BooksFeatured

Investigating Windows Systems – Book Review

Investigating Windows Systems by Harlan Carvey

I am writing this review for two reasons:

  1. Investigating Windows Systems by Harlan Carvey is excellent
  2. Our industry does not support the leaders in our industry enough. This is my way of showing support for Harlan and others who put so much time into helping the rest of us learn and understand the various complex topics in DFIR.
Investigating Windows Systems – Book Cover

For any review to be relevant, I think it is important to know the background of the reviewer so that you understand their perspective and if it relates to your background and knowledge.

Background:

  • A. Computer Information Systems
  • Worked as a backend developer for several years specializing in web technologies
  • Changed careers and went into policing
  • After 7+ years in policing (patrol/tactical), went into Digital Forensics
  • 5+ years in Digital Forensics & Cybercrime
  • 1000+ hours of training in DFIR – Lots of courses & certifications
  • Started my own software business within the Digital Forensics industry called Forensic Notes
  • Continuing to expand my knowledge in DFIR

Although I currently work in Digital Forensics and don’t specifically do Incident Response, I have a strong interest in the subject after realizing how cybercrime was beginning to play a role in the majority of financial crimes. As a result, I have read a lot on the subject and try to keep up-to-date on the latest in cybersecurity.

I have been following Harlan’s work for many years reading his blog and his comments across the different social channels like Twitter, forums and LinkedIn. So, when he said he was coming out with a new book, I was excited as I knew he was someone with meaningful insights, always backed up with facts and detailed explanations on why he believes the things he believes.

Prior to reading Harlan’s book, I had the opportunity to take the SANS 508 Advanced Incident Response course. This was a fantastic course taught by Rob Lee. It was a real eye-opener into the world of Incident Response and Cyber Security. In fact, it was the driving force behind a lot of my knowledge into current trends, Advanced Persistent Threats (APTs) and theories on how to respond.

If you ever have a chance to take SANS training, I highly recommend it.

Although the training was great, I did not personally feel like I would be able to go and actually take part in Incident Response situations hands-on, but I was certainly more confident that I could assist in an advisory role. This is no fault of the course, but rather my lack of initial knowledge and training in Incident Response prior to taking the course.

I just didn’t feel like I knew how or why certain decisions were made during the analysis phase to ensure it was done quickly and efficiently. And since Incident Response is all about getting the bad guys out of the systems while reducing the downtime to the organization, this was knowledge I knew I needed.

This brings me to the book review of Investigating Windows Systems. As I stated prior, Harlan is a man who speaks what he thinks and backs it up with experience, knowledge, and facts. This is something that I appreciate.

Anyone can complain and point out that things are not being done properly or analyzed in the right way, but few can provide clear ideas and opinions on how it should be done.

Prior to ordering the book, I had read online some grumblings that some people were not happy with the overall size and cost of the book.

Unfortunately, you can’t make everyone happy.

In a world where many want things bigger, faster and cheaper, we forget that quality counts.

Not to mention that training in DFIR is expensive.

Quality training, likes SANS, easily costs over $1000 USD per day, so a book for approx. $60 that offers so much is a great deal.

The reality is that the book is smaller than your typical book in the computer industry, but I think that is a positive. I have read too many monstrous books that claim to provide all the answers but are limited on practical details and instead list example after example that may or may not provide insight into real-world issues.

Harlan went the opposite direction and wrote a book which provides just the facts and just the information you need to feel more confident in responding to a cyber incident.  A style that has likely served him well in producing reports on the numerous incidents he has investigated.

The book is broken down into 5 parts.

  1. Analysis Process
  2. Finding Malware
  3. User Activity
  4. Web Server Compromise
  5. Setting Up a Test Environment

In the Preface, Harlan starts off by stating “I am not an expert”, but with over 30 years in the information security field, I think it’s safe to say Harlan is being a bit humble.

The reality is that he IS an expert and clearly knows what he is talking about when it comes to incident response.

He continues by stating “…all of my earlier books have included…but little in the way of the thought process and analysis decisions that go into the actual analysis…there are a number of sites you can visit online that describe the use of open source and freely available tools for parsing data sources. However, rather than listing the tools and providing suggestions regarding how those tools might be used, I thought it would be a good idea to provide example analyses, from start to finish, and include the thought processes and analysis decisions along the way with respect to what tool to use, why, and what the analysis of the output of the tool provided, or led to”.

This is where I think Harlan’s book really shines and why I feel so strongly that others should be looking to purchase and read this book.

For someone like me, that feels overwhelmed at the idea of responding to a cyber incident, getting into the mind of an expert who has dealt with countless cyber incidents is extremely valuable.

I have read a lot of technical books that leave me wondering why certain steps were taken only to later determine that the steps were possibly inaccurate or at the least not well thought out, sometimes wasting me hours in attempting to replicate these ill-conceived steps.

Harlan’s book is the opposite.

Each decision is explained and evidence is shown on what step to take next and why to reduce the overall amount of data that you need to process and analyze. His examples flow, allowing you to ‘see’ what Harlan sees as he steps you through the different examples.

With the vast amounts of data and information now available in every cyber incident, Incident Response members have to have a clear plan and take steps to reduce the workload and get the system up and running quickly.

Harlan also stresses the need for proper documentation during every phase of your incident response and to properly interpret the data being analyzed, stating…

“The purpose of digital forensic analysis, and hence, an analyst’s job, is to paint a narrative that informs those who need to make critical business (or legal) decisions. This means that you cannot put a bunch of facts or data points ‘on paper’ and expect whoever is reading it (your client) to connect the dots. The analyst’s job is to build an outline and start filling in the picture, addressing the client’s questions and analysis goals. You do this by collecting the available and appropriate data, and then extracting and interpreting those elements or data points that are pertinent to answering the analysis goals or questions. The keys to this, although not the sum total, are to extract all of the relevant data points, and to interpret them correctly…not interpreting the data correctly will lead to incorrect findings, which in turn will incorrectly inform decision makers”.

An incorrect finding could result in millions in extra costs to the client if the IR team incorrectly determines that a breach occurred months prior to when it actually did occur or was more invasive than what actually occurred.

In my mind, Harlan’s book is a must for folks working in Incident Response.   I strongly encourage you to purchase the book so that you can get into Harlan’s head and see why he makes the decisions he makes during an incident response.

I started off this review stating that his book is excellent and that we must support Harlan and others like him that give so much to the DFIR community. Training within the DFIR field is expensive and if we hope to have Harlan and others produce books like this, which provide so much useful information at a fraction of formal training costs, then we have to support them by purchasing the book and encouraging others to do the same.

Purchase at:

To encourage others in supporting leaders in the field like Harlan, I will give a 6-month Professional membership to Forensic Notes to anyone that writes a detailed review of this book. Simply email me directly with a link to your review.

Happy Reading,

Robert Merriott
Founder – Forensic Notes
www.forensicnotes.com