Everyone on Windows knows how important the role of the Registry is, and how many answers the keys it holds provide when it comes to forensic analysis. Yet this mysterious part of Windows has not been fully exposed publicly, and a newcomer is often left with a few nitty-gritty details here and there.
Here is the finest attempt to expose those intrinsic details of the registry by Harlan through his invaluable book, “Windows Registry Forensics”.
Here is the core information about the book:
- Title: Windows Registry Forensics
- Author: Harlan A. Carvey
- Publisher: Syngress
- Pages: 248
- Release Date: Feb 7, 2011
Here is the table of contents:
Chapter 1. Registry Analysis
What Is “Registry Analysis”?
What Is the Windows Registry?
Chapter 2. Tools
Chapter 3. Case Studies: The System
Security and SAM Hives
Chapter 4. Case Studies: Tracking User Activity
Tracking User Activity
The first chapter is more useful for beginners, showing what the registry is, the crucial information held by it, the hive files associated with the registry, how to view the contents using various tools, etc. It also explains the internal technical details of the registry hive file structure in a very simplified manner.
The next chapter is all about registry tools. Starting with regedit and Autoruns, the author showcases very useful and advanced tools such as RegRipper, RegSlack and MiTeC Registry File Viewer, covering their strengths and limitations. One limitation of some of the built-in tools is that they don’t show the LastWrite time, which is very important in forensic analysis for building a timeline of events. So the author shows how to write a simple Perl script to get around it, along with other tools that achieve the same.
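As an added illustration of the LastWrite point above (this is example code, not the book’s Perl script or any tool it reviews): every key in a hive file is stored as an “nk” cell whose header carries the LastWrite FILETIME at offset 4, so a script that recovers that timestamp from an offline hive has to read the cell header directly. The block below builds a constructed nk cell (sample values only) and parses it back, including the 8-bit vs UTF-16 key-name flag.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_KEY_COMP_NAME = 0x20  # nk flag: key name stored as 8-bit chars, not UTF-16LE


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a raw FILETIME tick count to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_nk_cell(cell: bytes) -> dict:
    """Parse one hive cell holding an 'nk' (key node) record.

    Layout: cell[0:4] is the signed cell size (negative = allocated); the
    record follows with 'nk' at +0, flags at +2, LastWrite FILETIME at +4,
    subkey count at +0x14, value count at +0x24, name length at +0x48 and
    the key name at +0x4C.
    """
    size = struct.unpack_from("<i", cell, 0)[0]
    rec = cell[4:]
    if rec[0:2] != b"nk":
        raise ValueError("not an nk record")
    flags, last_write = struct.unpack_from("<HQ", rec, 2)
    (n_subkeys,) = struct.unpack_from("<I", rec, 0x14)
    (n_values,) = struct.unpack_from("<I", rec, 0x24)
    (name_len,) = struct.unpack_from("<H", rec, 0x48)
    raw_name = rec[0x4C:0x4C + name_len]
    name = raw_name.decode("latin-1") if flags & _KEY_COMP_NAME else raw_name.decode("utf-16-le")
    return {"name": name, "last_write": filetime_to_datetime(last_write),
            "n_subkeys": n_subkeys, "n_values": n_values,
            "allocated": size < 0, "cell_size": abs(size)}


def build_nk_cell(name: str, last_write: datetime, n_subkeys: int = 0, n_values: int = 0) -> bytes:
    """Construct an allocated nk cell (sample data for the parser above)."""
    ticks = ((last_write - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    rec = bytearray(0x4C)
    rec[0:2] = b"nk"
    struct.pack_into("<HQ", rec, 2, _KEY_COMP_NAME, ticks)
    struct.pack_into("<I", rec, 0x14, n_subkeys)
    struct.pack_into("<I", rec, 0x24, n_values)
    struct.pack_into("<H", rec, 0x48, len(name))
    rec += name.encode("latin-1")
    total = 4 + len(rec)
    pad = (-total) % 8  # cells are 8-byte aligned
    return struct.pack("<i", -(total + pad)) + bytes(rec) + b"\x00" * pad


# Constructed sample: a "Run" key with three values, LastWrite on the book's release date.
SAMPLE_CELL = build_nk_cell("Run", datetime(2011, 2, 7, 12, 0, 0, tzinfo=timezone.utc), n_values=3)
```

Running `parse_nk_cell(SAMPLE_CELL)` yields the key name, counts and the LastWrite time as a UTC datetime, which is the value the built-in viewers discussed above do not surface.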
I found the third chapter more interesting. Here the author starts by dissecting the SECURITY and SAM hive files to recover user account information, and then covers cracking of user passwords using tools like Cain & Abel, ophcrack and pwdump. It also covers the SYSTEM hive file, recovering information on installed/deleted services, and discovering USB and other portable devices attached to the system. It talks about some of the interesting registry keys related to browser helper objects, auto-start locations, network interfaces, PendingFileRenameOperations, PersistentRoutes etc., explaining how malware or trojans make use of them.
The final chapter is dedicated to tracking user activity by analyzing various registry key locations: MRU registry entries, search terms, connected devices, startup entries (Run, RunOnce etc.). Throughout chapters 3 and 4 the author mentions real assignments, explaining how he used specific registry information to get the job done.
It would have been better if the author had laid out the approach or step-by-step procedure one should follow while analysing live and offline systems. The author mentions some of these things in a brief and ad-hoc manner. Setting out the steps and then discussing the relevant tools at each step would be more beneficial.
Overall the book is well written, easy to read and filled with technical examples and pictorial illustrations. However, if you are expecting it to cover all the important registry locations then you will be disappointed; that is not feasible in one book. Each chapter ends with an FAQ and references to tools and other research work that can help you build further.
In a nutshell, this is a must-have book for any Windows forensic analyst!!!