Arts & Photography
Audio CDs
Audiocassettes
Biographies & Memoirs
Business & Investing
Children's Books
Christianity
Comics & Graphic Novels
Computers & Internet
Cooking, Food & Wine
Entertainment
Gay & Lesbian
Health, Mind & Body
History
Home & Garden
Horror
Literature & Fiction
Mystery & Thrillers
Nonfiction
Outdoors & Nature
Parenting & Families
Professional & Technical
Reference
Religion & Spirituality
Romance
Science
Science Fiction & Fantasy
Sports
Teens
Travel
Women's Fiction
|
 |
Windows Forensics and Incident Recovery |
List Price: $49.99
Your Price: $35.51 |
 |
|
|
|
| Product Info |
Reviews |
<< 1 >>
Rating: 
Summary: Invaluable Resource For Any Windows Admin
Review: About a year ago I was investigating a system to try and determine if it was attacked, as well as when and how if it had been. I wrote for help to a list that I am on and Harlan Carvey responded with detailed and useful information that helped me out.
I asked Carvey at the time if there were a book I could get that would help me learn that stuff and he told me that he didn't want to be cocky per se, but that there really wasn't and that I would have to wait until his book came out. Now that I have it I think I would have to agree.
There are plenty of great books on computer forensics available, but none that go into the depth that Carvey does on the Windows operating system itself. The information he provides regarding how and where Windows hides information is invaluable for finding and recovering from an attack.
Carvey makes extensive use of PERL, rather than using the native Windows Scripting Host (WSH), and he explains that PERL is vastly more flexible and powerful than what Windows has to offer. He provides details for how to install it and the scripts from the book are on the accompanying CD.
I highly recommend this book for ALL Windows system administrators and anyone who investigates incidents on Windows systems.
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).
Rating:
Summary: An Excellent and Informative Book
Review: I am a nuts and bolts kind of guy and this book suits me to a tee. Harlan covers the topics thoroughly and has added to my knowledge of forensic methodology and shown me new techniques to discover information the many recent versions of the Windows operating system. He has done his homework, mixed it up with lots of coding examples, and even added some dream weaving to illustrate his points.
He lays the groundwork in chapters one, two, and three so that anyone reading the book will be sure to understand his purpose and see the framework that will be used for a methodology for Windows incident response.
Chapters four and five cover incident response. Among the preventative tools mentioned are group policies and configuration options that can be used on a Windows system so it can be configured to effectively take advantage of native security features. One of the topics in this chapter is using and extending Windows File Protection (WFP). A useful suggestion found here is the extension of WFP to protect static pages located on the root of a web site - especially since there are web site defacements occurring all the time. In Chapter five he covers the collection of volatile and non-volatile information. Although there are many tools out there for collection of this information, many well known to forensic examiners, Harlan progresses in a logical sequence and enumerates the pros and cons of each in a very understandable way. There are many examples of command lines, screen shots, and perl scripts to explain the concepts. In chapter 5 there are 47 web links that can be used to research the tools mentioned.
I had never imagined a dream sequence in a book about computer forensics - but there it was in chapter six. We follow in the footsteps of Andy, a network administrator unlucky enough to be the victim of a network incident. Andy develops a methodology to prepare for, contain, and analyze network incidents. We can see the consequences of being unprepared and then follow Andy through the development of this methodology. In hindsight, this was a good teaching tool based on experience and it brings the reader through a logical set of steps so they can start to think about developing their own methodology.
Chapter seven covers what to look for when doing incident investigation. Windows, an operating system where most people use the graphical user interface (GUI), hides many of its internals from the user. This chapter covers the functions of these internals, and locations of data and tools that can be used to discover it. There also is a look at the AFT Windows Rootkit 2003. This rootkit hides itself from the casual investigator. Using the proper tools, this rootkit can be discovered.
Harlan's Forensic Server Project (FSP) is discussed in chapter eight. This project takes the elements discussed earlier in the book and brings them together so that an investigator can adapt and customize to fit the needs of their own investigation. The FSP is not an end to itself, but rather furthers forensic techniques and knowledge with the use of open-source tools and a structured methodology. An additional chapter covers scanners and sniffers that can be used for network forensic investigations.
The investigator will find over 200 links to Internet sites for further exploration. It is a good solid start to an ongoing and exciting project that will evolve and grow now that the solid foundation has been published.
Windows is a complex operating system and the fact that it is used in the majority of computers in the world makes it a tempting target. In the future I would expect that the chapter on rootkits would be expanded. There are several varieties of rootkits in the wild and the forensic community will value any light that can be shown on their operation and malicious functions.
Harlan Carvey's book is a valuable addition to my bookshelf.
Rating: 
Summary: Very Informative Read
Review: I see three types of people reading this book: 1) People who make a living in network security, 2) Advanced users who *really* want to know areas where hackers can get in, and 3) Wanna-be "hackers" (learning what not to do by studying what people are looking for). Every chapter is filled with revealing information and "see for yourself" proofs. The book is easy to read and understand, regardless of your previous Windows Security experience.
I only have two issues with the book. The first is that the author almost exclusively uses Perl as the scripting language for all the proof of concept and utility scripts in the book (all very conveniently located on the accompanying CD-ROM). This is understandable in that Windows native scripting languages may not provide the same functionality as easily (if at all) as Perl, but Perl isn't native to the Windows environment. A great many of today's Windows Administrators started off with Microsoft Platforms, and use Microsoft languages to perform tasks. It would have been nice if the author had presented some of his script in Windows native languages, so as to afford those without Perl experience the same level of experience. Secondly, and again understandably, the book makes reference to many utilities only available for download from various third-party web sites. If web sites were permanent, reliable, static resources, this wouldn't be a problem - but when you attempt to download a mentioned utility only to find that the web site no longer exists, or the download removed, it detracts from the value of the book itself. This is not to say that book is full of broken links, only that the nature of the Internet is dynamic and things change over time.
Overall, a welcome addition to your technology library, and well worth the time invested to read. Anyone reading the book will take away something to improve the security of the systems under their charge.
Rating:
Summary: Invaluable Reference for Todays Windows Admins
Review: I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring. This is the first computer book that I have read cover to cover in well over 5 years and I have bought a lot of computer books. From the beginning until the end you are bombarded with information that is useful and relevant to today's Windows management. Not only are you told about different tools but are shown how they are used and what benefit they have, not only in incident response but also in daily monitoring.
This book provides so much information it is hard to figure where I wanted to start with building my own incident response toolkit. You are given quite a few options on how to do an analysis and what tools you can use. Carvey leaves it up to you to determine what options you want to use for each analysis. Carvey is like a good parent giving their child all the information they will need in life and letting them apply it how they see fit.
The scripts that are provided with the book are excellent and provide you with a strong base to build your own incident response toolkit. The Forensic Server Project which the author wrote is covered in Chapter 8 and provides an excellent framework that can be tweaked to use your own preferences and scripts of your choosing. The ease and use of using this framework to collect incident information will make the first responders job that much easier considering the first responder will probably be under stress when doing this analysis. The instructions for installing it will very clear and easy to follow and I had it up and testing in a couple of minutes.
I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring.
Rating:
Summary: Distinctive case studies
Review: Perhaps an overdue book! Inasmuch as satisfying an unmet need goes. Carvey writes this book as a counterpart to those about defending a linux/unix system or network against attacks.
He points out that Microsoft Windows sysadmins often suffer from several disadvantages compared to the other counterparts. There are fewer open source tools for network diagnostics. In part because the Microsoft operating systems are closed, it is harder, though not impossible, to write such tools. Plus, a sysadmin tends to be more dependent on the UI tools that come with the operating system. That is, if the UI tools show nothing anomalous, then the sysadmin thinks everything is hunky dory. But those tools can be fooled by smart attacks. Mind you, similar could also be said of some unix sysadmins, who restrict themselves to a UI.
Carvey wrote this book to remedy these deficiencies. He goes into clear explanations of malware and how, for example, an attacker has various ways to hide a foreign file.
A distinctive part of the book is the chapter on developing a methodology. He walks through several case studies of a sysadmin and his network, and how anomalies arise and can be tracked down. Written in an informal, novelistic style. Very readable and educational. Any sysadmin can easily relate to the flow of events and the logic and decisions the "hero" makes. The chapter is the equivalent of the problem sets at the ends of chapters in other books. You do these to assimilate the chapters. But when discussing network security, it is hard to have that format of questions. Instead, Carvey presents each case study as a logical puzzle. To actually apply what he's covered in the preceding chapters.
Here's a suggestion. The author does not recommend this, but I will. Turn to the above chapter first. Read as much of it as you can. Some details may not be known to you, because they were covered in the earlier chapters, which you skipped. But do at least some of the scenarios make sense or sound familiar? If so, then the book may be well suited for you, and you should read it thoroughly.
Rating:
Summary: Tools for the Microsoft Administrator
Review: Windows Forensics and Incident Recovery is an invaluable resource for a Windows Administrator. The author points out correctly that an investigation into anomalous computer behavior is often cut short due to a lack of understanding what to look for and the time constraints that all IT departments work under. After presenting tools to reveal hidden processes and information, he presents a methodology to quickly and easily retrieve this information from a machine so that an informed decision as to whether patching, rebuilding or further investigation into the machine in question can be made.
Many of the utilities that are presented in the book will be familiar to most IT professionals. These utilities combined with the Perl scripts included on the companion CD make for a potent investigative tool kit. The step by step guide made installing Perl and integrated modules easy to follow. While Perl may not be a familiar language to many, opening the scripts with Note Pad or a Freeware tool such as Crimson Editor reveals detailed notes as to the purpose of each section of the script. After completing the setup for the Forensic Server Project the reader is rewarded with a powerful incident protocol ready for real world use.
There is also a review of several methods to hide data from within programs such as MS Word or Excel and also the operating system itself. On general security fundamentals Carvey discusses and confirms what should be the mantra of any Microsoft Administrator; patch, monitor and be informed. This book is a great resource for any Microsoft Administrator.
<< 1 >>
|
|
|
|
