[ISN] REVIEW: "Windows Forensics and Incident Recovery", Harlan Carvey

[InfoSec News]

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade at sprint.ca>

BKWNFOIR.RVW   20041224

"Windows Forensics and Incident Recovery", Harlan Carvey, 2005,
0-321-20098-5, U$49.99/C$71.99
%A   Harlan Carvey
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2005
%G   0-321-20098-5
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$71.99 416-447-5101 fax: 416-443-0948 bkexpress at aw.com
%O  http://www.amazon.com/exec/obidos/ASIN/0321200985/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0321200985/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321200985/robsladesin03-20
%O   tl a rl 1 tc 2 ta 2 tv 1 wq 2
%P   460 p. + CD-ROM
%T   "Windows Forensics and Incident Recovery"

Chapter one is an introduction, both to the book and to the ideas
behind it.  For once, the author does, indeed, try to define what an
incident is.  The definition is broad, but so are the possibilities. 
The intended audience is stated to be anyone interested in the
security of Microsoft Windows, but it is instructive that, in listing
specific groups, forensic specialists and security professionals are
*not* mentioned.  Carvey notes that a great many people would like to
know the information that Windows forensics can provide, since the
platform is nearly ubiquitous, but few have the knowledge of system
internals that is necessary to find the relevant bits.  Based on the
definition of an incident as an event that violates security policy,
chapter two demonstrates some of the ways that policy failures, and
therefore attacks, can occur.  (The rationale behind the inclusion of
eleven pages of Perl source for a program to detect null sessions
escapes me.)

Chapter three reviews a number of places to hide data, but all of
these are at the user interface level, such as setting hidden file
attributes, placing data in unused keys in the Registry, NTFS (NT File
System) alternate data streams (ADS), and the extra information stored
in data files by applications like Microsoft Word.  There is no
mention of the lower level caches: slack space (whether in terms of
zero padding, extra space in sectors, or the timing margins on hard
disks) or page files.  In addition, for those locations that are
mentioned, specific programs for extracting particular data are
listed, but no details of structural internals (for example formats
for NTFS, OLE/COM, or Word) are provided for analysis with more
general utilities.  This is not to say that Carvey does not do a good
job of explaining what he does cover: the tutorial on NTFS ADS is
clear and complete.  The material in chapter four addresses the issue
of preparation by suggesting various means of hardening systems and
networks against attack.  The content is unusual, and deals with
functions and activities that are frequently left out of security
texts.  At the same time, it does not touch on some common suggestions
for system security: this should be seen as a complement to, rather
than a replacement for, other Windows security works.  A wealth of
utilities for deriving all manner of information from Windows systems
are listed and described in chapter five.

Chapter six presents suggestions for the methods and procedures to be
used in responding to a potential incident, but it does so in the form
of a number of fictional examples.  The stories can be instructive,
but it does take a long time to sort through the material to find the
relevant points to use.  Various indications that can be evidence of
the existence of malware (particularly network-based remote access
trojans) are examined in chapter seven.  The author's Forensic Server
Project, a tool for managing forensic data collection, is presented in
chapter eight.  Chapter nine describes an assortment of network
scanning and data capture tools.

Although a number of areas are addressed, the text will be of greatest
use to those who are concerned about network malware, especially of
the remote access type.  The intended audience, of experienced but
non-specialist Windows administrators and law enforcement
professionals with some technical background, will find a number of
valuable indicators that will point out whether a system will reward
further scrutiny.  The professional, and particularly one with
experience in forensic analysis, will find some very useful
information on newer operations of Windows, but may be frustrated at
the lack of detail.  (I'm still not sure who is going to get a lot out
of all the Perl source code ...)

copyright Robert M. Slade, 2004   BKWNFOIR.RVW   20041224


======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca      slade at victoria.tc.ca      rslade at sun.soci.niu.edu
       When you tell the truth, you don't have to remember anything.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade