Windows Forensic Analysis Toolkit
Harlan Carvey
Technical Editor
Jennifer Kolde
Acquiring Editor: Chris Katsaropoulos
Development Editor: Heather Scherer
Project Manager: Jessica Vaughan
Designer: Alisa Andreola
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Copyright 2012 Elsevier Inc. All rights reserved
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the Publisher. Details on how to seek permission, further information about the Publisher's permissions policies, and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Carvey, Harlan A.
Windows forensic analysis toolkit advanced analysis techniques for Windows 7 / by Harlan Carvey.
p. cm.
Includes bibliographical references.
ISBN 978-1-59749-727-5
1. Computer crimes--Investigation--United States--Methodology. 2. Microsoft Windows (Computer file)--Security measures. 3. Computer networks--Security measures. 4. Internet--Security measures. 5. Computer security. I. Title.
HV8079.C65C3726 2012
363.25968--dc23
2011043150
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-1-59749-727-5
Printed in the United States of America
11 12 13 14 15 10 9 8 7 6 5 4 3 2 1
For information on all Syngress publications, visit our website at www.syngress.com.
To Terri and Kylie: you are my light and my foundation.
Preface
I am not an expert. I have never claimed to be an expert at anything (at least not seriously done so), least of all an expert in digital forensic analysis of Windows systems. I am simply someone who has found an interest in my chosen field of employment, and a passion to dig deeper. I enjoy delving into and extending the investigative process, as well as exploring new ways to approach problems in the field of digital forensic analysis. It was more than 13 years ago that I decided to focus on Windows systems specifically, in large part because no one else on the team I worked with at the time did so. We had folks who focused on routers and firewalls, as well as those who focused on Linux; however, almost no effort, beyond enabling configuration settings in the vulnerability scanner we used, was put toward really understanding Windows systems. As I moved from vulnerability assessments into incident response and digital forensic analysis, understanding what was happening under the hood on Windows systems, understanding what actions could create or modify certain artifacts, became a paramount interest. I am not an expert.
When I sat down to write this book, I wanted to take a different approach from the second edition; that is, rather than starting with the manuscript from the previous edition and adding new material, I wanted to start over completely and write an entirely new book, creating a companion book to the second edition. As I was writing the second edition, Windows 7 was gaining greater prominence in the marketplace, and there has been considerably more effort dedicated toward research into Windows 7 artifacts, and more developments as a result of it. Even now, as I write this book (summer 2011), Windows 8 is beginning to poke its head over the horizon, and it likely won't be too awfully long before we begin to see Windows 8 systems. As such, there's a good deal more to write about and address, so I wanted to write a book that, rather than focusing on Windows XP and looking ahead now and again to Windows 7, instead focused on Windows 7 as an analysis platform and target, and referred back to previous versions of Windows when it made sense to do so.
Therefore, regardless of the title, this book is not intended to replace the second edition, but instead to be a companion edition to be used alongside the second edition. Let me say that again: if you have the second edition of Windows Forensic Analysis, you will not want to get rid of it and replace it with this book. Instead, you'll want to have both of them (as well as Windows Registry Forensics and Digital Forensics with Open-Source Tools) on your bookshelf or Kindle (or whichever ebook platform you're using). In fact, if you have just purchased this edition, you will want to also purchase a copy of the second edition, as well.
I will say upfront that there are some things not covered in this book. When writing this book, I did not want to reiterate some of the information available in other media, including previous editions of Windows Forensic Analysis. As such, while mentioning how physical memory can be collected from a Windows system, this book does not go into detail with respect to memory analysis; truthfully, this is a topic best covered in a book of its own. In this book, we also discuss malware detection within an acquired image, but we do not discuss malware analysis, as this topic has been addressed extremely well in its own book.
Intended Audience
This book is intended for anyone with an interest in developing a greater understanding of digital forensic analysis, specifically of Windows 7 systems. This includes digital forensic analysts, incident responders, students, law enforcement officers, and researchers, or just anyone who's interested in digital forensic analysis of Windows 7 systems. Even system administrators and hobbyists will get something useful from this book. I've tried to point out how the information in this book can be used, by both forensic analysts and incident responders alike.
In reading this book, you'll notice that there are several tools described throughout that were written in the Perl scripting language. Don't worry, you don't need to be a Perl expert (after all, neither am I) to use these scripts; not only are the scripts very simple to use, but in most cases, they are accompanied by Windows executables, compiled using Perl2.exe (found at