Forensic Blogs

An aggregator for digital forensics blogs

by

Update: format-bytes.py Version 0.0.9

This new version of format-bytes brings support for TLV records.

Here is an example with certificates in the Windows registry:

More details will be provided in an upcoming blog post.

format-bytes_V0_0_9.zip (https)
MD5: 2F97370D12A7DBB53EB8B30AA0A40463
SHA256: 87C9F3120673C0E92C9562EC2687B60AA93DAF612CE854939E48F6E902BFBBB4

by

IWS Review

A while back, I sent a signed copy of IWS to someone who was willing to write a review, and they've gone about trying to post their review with some difficulty, albeit not for a lack of trying on their part.  I greatly appreciate the effort, not just in reading and engaging with the book, and writing a review, but also trying to get it posted and shared!  So much so, in fact, that I offered to host the review here. 

While the book hasn't been out for a full year yet, I'm still just as nervous as I was the first day, regarding how the book will be viewed by the community.  This book is a pretty radical departure from my previous books, as well as from any other DFIR book I could find.  As such, with something this new (I had pretty much the same feelings regarding Windows Registry Forensics...), I greatly appreciate hearing how folks found the book, as well as if they were able to get anything from it...did it provide value?

Thanks, Dmitri, for taking the time read the book, and for putting in the additional effort to write down and share your thoughts! 

So...a review, by Dmitri...

Investigating Windows Systems - Review

I've read several books by Harlan, and I've never been disappointed. I love his direct way of writing. IWS is thinner and smaller than his other books but no less important, on the contrary.

Harlan writes that IWS is not for beginners, I still see myself as a beginner and should contradict Harlan here, also IWS is a book that is important, or may be, for any beginner, although some pieces in the book are not so easy with an effort of the reader and a search on the Internet everything becomes understandable.

The book is well organized. It teaches you from the beginning that a good analysis plan is important. It teaches you to focus between 'nice to know' and 'need to know'.

The book is divided into several cases (finding malware, user activity, web server compromise). Harlan explains to you how he would deal with these cases himself, and then teaches you how to make a self-reflection. What did you learn from your case, and how would you tackle it next time?

The book is not about the analysis of images themselves, nor about which tools you should use, but about how you should do the analysis, what plan you make. He teaches you to make the difference between a targeted approach and an automated approach.

In the last part, Harlan will teach you how to set up a testing environment, and convince you that testing changes in the file system yourself by deleting files, installing programs, …,  is often more instructive than just asking for help on the net.

I really enjoyed the book.

Dimitri Deryckere
1st Inspector 
Computer Crime Unit – Pz Regio Tielt - Belgium