Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7 / Edition 3

Paperback (Print)
Rent from
(Save 75%)
Est. Return Date: 07/25/2015
Buy New
Buy New from
Used and New from Other Sellers
Used and New from Other Sellers
from $52.84
Usually ships in 1-2 business days
(Save 24%)
Other sellers (Paperback)
  • All (17) from $52.84   
  • New (12) from $54.66   
  • Used (5) from $52.84   


Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7 provides an overview of live and postmortem response collection and analysis methodologies for Windows 7. It considers the core investigative and analysis concepts that are critical to the work of professionals within the digital forensic analysis community, as well as the need for immediate response once an incident has been identified.
Organized into eight chapters, the book discusses Volume Shadow Copies (VSCs) in the context of digital forensics and explains how analysts can access the wealth of information available in VSCs without interacting with the live system or purchasing expensive solutions. It also describes files and data structures that are new to Windows 7 (or Vista), Windows Registry Forensics, how the presence of malware within an image acquired from a Windows system can be detected, the idea of timeline analysis as applied to digital forensic analysis, and concepts and techniques that are often associated with dynamic malware analysis. Also included are several tools written in the Perl scripting language, accompanied by Windows executables.
This book will prove useful to digital forensic analysts, incident responders, law enforcement officers, students, researchers, system administrators, hobbyists, or anyone with an interest in digital forensic analysis of Windows 7 systems.

  • Timely 3e of a Syngress digital forensic bestseller
  • Updated to cover Windows 7 systems, the newest Windows version
  • New online companion website houses checklists, cheat sheets, free tools, and demos
Read More Show Less

Editorial Reviews

From the Publisher
"Harlan has done it again! Continuing in the tradition of excellence established by the previous editions, Windows Forensics Analysis Toolkit 3e is an indispensable resource for any forensic examiner. Whether you're a seasoned veteran or just starting out, this work is required reading. WFA3e will maintain a perennial spot on my core reference bookshelf!"—Cory Altheide, Google

"Windows Forensic Analysis Toolkit 3rd Edition provides a wealth of important information for new and old practitioners alike. Not only does it provide a great overview of artifacts of interest on Windows 7 systems, but it also presents plenty of technology independent concepts that play an important role in any investigation. Feel free to place a copy on your shelf next to WFA 2ed and WRF."—

"The third edition of this reference for system administrators, digital forensic analysts, students, and law enforcement does not replace the second edition, but rather serves as a companion. Coverage encompasses areas such as immediate response, volume shadow copies, file and registry analysis, malware detection, and application analysis. Learning features include b&w screenshots, tip and warning boxes, code (also available on a website), case studies, and 'war stories' from the field. The tools described throughout the book are written in the Perl scripting language, but readers don't need to be experts in Perl, and most of the scripts are accompanied by Windows executables found online. For this third edition, a companion website provides printable checklists, cheat sheets, custom tools, and demos."Reference and Research Book News, Inc.

"There is a good reason behind the success of the previous editions of this book, and it has to do with two things: new Windows versions are different enough from previous ones to warrant a new edition and, most importantly, the author is simply that good at explaining things. This edition is no different."—HelpNetSecurity

Read More Show Less

Product Details

  • ISBN-13: 9781597497275
  • Publisher: Elsevier Science
  • Publication date: 2/10/2012
  • Edition description: Older Edition
  • Edition number: 3
  • Pages: 296
  • Sales rank: 384,699
  • Product dimensions: 7.44 (w) x 9.18 (h) x 0.78 (d)

Meet the Author

Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and “cloud computing” services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan’s primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms.
Harlan holds a bachelor’s degree in electrical engineering from the Virginia Military Institute and a master’s degree in the same discipline from the Naval Postgraduate School. Harlan resides in Northern Virginia with his family.

Read More Show Less

Read an Excerpt

Windows Forensic Analysis Toolkit

Advanced Analysis Techniques for Windows 7
By Harlan Carvey


Copyright © 2012 Elsevier Inc.
All right reserved.

ISBN: 978-1-59749-728-2

Chapter One

Analysis Concepts

CHAPTER OUTLINE Introduction 1 Analysis Concepts 3 Windows Versions 4 Analysis Principles 6 Goals 6 Tools Versus Processes 8 Locard's Exchange Principle 8 Avoiding Speculation 9 Direct and Indirect Artifacts 10 Least Frequency of Occurrence 14 Documentation 15 Convergence 16 Virtualization 17 Setting Up an Analysis System 19 Summary 22


• Analysis Concepts

• Setting Up an Analysis System


If you've had your eye on the news media, or perhaps more appropriately the online lists and forums, over the past couple of years, there are a couple of facts or "truths" that should be glaringly obvious to you. First, computers and computing devices are more and more a part of our lives. Not only do most of us have computer systems, such as desktops at work and school, laptops at home and on the go, we also have "smart phones," tablet computing devices, and even smart global positioning systems (GPSs) built into our cars. We're inundated with marketing ploys every day, being told that we have to get the latest-and-greatest device, and be connected not just to WiFi, but also to the ever-present "4G" (whatever that means ...) cellular networks. If we don't have a phone-type device available, we can easily open up our laptop or turn on our tablet device and instantly communicate with others using instant messaging, email, Twitter, or Skype applications.

The second truth is that as computers become more and more a part of our lives, so does crime involving those devices in some manner. Whether it's "cyberbullying" or "cyberstalking," identity theft, or intrusions and data breaches that result in some form of data theft, a good number of real-world physical crimes are now being committed through the use of computers, and as such, get renamed by prepending "cyber" to the description. As we began to move a lot of the things that we did in the real world to the online world (e.g., banking, shopping, filing taxes, etc.), we became targets for cybercrime.

What makes this activity even more insidious and apparently "sophisticated" is that we don't recognize it for what it is, because conceptually, the online world is simply so foreign to us. If someone shatters a storefront window to steal a television set, there's a loud noise, possibly an alarm, broken glass, and someone fleeing with their stolen loot. Cybercrime doesn't "look like" this; often, something isn't stolen and then absent, so much as it's copied. Other times, the crime does result in something that is stolen and removed from our ownership, but we may not recognize that immediately, because we're talking about 1s and 0s in cyberspace, not a car that should be sitting in your driveway.

These malicious activities also appear to be increasing in sophistication. In many cases, the fact that a crime has occurred is not evident until someone notices a significant decrease in an account balance, which indicates that the perpetrator has already gained access to systems, gathered the data needed, accessed that bank account, and left with the funds. The actual incidents are not detected until well after (in some cases, weeks or even months) they've occurred. In other instances, the malicious activity continues and even escalates after we become aware of it, because we're unable to transition our mindset from the real world (lock the doors and windows, post a guard at the door, etc.) to the online world, and effectively address the issue.

Clearly, no one and no organization is immune. The early part of 2011 saw a number of high-visibility computer security incidents splashed across the pages (both web and print) of the media. The federal arm of the computer consulting firm HBGary suffered an embarrassing exposure of internal, sensitive data, and equally devastating was the manner in which it was retrieved. RSA, owned by EMC and the provider of secure authentication mechanisms, reported that they'd been compromised. On April 6, Kelly Jackson Higgins published a story (titled "Law Firms Under Siege") at that revealed that law firms were becoming a more prevalent target of advanced persistent threat (APT) actor groups. The examples are numerous, but the point is that there's no one specific type of attack that is used in every situation, or victim that gets targeted. Everyone's a target.

To address this situation, we need to have responders and analysts who are at least as equally educated, armed, and knowledgeable as those committing these online crimes. Being able to develop suitable detection and deterrence mechanisms depends on understanding how these online criminals operate, how they get in, what they're after, and how they exfiltrate what they've found from the infrastructure. As such, analysts need to understand how to go about determining which systems have been accessed, and which are used as primary jump points that the intruders use to return at will. They also need to understand how to do so without tipping their hand and revealing that they are actively monitoring the intruders, or inadvertently destroying data in the process.

In this book, we're going to focus on the analysis of Windows computer systems—laptops, desktops, servers—because they are so pervasive. This is not to exclude other devices and operating systems; to the contrary, we're narrowing our focus in order to fit the topic that we're covering into a manageable volume. Our focus throughout this book will be primarily on the Windows 7 operating system (OS), and much of the book after Chapter 2 will be tailored specifically to the analysis of forensic images acquired from those systems.

In this chapter, we're going to start our journey by discussing and understanding the core concepts that set the foundation for our analysis. It is vitally important that responders and analysts understand these concepts, as it is these core concepts that shape what we do and how we approach a problem or incident. Developing an understanding of the fundamentals allows us to create a foundation upon which to build, allowing analysts to be able to address new issues effectively, rather than responding to these challenges by using the "that's what we've always done" methodology, which may be unviable.


Very often when talking to analysts—especially those who are new to the field—I find that there are some concepts that shape not only their thought processes but also their investigative processes and how they look at and approach the various problems and issues that they encounter. For new analysts, without a great deal of actual experience to fall back on, these fundamental analysis concepts make up for that lack of experience and allow them to overcome the day-to-day challenges that they face.

Consider how you may have learned to acquire images of hard drives. Many of us started out our learning process by first removing the hard drive from the computer system, and hooking it up to a write-blocker. We learned about write-blockers that allowed us to acquire an image of a hard drive to another, "clean" hard drive. However, the act of removing the hard drive from the computer system isn't the extent of the foundational knowledge we gathered; it's the documentation that we developed and maintained during this process that was so critical and foundational. What did we do, how did we do it, and how do we know that we'd done it correctly? Did we document what we'd done to the point where someone else could follow the same process and achieve the same results, making our process repeatable? It's this aspect that's of paramount importance, because what happens when we encounter an ecommerce server that needs to be acquired but cannot be taken offline for any reason? Or what happens when the running server doesn't actually have any hard drives, but is instead a boot-from-SAN server? Or if the running laptop uses whole disk encryption so that the entire contents of the hard drive are encrypted when the system is shut down? As not every situation is going to be the same or fit neatly into a nice little training package, understanding the foundational concepts of what you hope to achieve through image acquisition is far more important than memorizing the mechanics of how to connect source and target hard drives to a write-blocker and perform an acquisition. This is just one example of why core foundational concepts are so critically important.

Windows Versions

I've been told by some individuals that there are three basic computer operating systems that exist: Windows, Linux, and Mac OS X. That's it, end of story. I have to say that when I hear this I'm something a bit more than shocked. This sort of attitude tells me that someone views all Windows versions as being the same, and that kind of thinking can be extremely detrimental to even the simplest examination. This is due to the fact that there are significant differences among Windows versions, particularly from the perspective of a forensic analyst.

The differences among Windows versions go beyond just what we see in the graphical user interface (GUI). Some of the changes that occur among Windows versions affect entire technologies. For example, the Task Scheduler version 1.0 that shipped with Windows XP is pretty straightforward. The scheduled task (.job) files have a binary format, and the results of the tasks running are recorded in the Task Scheduler log file (i.e., "SchedLgU.txt"). With Vista and Task Scheduler version 2.0, there are significant differences; while the Task Scheduler log file remains the same, the .job files are XML format files. In addition (and this will be discussed in greater detail later in the book), not only do Vista and Windows 7 systems ship with many default scheduled tasks, but information about the tasks (including a hash of the .job file itself) is recorded in the Registry.

On Windows XP and 2003 systems, the Event Log (.evt) files follow a binary format that is well documented at the Microsoft web site. In fact, the structures and format of the .evt files and their embedded records are so well documented that open-source tools for parsing these files are relatively easy to write. Beginning with Vista, the Event Log service was rewritten and the Windows Event Log (.evtx) framework was implemented. Only a high-level description of the binary XML format of the logs themselves is available at the Microsoft site. In addition, there are two types of Windows Event Logs implemented; one group is the Window Logs and includes the Application, System, Security, Setup, and ForwardedEvent logs. The other group is the Application and Services logs, which record specific events from applications and other components on the system. While there are many default Application and Services logs that are installed as part of a Windows 2008 and Windows 7, for example, these logs may also vary depending on the installed applications and services. In short, the move from Windows XP/2003 to Vista brought a completely new logging format and structure, requiring new tools and techniques for accessing the logged events.

From a purely binary perspective, there is no difference among the Registry hive files of the various Windows versions, from Windows 2000 all the way through to Windows 7 (and even into Windows 8). In some cases, there are no differences in what information is maintained in the Registry; for the most part, information about Windows services, as well as the contents of the USBStor key, continue to be similar for versions between Windows 2000 and Windows 7. However, there are significant differences between these two Windows versions with respect to the information that is recorded regarding USB devices, access to wireless access points, and a number of other areas. Another example of a difference in what's recorded in the Registry is that with Windows XP, searches that a user performed through the Explorer shell (e.g., "Start->Search") are recorded in the ACMru key. With Vista, information about searches is moved to a file, and with Windows 7, user searches are recorded in the WordWheelQuery key.


Excerpted from Windows Forensic Analysis Toolkit by Harlan Carvey Copyright © 2012 by Elsevier Inc.. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Read More Show Less

Table of Contents

1. Analysis Concepts

2. Incident Preparation

3. Volume Shadow Copies

4. File Analysis

5. Registry Analysis

6. Malware Detection

7. Timeline Analysis

8. Application Analysis

Read More Show Less

Interviews & Essays

A Letter from Harlan Carvey, author of Windows Forensic Analysis Toolkit, 3rd edtion

I am not an expert. I really, enthusiastically enjoy performing digital forensic analysis of Windows systems and will get up early (for me..."early" is a relative term) to work on an examination. I enjoy not just finding new things in my analysis, but finding new combinations of things, looking for those hidden patterns to jump out of the data. I enjoy writing code to parse the binary contents of a file so that I can then see how the various teeth of the operating system and application gears mesh together, and in seeing what primary, secondary, and tertiary artifacts are left by various events that occur on a system.

When I first started writing books, I did so because I could not find something that would fit what I saw as my needs. Sure, there were books available that covered some aspects of digital forensic analysis of Windows systems, but there wasn't anything available that really went into depth on analyzing Windows as a system of interconnected components. There were books that covered some of the really obvious indications of an intrusion or malware infection, but how often are our examinations really about finding the obvious artifacts? I knew I couldn't be the only one looking for something like this, and writing a book not only provided a reference for myself and others, but the act of writing required me to polish and hone my thoughts. I hope you enjoy the finished product, and that it leads you beyond the obvious.

I hope you find my attempt to contribute to the digital forensics analysis community to be useful and thought-provoking. Thank you.

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Posted March 4, 2012


    Do you have an interest in developing a greater understanding of digital forensic analysis, specifically of Windows 7 systems? Author Harlan Carvey, has done an outstanding job of writing a third edition of a book that discusses the core concepts that sets the foundation for digital forensic analysis. Author Carvey, begins by addressing the core investigative and analysis concepts that are so critical. In addition, the author discusses the need for immediate response once an incident has been identified. He then addresses how analysts can access the wealth of information available in VSCs without having to interact with the live system, and without having to purchase expensive solutions. The author then focuses not only on the analysis of some of the usual files available on Windows systems, but also files and data structures that are new to Windows 7, and have been identified and better understood through research and testing. The author continues by addressing some of the information provided through other sources, most notably Windows Registry Forensics, and takes that information a step further, particularly with respect to the Windows 7 systems. He then discusses a specific type of analysis that is becoming very prominent within the digital forensic community. The author then shows you the process of creating a timeline of system activity for analysis. Finally, he discusses a number of concepts and techniques that are usually associated with dynamic malware analysis, but take a more general approach. This most excellent book covered a number of artifacts and resources that analysts can turn to within a Windows system to help address the issues and goals they are facing. Perhaps more importantly, this book focused on the fact that application analysis is, in some ways, similar to malware analysis, as some of the same techniques can be used to gather information regarding the effect that an application has on the environment, either through installation or normal user interaction.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)