| Welcome to vBulletin FAQ |
vBulletin FAQ Navigation
Getting Started
Customizing your vBulletin
Search Engines & SEO
Making Money with a Forum
Promoting your Community
|
| Get your own vBulletin Today |
|
| Webmaster Help |
|
|
|
Windows Forensics and Incident Recovery (Addison-Wesley Microsoft Technology Series)
vBulletin Book Store > vBulletin books beginning with W
|
Windows Forensics and Incident Recovery (Addison-Wesley Microsoft Technology Series) |
Author: Harlan Carvey
Published: 2004-07-31 |
List price: $59.99
Our price: $40.85
|
Usually ships in 24 hours
As of: October 14th, 2008 01:36:56 AM
|
|
|
Customer comments on this selection.
 Over rated.
I'm surprised to see the rate of this book so high. I was expecting it to be much better and more updated. The tools that are used are not new, things that somebody in the security field knows and use for years. I was not happy also to realize that many pages include code listings of perl scripts.
Maybe a nice book for somebody who is starting now in the field of security nothing new for the rest.
Nicolas Krassas CISSP
 Invaluable Resource For Any Windows Admin
About a year ago I was investigating a system to try and determine if it was attacked, as well as when and how if it had been. I wrote for help to a list that I am on and Harlan Carvey responded with detailed and useful information that helped me out.
I asked Carvey at the time if there were a book I could get that would help me learn that stuff and he told me that he didn't want to be cocky per se, but that there really wasn't and that I would have to wait until his book came out. Now that I have it I think I would have to agree.
There are plenty of great books on computer forensics available, but none that go into the depth that Carvey does on the Windows operating system itself. The information he provides regarding how and where Windows hides information is invaluable for finding and recovering from an attack.
Carvey makes extensive use of PERL, rather than using the native Windows Scripting Host (WSH), and he explains that PERL is vastly more flexible and powerful than what Windows has to offer. He provides details for how to install it and the scripts from the book are on the accompanying CD.
I highly recommend this book for ALL Windows system administrators and anyone who investigates incidents on Windows systems.
(...)
An Excellent and Informative Book
I am a nuts and bolts kind of guy and this book suits me to a tee. Harlan covers the topics thoroughly and has added to my knowledge of forensic methodology and shown me new techniques to discover information the many recent versions of the Windows operating system. He has done his homework, mixed it up with lots of coding examples, and even added some dream weaving to illustrate his points.
He lays the groundwork in chapters one, two, and three so that anyone reading the book will be sure to understand his purpose and see the framework that will be used for a methodology for Windows incident response.
Chapters four and five cover incident response. Among the preventative tools mentioned are group policies and configuration options that can be used on a Windows system so it can be configured to effectively take advantage of native security features. One of the topics in this chapter is using and extending Windows File Protection (WFP). A useful suggestion found here is the extension of WFP to protect static pages located on the root of a web site - especially since there are web site defacements occurring all the time. In Chapter five he covers the collection of volatile and non-volatile information. Although there are many tools out there for collection of this information, many well known to forensic examiners, Harlan progresses in a logical sequence and enumerates the pros and cons of each in a very understandable way. There are many examples of command lines, screen shots, and perl scripts to explain the concepts. In chapter 5 there are 47 web links that can be used to research the tools mentioned.
I had never imagined a dream sequence in a book about computer forensics - but there it was in chapter six. We follow in the footsteps of Andy, a network administrator unlucky enough to be the victim of a network incident. Andy develops a methodology to prepare for, contain, and analyze network incidents. We can see the consequences of being unprepared and then follow Andy through the development of this methodology. In hindsight, this was a good teaching tool based on experience and it brings the reader through a logical set of steps so they can start to think about developing their own methodology.
Chapter seven covers what to look for when doing incident investigation. Windows, an operating system where most people use the graphical user interface (GUI), hides many of its internals from the user. This chapter covers the functions of these internals, and locations of data and tools that can be used to discover it. There also is a look at the AFT Windows Rootkit 2003. This rootkit hides itself from the casual investigator. Using the proper tools, this rootkit can be discovered.
Harlan's Forensic Server Project (FSP) is discussed in chapter eight. This project takes the elements discussed earlier in the book and brings them together so that an investigator can adapt and customize to fit the needs of their own investigation. The FSP is not an end to itself, but rather furthers forensic techniques and knowledge with the use of open-source tools and a structured methodology. An additional chapter covers scanners and sniffers that can be used for network forensic investigations.
The investigator will find over 200 links to Internet sites for further exploration. It is a good solid start to an ongoing and exciting project that will evolve and grow now that the solid foundation has been published.
Windows is a complex operating system and the fact that it is used in the majority of computers in the world makes it a tempting target. In the future I would expect that the chapter on rootkits would be expanded. There are several varieties of rootkits in the wild and the forensic community will value any light that can be shown on their operation and malicious functions.
Harlan Carvey's book is a valuable addition to my bookshelf.
Invaluable Reference for Todays Windows Admins
I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring. This is the first computer book that I have read cover to cover in well over 5 years and I have bought a lot of computer books. From the beginning until the end you are bombarded with information that is useful and relevant to today's Windows management. Not only are you told about different tools but are shown how they are used and what benefit they have, not only in incident response but also in daily monitoring.
This book provides so much information it is hard to figure where I wanted to start with building my own incident response toolkit. You are given quite a few options on how to do an analysis and what tools you can use. Carvey leaves it up to you to determine what options you want to use for each analysis. Carvey is like a good parent giving their child all the information they will need in life and letting them apply it how they see fit.
The scripts that are provided with the book are excellent and provide you with a strong base to build your own incident response toolkit. The Forensic Server Project which the author wrote is covered in Chapter 8 and provides an excellent framework that can be tweaked to use your own preferences and scripts of your choosing. The ease and use of using this framework to collect incident information will make the first responders job that much easier considering the first responder will probably be under stress when doing this analysis. The instructions for installing it will very clear and easy to follow and I had it up and testing in a couple of minutes.
I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring.
Tools for the Microsoft Administrator
Windows Forensics and Incident Recovery is an invaluable resource for a Windows Administrator. The author points out correctly that an investigation into anomalous computer behavior is often cut short due to a lack of understanding what to look for and the time constraints that all IT departments work under. After presenting tools to reveal hidden processes and information, he presents a methodology to quickly and easily retrieve this information from a machine so that an informed decision as to whether patching, rebuilding or further investigation into the machine in question can be made.
Many of the utilities that are presented in the book will be familiar to most IT professionals. These utilities combined with the Perl scripts included on the companion CD make for a potent investigative tool kit. The step by step guide made installing Perl and integrated modules easy to follow. While Perl may not be a familiar language to many, opening the scripts with Note Pad or a Freeware tool such as Crimson Editor reveals detailed notes as to the purpose of each section of the script. After completing the setup for the Forensic Server Project the reader is rewarded with a powerful incident protocol ready for real world use.
There is also a review of several methods to hide data from within programs such as MS Word or Excel and also the operating system itself. On general security fundamentals Carvey discusses and confirms what should be the mantra of any Microsoft Administrator; patch, monitor and be informed. This book is a great resource for any Microsoft Administrator.
|
|
Our vBulletin book picks:
|
|
Find more vBulletin related products of interest.
|
