Saturday, March 26, 2011

Windows Registry Forensics-Review

I read Harlan Carvey's "Windows Registry Forensics" on a flight to Florida last week so I thought I'd write up a little review.

If you haven't already read "Windows Forensic Analysis" I highly recommend you do so.

First of all I have a tremendous amount of respect for someone who is willing to put their thoughts to paper when it comes to digital forensics. It's a very difficult topic because things are always evolving. It also takes a tremendous amount of time to write a book; I'm trying to help a buddy with just a few chapters in a book he started and it's extremely difficult.

I will admit that I was expecting a little more book when I first purchased it; the registry is such a large piece of the Windows OS that I really thought the book would be encyclopedic. That being said, I was not disappointed by the content.

The book is laid out in 4 chapters: Analysis, Tools, Case Studies: System and Case Studies: User tracking.

The Analysis chapter covers the binary structure of the registry as well as its main purpose to the operating system and to the users. A considerable amount of this section was review for me (ten years of sysadmin work) but I've never read anything that tears down into the physical on-disk structure of the registry at the lowest level. Harlan obviously spent some time in this section tearing the registry down to its nuts and bolts.

The tools chapter: If you don't read Harlan's blog or keep up with who is doing what in the industry you'll be expecting him to spend 50 pages talking about EnCase. Instead he uses the chapter to talk about a myriad of other tools which are just as useful if not more so than EnCase. He spends a fair amount of time explaining his own Perl tool "RegRipper" and how it came to be as well as encouraging readers to develop their own plugins for RegRipper. I personally use RegRipper on every case I work so I know how useful it is and have spent a fair amount of time trying to figure out how it does what it does. The book helped explain a little bit of the "behind the curtain" thought process that went into its design.

Case Studies: System. Here's where the book starts to really pick up. 72 pages of nuts and bolts and "Here's why I've spent the last 150 pages explaining all this crap to you." I read this section twice. The registry contains so much information about the state of a given system that it is imperative a good investigator knows what they are looking at, what is normal, and why. After reading Harlan's case studies I have a better understanding of the pieces I already knew about and some insight into other chunks of the registry that have never caught my eye. Excellent chapter.

Case Studies: Tracking user activity. The most useful chapter in the book! I am familiar with registry artifacts found during an investigation. For the most part I know how to use those artifacts to forward or disprove a theory. Even with that knowledge this section caught me off guard with how little I really know. Especially good was the dissection of all the areas of the registry that can be used for malware persistence and the write-up on "shellbags". I have run across these artifacts a dozen or more times in my supertimelines but never paid them all that much attention; I knew that they represented user activity of some kind, but it didn't seem related to any type of malicious activity. Now I know that I was correct in my assumption but I also know that those shellbags are definitive proof of an interactive session.

All in all, I enjoyed reading the book. Harlan keeps it personable while maintaining an air of technicality. So many books like this are so dry that they can't be read for more than 15 minutes. Not so in this case. I have absolutely no regrets on the purchase price and just like "Windows Forensic Analysis" I will be referring to this book for years to come and I'm glad I have it as a resource.


  1. Grayson,
    Another good post. I really like your honesty and how you communicate. It's like we're sitting across the table in a coffee shop and you're telling me all about it.

  2. @itauditsecurity,

    I couldn't agree more. Amazing Books here I come!