Monday, July 16, 2007

Book Review

Donald Tabone posted a review of my book, Windows Forensic Analysis, here.

In his review, Mr. Tabone included this:

What I dislike about the book:

- No mention of Steganography techniques/tools which Chapter 5 could have benefited from.

Back in the fall of '06, while I was writing the book, I sent out emails to a couple of lists asking folks what they would like to see in a book that focuses on forensic analysis of Windows systems; I received very few responses, and if memory serves, only one mentioned steganography. In this book, I wanted to focus specifically on issues directly related to the forensic analysis of Windows systems, and I did not see where steganography fit into that category.

Interestingly enough, Mr. Tabone did not mention what it was he wanted to know about steganography. Articles have already been written on the subject (SecurityFocus, etc.) and there are sites with extensive lists of tools, for a variety of platforms.

I would like to extend a hearty "thanks" to Mr. Tabone for taking the time and effort to write a review of my book, and for posting it.

Incidentally, Hogfly posted a review of my book as well. Be sure to read the comments that follow that review, too.

10 comments:

chigo58 said...

Hi Harlan,

Just a brief clarification on the point of steganography. Indeed one of the things I loved about your book are your personal experiences and how they were tackled with various tools. The approach is very professional and it would have been useful to share and know of your experiences when it comes to data that was hidden.

Understandably, delving into the world of steganography is quite something and possibly one could have written a whole chapter; however, I realise that this could have been intentionally omitted. In my opinion, Chapter 5 could have benefited from the mention of insertion and substitution techniques that are being employed these days. Again, in my opinion, steganalysis is a section of forensic analysis that should be mentioned independently of the platform. That said, I have a very high opinion of your book and thoroughly recommend it to all digital forensic investigators.

H. Carvey said...

In my opinion, Chapter 5 could have benefited from the mention of insertion and substitution techniques that are being employed these days.

Understood...but I think that "techniques that are being employed these days" is open to opinion, as well. I would state that from my experience, and the experience of several analysts that I have spoken with, none of us have seen or had reason to suspect steganography.

Chapter 5 focuses primarily on the analysis of files from Windows systems...steg'd files aren't specific to Windows. As you said, "...steganalysis is a section of forensic analysis that should be mentioned independently of the platform."

I have a very high opinion of your book...

And I do thank you and greatly appreciate the effort you put into your review.

Now...if we could just get more reviews, particularly on other sites, such as Amazon, and slashdot.

PaulM said...

Agreed. I've never seen stego in the wild, and the use case for it on a userland machine is pretty poor. Encryption, file streams, and deallocated blocks are all typically better options (but especially encryption).

Anonymous said...

Steg is sexy. It's Get Smart and cool. But until most investigators can find the basic stuff right there in the data files and file systems, I think the attention needs to stay where you put it: core Windows forensics.

You did an excellent job on the book. I bought the Redmond NetSec team several copies.

H. Carvey said...

Troy,

Thanks for your comments, and thanks for purchasing the books! Having never actually met you, I need to rely on others' (Rob H.) sightings...like the Loch Ness Monster or the Yeti. One day, I hope to be on the left coast and sit with you long enough to have a beer and say "thank you".

Anonymous said...

I don't think that steg would have fit within the framework of your book. After all, if you're going in that direction, would you stop there? If you did, someone would criticize your failure to discuss EFS, PGP, etc. I think that the registry section was actually some added frosting on the cake! Insofar as probing file systems is concerned, I'd point my colleagues to Brian Carrier's Forensic File System Analysis. I do, however, think that most of my colleagues already can adequately find evidence, or its absence, in files and systems.

I've added a comment to Don's critique. After all, I think that your blog followers are "preaching to the choir" for the most part. :-)

Anonymous said...

Harlan, Thanks for writing the book. I ordered the book and had to wait nearly a month for it to come in, but it was worth the wait. Chapter 3, Windows Memory Analysis really blew me away. Having only used strings on memory dumps in the past, I was really surprised at how much I've been missing.

Great job!

Brett Shavers said...

Harlan, you did an outstanding job on this book. It is interesting that the majority of computer forensic books continue to cover the same basics over and over again, particularly when there is so much to the field to write about.

It takes a book like this to remind you that no matter how much you know, you really have a long way to know it all (if that is even really possible...). You made a great decision to not talk about the basics of computer forensics such as evidence procedures. I didn't have to skip any chapters as nothing was regurgitated material, it was all fresh and nicely done.

Very nice job Harlan!

Brett Shavers

Anonymous said...

I and many of my friends at the web design company have placed separate orders for the book and had to wait nearly a month for it to come in, but it was worth the wait. Really amazing... thanks for that...

H. Carvey said...

Sean,

Thanks. I'm not sure how you ordered them (Amazon, or from somewhere else) but thanks for doing so.

Any chance I could get something a bit more substantial from you? If you don't want to post a review on Amazon, perhaps something you could send me and I'd post off of my blog?

Thanks,
H