Windows Forensics and Incident Recovery

October 28, 2004

Every attack on a computer system leaves a trace behind, no matter what an attacker might do to cover their steps. Data can also be hidden by an attacker for later use as a back door. Forensics in part looks at uncovering evidence of this activity.

There are numerous ways of hiding data, and the book goes into detail about just how this is done once a device has been compromised. Knowing how to hide data should make it possible to develop strategies to detect such information. The book shows the reader simple steps for finding out whether such systems contain hidden files.

The author has included a Perl script that performs analysis on file signatures to ascertain whether a file has been tampered with. It starts with the basics, such as file times (when a file was last accessed), and goes on to look at how the registry can be used to hide data, and at programs such as Hydan which use redundancy in the instruction set to hide data by changing, for example, "add 1" to "subtract -1". The book cannot go into much detail about the various ways and means of hiding and discovering data, but it is a good jumping-off point for the reader to do further research of their own.
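As an illustration of the file-signature check the review refers to, here is an added example written for this page in Python rather than the book's Perl; it is not the author's script or any code from the book. It compares the leading "magic" bytes of a file's content with the type its extension claims, and flags mismatches (an executable renamed to look like a picture, say) for the investigator to examine. The magic-byte table and extension mapping are a small selection I have assumed here, and the sample "files" are constructed inline, not real evidence.

```python
# Added example: file-signature (magic bytes) versus extension check.
# Not from the book; the tables below are assumed values chosen for the demo.
import os
from typing import Dict, List, Optional, Tuple

# Well-known leading byte sequences -> type label (assumed selection).
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "pe"),                                    # Windows executable / DLL
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),     # legacy Office / OLE2
]

# Extension -> type label the content is expected to carry (assumed mapping).
EXT_TYPES: Dict[str, str] = {
    ".exe": "pe", ".dll": "pe", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".gif": "gif", ".pdf": "pdf", ".zip": "zip", ".doc": "ole", ".xls": "ole",
}


def identify(data: bytes) -> Optional[str]:
    """Return the type label implied by the leading bytes, or None if unknown."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return None


def check_signature(name: str, data: bytes) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify one file as 'ok', 'mismatch' or 'unknown'.

    Returns (status, expected_type_from_extension, actual_type_from_content).
    'unknown' means either the extension or the content is not in our tables,
    so the analyst must look by hand rather than trust a verdict.
    """
    ext = os.path.splitext(name)[1].lower()
    expected = EXT_TYPES.get(ext)
    actual = identify(data)
    if expected is None or actual is None:
        return ("unknown", expected, actual)
    return ("ok" if expected == actual else "mismatch", expected, actual)


def scan(files: Dict[str, bytes]) -> List[str]:
    """Return the names whose content type contradicts their extension."""
    return [n for n, d in files.items() if check_signature(n, d)[0] == "mismatch"]


# Constructed sample "files" (not real evidence): a genuine PNG header, a PE
# header hidden behind a picture extension, a plain text file with no known
# signature, and a PDF whose header matches its extension.
SAMPLE_FILES: Dict[str, bytes] = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "holiday2.jpg": b"MZ\x90\x00\x03\x00" + b"\x00" * 16,   # executable renamed to .jpg
    "notes.txt": b"just some text\n",
    "report.pdf": b"%PDF-1.4\n%...",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, check_signature(name, data))
    print("suspicious:", scan(SAMPLE_FILES))
```

Only the first few bytes of each file are read, so the check is cheap enough to run across a whole volume; the "unknown" outcome is deliberately kept separate from "ok" so that files outside the tables are queued for manual inspection rather than silently passed.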

In the later chapters, after the groundwork of the first three, the author sets out a framework for a methodology to be used in the forensic investigation of a Windows machine.

Bizarrely, in chapter six there is a dream sequence in which the main character, network administrator Andy, has to develop a forensic methodology following a network incident. This is a clever way of showing the reader how to come up with a way of dealing with problems, but we half suspected that the culprit would turn out to be Bobby Ewing in the shower.

Other than that, this is a very useful book to add to the library of anyone wanting to understand forensic investigation of computer systems. What would be useful now is for the author to follow up this book with one based on Linux.

Product title
Windows Forensics and Incident Recovery
Product info
Name: Windows Forensics and Incident Recovery
Description:
Price: $49.99
Strength: Covers the ins and outs of forensics on Windows systems
Weakness: Only covers Windows systems.
Verdict: Great addition to the forensic investigator's library.