
For those who've read my book...

17 Posts
8 Users
0 Likes
1,136 Views
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

This is a question for those of you in the forum who've seen my book…those who own it, or have looked at it in a bookstore, etc.

I recently received a second notification of the sales of my book…and the numbers were not a significant increase over the first set of numbers I received 6 months ago. Therefore, the publisher is hesitant to even discuss an advanced copy of the book. What they have done is placed the responsibility of finding out what readers want on me. So what I'd like to hear from you, if you have the book or have seen it, is what do you think would make a better second book?

I've posted this on my blog and received surprisingly few responses. Is there an interest for a book that delves deeper into live response and forensic analysis of Windows systems, and in particular, the analysis phase of an investigation? If so, how would this sort of thing be better presented? I've been told that "war stories" are of interest, as are case studies, and challenges. I've got some ideas of exercises and challenges to provide in the different chapters of the book.

For example, when discussing analysis of the Registry, I intend to provide actual Registry files…system, software, ntuser.dat, etc., as well as the code I use…and not just Perl scripts, but compiled EXEs, as well. I will also provide challenges/exercises/questions at the end of chapters, or along the way, where the reader can try their hand at what's just been discussed.

So…what are your thoughts on this?

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 17/10/2005 4:25 pm
(@tmbstone)
Posts: 9
Active Member
 

Personally, I find actual sample files to be the best way to learn. You can read techniques forever, but you still need practical experience to apply those techniques and see results.

 
Posted : 17/10/2005 6:28 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

tmbstone,

So you like the idea of having sample files to work with? Okay…that's a start, and definitely doable. I do agree with that, particularly with regards to more advanced topics, such as malware analysis. Pulling file version information from an executable is trivial, and there are plenty of sample files on any running Windows system. I guess that in those cases, using "interesting" examples is more beneficial.

Any other thoughts?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 17/10/2005 6:55 pm
psu89
(@psu89)
Posts: 118
Estimable Member
 

I will also provide challenges/exercises/questions at the end of chapters, or along the way, where the reader can try their hand at what's just been discussed.

I really like the exercises; it's how I learn/retain the most information. I especially liked chapter 9. More of this would be great!

Also, I am having trouble learning/understanding perl script usage. Can you recommend a location for more info? I plan to re-read the book during this current quarter at school (I am taking a Security + class) and hope to get a better handle on it but more would be good. Thanks.

Brian

 
Posted : 17/10/2005 7:28 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

I am having trouble learning/understanding perl script usage

In most cases, it's pretty simple…simply run the script from the commandline. When I write scripts, I generally try to provide some kind of usage information, either in a readme, in the comments to the code, or in a "-h" message that's displayed by the script.

Can you recommend a location for more info?

On how to use Perl scripts? Not really…that's very dependent upon the scripts themselves.

Where are you having the trouble?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 17/10/2005 7:39 pm
psu89
(@psu89)
Posts: 118
Estimable Member
 

I am currently in school for an AA in computer forensics and was basically just trying out some of the scripts to see what they did. I think I figured out some of the problems (I am on a standalone PC, no DC or AD) and did not have dependent scripts installed (i.e. using winapimac needs win32apiprototype). I think re-reading the book will help. The first time through got me familiar with the topics/vocabulary and the second time through I should be able to really sink my teeth into it. These are all new subjects for me and for most of them, it's the first time I am learning about it.

Brian

 
Posted : 17/10/2005 7:48 pm
techmerlin
(@techmerlin)
Posts: 62
Trusted Member
 

Harlan,

I also own your book. One suggestion I would make is what some others have mentioned with regards to the sample files / exercises. I really find it interesting when, talking about a situation or event, you can recreate it with the tools provided so as to get an exact replication of the instance instead of going to find other tools and getting slightly different or just different-looking results.

As for forensic books in general, I have read a number of them and to this point I did find yours the most informative from a 'live' perspective. All in all, if you can capture the reader and keep them focused on what you are referring to, looking at, items your eyes are focusing on within the results when doing the examinations, I think you will get a good solid group of interested and informed readers.

Thanks

 
Posted : 17/10/2005 8:05 pm
(@Anonymous)
Posts: 0
Guest
 

I agree. I own the book myself, but it was something that I had to dig around with. I don't have a Windows machine at home so I was doing most of the stuff on a spare box at work. Great book nonetheless.

 
Posted : 17/10/2005 8:23 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

All,

Thanks for your input. So far, the focus seems to be on providing files that can be used…example files to run the tools on, in addition to the tools themselves (where applicable, of course, and in accordance with things like distribution policies).

I've also thought about including challenges, with the results encrypted on the CD with PGP. That way, I could either have the reader email me for the key, or "hide" the key someplace on the CD.

PSU89, I'm not entirely sure where you're having trouble.

I am on a standalone pc- no DC or AD

Most of the scripts associated with my book don't require a DC or AD, or even a domain.

…did not have dependent scripts installed

Ah, I guess what you're referring to is the necessary modules. I don't think you would've had any problem had you read Appendix A. In fact, the necessary command to install the Win32APIPrototype module is at the bottom of page 427.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 17/10/2005 9:46 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

From my perspective, the first book lacked one of the things that you talk about quite a bit. The process. It is not so much the tools used, but the process that gets held under a microscope. I'd like to see a focus on responding to and handling windows OS based incidents that covers process and procedures that will hold up under scrutiny. I'd like to see this from start to finish.

 
Posted : 17/10/2005 10:38 pm