Just me, back from the blogging dead again for another drive-by blog post! I wanted to mention a couple of books I've read recently that I wanted to recommend. Notice I said "mention" the books, not review. Frankly, I suck at doing book reviews, so I'm just going to talk about them briefly without going into a full-scale breakdown. If you want to read well-written book reviews, I refer you to the master of that domain, Richard Bejtlich.
The first book I wanted to mention I actually finished quite a while back. There aren't many books (or anything else) that I pre-order. I usually figure that I'll get it when it comes out, no need to pre-order. However, I also have certain favorite authors whose work I look forward to so much that I want it as soon as possible after it becomes available. One of those authors is my friend, Harlan Carvey.
Many of us in the computer forensics world consider Harlan's blog one of those "must read" blogs. His interest and knowledge in the area of the Windows Registry are well known, and his RegRipper tool is one that many of us (including me) use on pretty much every case. So when I heard he was going to be writing a new book called Windows Registry Forensics, I placed my order at the first opportunity.
If you're looking for a book that will teach you step by step how to use some commercial tool, this isn't it. For that, I am thankful. When Harlan first started talking about doing this book, I remember some people asking in comments on his blog if he was going to cover this commercial tool or that for registry analysis. I replied in a comment that if it were up to me, no commercial tools would be concentrated on in the book. Frankly, I'm going to learn a lot more about the registry by actually studying the registry itself, not a commercial tool I may never have. In my opinion, it's far better to concentrate on the registry and get my hands dirty, looking under the hood with open source tools, and leave it to the various commercial vendors to teach you how to use their particular tools. Fortunately, Harlan felt the same way and took the approach I had hoped he would take, resulting in a book I've already referred back to on several occasions while doing case work.
The book is just over 200 pages and divided up into four chapters. The author makes it clear that he isn't going to provide you with every single registry key that may come in handy some day. Rather, he takes the "teach a man to fish" approach and starts you down the path of registry forensic analysis, giving you the knowledge to continue on your own.
Chapter One is a good introduction to just what registry analysis is and reasons you might do it. One thing I liked in this chapter was that he points out the importance of preparing yourself ahead of time, deciding what the goals of your analysis are instead of wasting time just grabbing everything. I know after reading this book that I have changed the way I approach all of my investigative work, not just that which involves the registry.
Chapter Two covers the various free and open source tools available for doing registry analysis. I had already used some of them, but others were new to me. Examining the registry on a live machine, as well as post-mortem analysis, are discussed in this chapter, and good examples are given. Tools available for documenting changes to the registry after certain actions are performed (e.g., using Regshot before and after running a program) are also covered. I thought this chapter did a good job of covering those tools that are out there for anyone to use, such as RegRipper, Regshot, Autoruns and so on.
I was pleased with the whole book, but I have to say I especially enjoyed the final two chapters. Chapter Three is titled "Case Studies: The System," while Chapter Four is "Case Studies: Tracking User Activity." I love reading examples of just how I might put all that I've learned thus far into practical use. I also like "war stories," if you will: real stories of registry analysis telling just how the analysis was conducted and how it turned out. These two chapters do all of that, with real-world cases discussed and examples of how to accomplish your goals.
I most certainly recommend Windows Registry Forensics to anyone who wants to learn more about the Windows registry and how it can help you make or break a case. The book is suitable for all forensic examiners, both in the public and private sectors, as well as students and others who simply want to learn more on the subject.
The other book I wanted to mention briefly is Kingpin, by Kevin Poulsen. I just finished reading this book the night before last and must say I really enjoyed it. The book details the criminal exploits of Max Butler, aka Max Vision, who is now doing time in federal prison for the crimes detailed in this book. Butler became a leader in the underground marketing of stolen credit card information, among other "cyber" crimes.
I liked the fact that Poulsen didn't just report the facts, but rather looked at who Max Butler is and perhaps what led to his eventual downfall. Butler's motivations were an important part of the story, and I thought all of that was covered well. I have read that others have somewhat criticized Poulsen's approach, as they felt it made Butler more of a sympathetic character than he deserved, but I disagree with that assertion.
Max Butler founded the website Carders Market, where stolen credit card data was traded openly and where vendors of equipment such as card skimmers could offer their products for sale. Butler took the unprecedented step of taking down rival sites and absorbing those sites' members without their permission or desire to do so, in the spirit of bringing the entire carding world together on one site. I remember hearing about this when it happened and found it very interesting indeed. Kevin Poulsen did a great job telling the story of how it all came to be, as well as the stories of the law enforcement agents who finally brought Butler down.
I recommend this book to pretty much anyone who enjoys a great story. One need not be overly techno-savvy to enjoy it, though I'll admit having some passing knowledge of the terminology used in the world of computers and networks doesn't hurt.
That's about all I have time for now. I hope to be back with more posts on a semi-regular basis soon, but I don't make any promises.