

As for the rest of the questions, like, "...did you cover this?", and "...did you talk about this?", you're SOL and missed your chance to get it included in the book, my friend...sorry.

What's next?
I've been thinking for some time now about a scanner, where I'd be able to point the tool at a mounted image or shadow volume, make a couple of simple choices, and have the tool spit out the data.  I like the idea of basing this on artifact categories and an analysis matrix.

Resources
InfoSecInstitute - Registry Forensics

1 comment:

Corey Harrell said...

Congrats on the achievement of publishing another book. I can only imagine how much time and research goes into preparing and then writing a book. At times doing a basic blog post can be very consuming and this is nothing compared to what a book entails.

I like that you are presenting the registry information using categories. Grouping artifacts by categories and then analyzing them in this manner is an effective way to perform an analysis. I'm looking forward to checking it out once it is released.