Windows Forensics And Incident Recovery

The purpose of this book is to explain some technical information about Microsoft Windows systems with a focus on forensics audits and incident recovery. The author did a good job and by the end of the book you will know how to prepare your system to prevent and detect incidents, how to analyze live forensics data, and more.

Author: Harlan Carvey
Pages: 480
Publisher: Addison-Wesley
ISBN: 0321200985

Available for download is chapter 8 entitled “Using the Forensic Server Project”.


If you are responsible for Windows systems and you want your system to be secure you must expand your knowledge to various areas of computer security. Every system is a target and the only way to be prepared for an incident is to know what a perpetrator would change and where to look for evidence. This book promises to guide you into a part of computer security some consider to be exotic – forensics.

About the author

Harlan Carvey is an instructor and course developer. He developed curriculum for a two-day, hands-on course addressing incident response and “live” forensics in the Windows environment. This course is extremely technical in nature and kept continually up to date. Harlan has presented at USENIX, DefCon9, Black Hat, GMU2003 on various topics specific to issues on Windows platforms, such as data hiding.

Inside the book

For those who work or want to work in forensics, it is important to understand the mechanism by which incidents occur. The author writes about why incidents occur and what their characteristics are. He covers four types of incidents: local, remote, manual and automatic. Every type is presented with its basic characteristics and some examples of its occurrence.

Every attack on a system leaves some trace of evidence. Once a system has been compromised, there are a number of ways to hide data, and that’s exactly what Carvey discusses. Knowing how data is hidden makes it possible to develop mechanisms for detecting hidden data. The first and easiest way to hide data is to change the file attributes. The author shows you some simple steps for checking whether the system you are watching has hidden files.

A file signature is one of the attributes that says a lot about a file, and Carvey shows you a Perl script for performing file signature analysis. This is a good way of detecting hidden files whose extensions have been altered. Other important data for an investigation are the file times: time of creation, modification and access. The registry is also a good place to hide data. It’s important to know all the methods of hiding data, as you have to inspect your system extensively after an incident. It was interesting to see how much data can be hidden in Excel and Word documents. Of course, due to the length of the book, not all methods of hiding data are presented, but what the author does is make you think creatively, and that enables you to find more data on your own.
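The two checks described above (hidden files and extension/signature mismatches) are easy to see in working code. The following Python script is an added example written for this review; it is not Carvey's Perl script and not taken from the book or its CD-ROM. It reads the first bytes of each file, compares them against a small table of well-known magic numbers, and flags files whose extension claims a different type than their contents. The sample files, their names and their contents are constructed for the demonstration; the Windows hidden-attribute helper only returns a result on Windows, where Python exposes `st_file_attributes`.

```python
"""File signature analysis: detect files whose extension does not match their
leading bytes (magic number). Added example, not the book's Perl script."""
import os
import stat
import tempfile

# Well-known leading byte sequences. The table is deliberately short; a real
# scan would carry far more entries.
SIGNATURES = {
    "exe": [b"MZ"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
}
# Extensions that legitimately share a signature (Office XML files are zips,
# DLLs carry the same MZ header as executables).
ALIASES = {"jpeg": "jpg", "dll": "exe", "docx": "zip", "xlsx": "zip"}
HEADER_LEN = max(len(s) for sigs in SIGNATURES.values() for s in sigs)


def detect_type(header: bytes):
    """Return the type whose magic number the header starts with, or None."""
    for kind, sigs in SIGNATURES.items():
        if any(header.startswith(s) for s in sigs):
            return kind
    return None


def claimed_type(filename: str):
    """Type implied by the extension (case-insensitive), or None if there is none."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if not ext:
        return None
    return ALIASES.get(ext, ext)


def analyze(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the bytes actually present.

    Verdicts: ok, mismatch (renamed file candidate), unknown-signature
    (not in the table, needs manual review), no-extension.
    """
    detected = detect_type(data[:HEADER_LEN])
    claimed = claimed_type(filename)
    if claimed is None:
        verdict = "no-extension"
    elif detected is None:
        verdict = "unknown-signature"
    elif detected == claimed:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"file": filename, "claimed": claimed, "detected": detected, "verdict": verdict}


def is_hidden_attribute(path: str):
    """Windows only: True if the file carries the Hidden attribute; None elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_directory(root: str) -> list:
    """Walk a tree, reading only the header of each file, and collect verdicts."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(HEADER_LEN)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            result = analyze(path, header)
            result["hidden_attr"] = is_hidden_attribute(path)
            findings.append(result)
    return findings


def demo() -> list:
    """Build a constructed sample tree and return (basename, verdict) pairs, sorted."""
    samples = {  # constructed contents, not real captured files
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "invoice.pdf": b"%PDF-1.4\n%constructed",
        "notes.txt": b"MZ\x90\x00\x03" + b"\x00" * 16,   # executable renamed to .txt
        "readme": b"plain text, no extension",
        "setup.exe": b"MZ\x90\x00\x03" + b"\x00" * 16,
        "budget.xlsx": b"PK\x03\x04" + b"\x00" * 16,
        "image.png": b"GIF89a" + b"\x00" * 16,          # GIF renamed to .png
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        results = scan_directory(tmp)
    return sorted((os.path.basename(r["file"]), r["verdict"]) for r in results)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:18} {name}")
```

The `unknown-signature` verdict is the important edge case: a file whose header is absent from the table is not evidence of anything by itself, so the scan separates it from a real `mismatch` instead of lumping the two together and burying the renamed executable in noise.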

How fast and how well a system can be recovered from an incident depends on how well it was prepared for one. A good starting point is to deploy perimeter devices while limiting the company's exposure on the Internet. Host configuration is also covered here.

When it comes to preparing your network for an incident, two very important things you have to deal with are group policies and user rights. Remember, the insider threat is very much underrated. You learn about Windows XP user privileges and logon rights. “The Principle of Least Privilege” is a rule every administrator should apply in order to manage their system efficiently. Other topics Carvey brings forward are patch management, antivirus solutions and monitoring.

In order to do any job efficiently one needs the appropriate tools. The author delves further into the subject by describing Perl scripts and a variety of tools divided into three main categories: tools used to collect volatile information, tools for collecting non-volatile information and tools used for file analysis. Each tool is covered with a short description and an example of usage.

One of the most important things you have to do in order to respond to an incident properly is to follow a methodology. Every network is different, and what works for one may not be acceptable for another. The author guides you through the development of a methodology for incident reporting and incident handling. To point out the importance of a methodology, Carvey describes five scenarios from a few days in the life of Andy the administrator. Andy goes through one incident and tries to resolve the problem in five different ways. After each attempt the author draws conclusions and gives you advice. These real-world examples are the true value of this book.

To determine whether a Windows system has been compromised and/or has some sort of malware installed, one must understand how such things affect a system and where to look for evidence. The majority of attackers, if they know what they are doing, will use a combination of methods to hide their presence on the system. Carvey provides you with knowledge of malware footprints and persistence, rootkit examples and methods of detection, and all of this is here for one goal only – to show you what to look for.

What follows next is a discussion of data collection, a very important skill that enables you to determine the nature of the incident. The author introduces the Forensic Server Project (FSP), whose purpose is to provide a framework for performing forensically sound data collection from potentially compromised systems. It covers data collection, correlation and analysis. FSP presents a quick and easy way to get the collection work done.

In previous chapters the main subject was collecting evidence from the system. Besides the system, the network holds valuable information about an incident as well. To analyze a network, an investigator will use specialized tools known as sniffers. Carvey presents several port scanners and network protocol analyzers with command line examples.

Since this book contains a few Perl scripts, the author covers the process of installing Perl on a Windows system in appendix A. Appendix B provides a list of web sites with some interesting information about incident handling. Appendix C provides answers to the questions posed in an earlier chapter.


The CD-ROM that comes with this book contains incident response and forensics code developed by the author. It also includes sample network packet captures, which need to be opened in Ethereal, as well as data collected from compromised systems using the Forensic Server Project.

My 2 cents

Carvey has a good way of explaining things. He starts by describing an incident, and then explains how to resolve that particular situation. The book is written in plain English so it’s easy to understand. It’s intended for a Windows system administrator but also for anyone interested in Windows security. Highly recommended.