Windows Forensics and Incident Recovery
: Covers the ins and outs of forensics on Windows systems
: Only covers Windows systems.
: Great addition to the forensic investigator's library.
Every attack on a computer system leaves a trace behind, no matter what an attacker might do to cover their tracks. An attacker can also hide data on the system to use later as a back door. Forensics, in part, is about uncovering evidence of this activity.
There are numerous ways of hiding data, and the book goes into detail about just how this is done once a device has been compromised. Knowing how data is hidden should make it possible to develop strategies to detect it, and the book shows the reader simple steps for finding out whether a system contains hidden files.
The author has included a Perl script that performs analysis on file signatures to ascertain whether a file has been tampered with. It starts with the basics, such as file times and when a file was last accessed, and goes on to look at how the registry can be used to hide data, and at programs such as Hydan, which use redundancy in the instruction set to hide data by changing, for example, "add 1" to "subtract -1". The book cannot go into much detail about the various ways and means of hiding and discovering data, but it is a good jumping-off point for the reader to do further research of their own.
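The file-signature check the review describes compares what a file's name claims with what its first bytes actually are. The script below is an added illustration of that idea in Python; it is not the book's Perl script, and the magic-byte table and the sample files are constructed for the example.

```python
import os

# Constructed table of well-known magic bytes (leading signatures) per extension.
# A real tool would carry a far larger table; this is enough to show the technique.
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
    ".exe": [b"MZ"],
}


def identify(header):
    """Return the extensions whose signature matches the start of `header`."""
    return [ext for ext, sigs in MAGIC.items()
            if any(header.startswith(sig) for sig in sigs)]


def classify(filename, header):
    """Compare the claimed type (extension) with the observed type (magic bytes).

    Returns (verdict, detected_extensions) where verdict is one of:
      "ok"       - the bytes match the extension
      "mismatch" - the bytes identify a different type, or the extension
                   claims a known type whose signature is absent
      "unknown"  - neither the name nor the bytes tell us anything
    """
    ext = os.path.splitext(filename)[1].lower()
    detected = identify(header)
    if ext in detected:
        return "ok", detected
    if detected:                     # content says one thing, name another
        return "mismatch", detected
    if ext in MAGIC:                 # name claims a type we know, bytes disagree
        return "mismatch", detected
    return "unknown", detected


def scan_directory(path, header_len=16):
    """Read the first `header_len` bytes of every regular file under `path`
    and report those whose content does not match their name."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    header = fh.read(header_len)
            except OSError:
                continue
            verdict, detected = classify(name, header)
            if verdict == "mismatch":
                findings.append((full, verdict, detected))
    return findings


# Constructed sample "files": name -> first bytes, as an investigator might see them.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # genuine JPEG
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",     # executable renamed to .txt
    "logo.png": b"GIF89a\x10\x00\x10\x00",          # GIF masquerading as PNG
    "report.pdf": b"hello world\n",                 # claims PDF, no PDF header
    "blob.dat": b"\x00\x01\x02\x03",                # nothing known either way
}


def review_samples():
    """Classify the constructed samples; returns {name: verdict}."""
    return {name: classify(name, header)[0] for name, header in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in review_samples().items():
        print(f"{name:12s} {verdict}")
```

`scan_directory` is the form you would run on a mounted image; the in-memory samples exist only so the logic can be exercised without touching a disk. Note that a matching signature only proves the file starts like that type, so this check finds naive renaming and some overwritten headers, not every form of hiding the book covers.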
Later on, after the groundwork of the first three chapters, the author sets out a framework for a methodology to be used in the forensic investigation of a Windows machine.
Bizarrely, in chapter six there is a dream sequence where the main character, network administrator Andy, has to develop a forensic methodology following a network incident. This is a clever way of showing the reader how to come up with a way of dealing with problems, but we half suspected that the culprit would turn out to be Bobby Ewing in the shower.
Other than that, this is a very useful book to add to the library of anyone wanting to understand forensic investigation of computer systems. What would be useful now is for the author to follow up this book with one based on Linux.