For those who've read my book...  

keydet89
(@keydet89)
Community Legend

This is a question for those of you in the forum who've seen my book…those who own it, or have looked at it in a bookstore, etc.

I recently received a second notification of the sales of my book…and the numbers were not a significant increase over the first set of numbers I received 6 months ago. Therefore, the publisher is hesitant to even discuss an advanced copy of the book. What they have done is placed the responsibility of finding out what readers want on me. So what I'd like to hear from you, if you have the book or have seen it, is what do you think would make a better second book?

I've posted this on my blog and received surprisingly few responses. Is there an interest for a book that delves deeper into live response and forensic analysis of Windows systems, and in particular, the analysis phase of an investigation? If so, how would this sort of thing be better presented? I've been told that "war stories" are of interest, as are case studies, and challenges. I've got some ideas of exercises and challenges to provide in the different chapters of the book.

For example, when discussing analysis of the Registry, I intend to provide actual Registry files…system, software, ntuser.dat, etc., as well as the code I use…and not just Perl scripts, but compiled EXEs, as well. I will also provide challenges/exercises/questions at the end of chapters, or along the way, where the reader can try their hand at what's just been discussed.

So…what are your thoughts on this?

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 17/10/2005 5:25 pm
tmbstone
(@tmbstone)
New Member

Personally, I find actual sample files to be the best way to learn. You can read techniques forever, but you still need practical experience to apply those techniques and see results.

Posted : 17/10/2005 7:28 pm
keydet89
(@keydet89)
Community Legend

tmbstone,

So you like the idea of having sample files to work with? Okay…that's a start, and definitely doable. I do agree with that, particularly with regards to more advanced topics, such as malware analysis. Pulling file version information from an executable is trivial, and there are plenty of sample files on any running Windows system. I guess that in those cases, using "interesting" examples is more beneficial.

Any other thoughts?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 17/10/2005 7:55 pm
psu89
(@psu89)
Active Member

I will also provide challenges/exercises/questions at the end of chapters, or along the way, where the reader can try their hand at what's just been discussed.

I really like the exercises; it's how I learn/retain the most information. I especially liked chapter 9. More of this would be great!

Also, I am having trouble learning/understanding perl script usage. Can you recommend a location for more info? I plan to re-read the book during this current quarter at school (I am taking a Security + class) and hope to get a better handle on it but more would be good. Thanks.

Brian

Posted : 17/10/2005 8:28 pm
keydet89
(@keydet89)
Community Legend

I am having trouble learning/understanding perl script usage

In most cases, it's pretty simple…simply run the script from the commandline. When I write scripts, I generally try to provide some kind of usage information, either in a readme, in the comments to the code, or in a "-h" message that's displayed by the script.

Can you recommend a location for more info?

On how to use Perl scripts? Not really…that's very dependent upon the scripts themselves.

Where are you having the trouble?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 17/10/2005 8:39 pm
psu89
(@psu89)
Active Member

I am currently in school for an AA in computer forensics and was basically just trying out some of the scripts to see what they did. I think I figured out some of the problems (I am on a standalone PC, no DC or AD) and did not have dependent scripts installed (i.e. using winapimac needs win32apiprototype). I think re-reading the book will help. The first time through got me familiar with the topics/vocabulary, and the second time through I should be able to really sink my teeth into it. These are all new subjects for me and, for most of them, this is the first time I am learning about them.

Brian

Posted : 17/10/2005 8:48 pm
techmerlin
(@techmerlin)
Member

Harlan,

I also own your book. One suggestion I would make is what some others have mentioned with regards to the sample files / exercises. I really find it interesting, when talking about a situation or event, when you can recreate it with the tools provided so as to get an exact replication of the instance, instead of going to find other tools and getting slightly different or just different-looking results.

As for forensic books in general, I have read a number of them and to this point I did find yours the most informative from a 'live' perspective. All in all, if you can capture the reader and keep them focused on what you are referring to, looking at, and the items your eyes are focusing on within the results when doing the examinations, I think you will get a good solid group of interested and informed readers.

Thanks

Posted : 17/10/2005 9:05 pm
 Anonymous

I agree. I own the book myself, but it was something that I had to dig around with. I don't have a Windows machine at home, so I was doing most of the stuff on a spare box at work. Great book nonetheless.

Posted : 17/10/2005 9:23 pm
keydet89
(@keydet89)
Community Legend

All,

Thanks for your input. So far, the focus seems to be on providing files that can be used…example files to run the tools on, in addition to the tools themselves (where applicable, of course, and in accordance with things like distribution policies).

I've also thought about including challenges, with the results encrypted on the CD with PGP. That way, I could either have the reader email me for the key, or "hide" the key someplace on the CD.

PSU89, I'm not entirely sure where you're having trouble.

I am on a standalone pc- no DC or AD

Most of the scripts associated with my book don't require a DC or AD, or even a domain.

…did not have dependent scripts installed

Ah, I guess what you're referring to is the necessary modules. I don't think you would've had any problem had you read Appendix A. In fact, the necessary command to install the Win32APIPrototype module is at the bottom of page 427.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 17/10/2005 10:46 pm
hogfly
(@hogfly)
Active Member

From my perspective, the first book lacked one of the things that you talk about quite a bit: the process. It is not so much the tools used, but the process that gets held under a microscope. I'd like to see a focus on responding to and handling Windows OS based incidents that covers process and procedures that will hold up under scrutiny. I'd like to see this from start to finish.

Posted : 17/10/2005 11:38 pm
keydet89
(@keydet89)
Community Legend

Hogfly,

You know, you're probably right…I didn't cover that quite enough in the first book. The reason for that brings up an entirely different area of discussion regarding "forensically sound" processes.

I'll go ahead and start another thread on that topic, but what I'm getting at here is that forensics purists will say that a "forensically sound" process on a live system is impossible. Even if the tools themselves do not write to the hard drive, changes will occur to the system simply because it's still live. At that point, what constitutes "forensically sound"?

I'd like to ask that those interested pursue this thread here, and I'll go start a thread regarding forensically sound processes…

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 18/10/2005 12:28 am
psu89
(@psu89)
Active Member

I hate to hijack your thread but….

I was trying to run a few scripts (like mdmscan.pl and sniffscan.pl) that I discovered needed a file generated by wksdump.pl. I was under the impression that wksdump.pl could only be used in a domain. I had already read Appendix A and was able to install modules, but I could not get rasadmin.ppd installed.

Would you recommend I install most (or all) of the modules mentioned in the book first before continuing?

Brian

Posted : 18/10/2005 1:11 am
psu89
(@psu89)
Active Member

From my perspective, the first book lacked one of the things that you talk about quite a bit: the process. It is not so much the tools used, but the process that gets held under a microscope. I'd like to see a focus on responding to and handling Windows OS based incidents that covers process and procedures that will hold up under scrutiny. I'd like to see this from start to finish.

As a newbie to the field (actually, I am not even in the field yet), I would have to agree: the process would be very helpful.

Posted : 18/10/2005 1:16 am
nbeattie
(@nbeattie)
Junior Member

Harlan

I haven't had too much time to read through your book yet (it's my spare time project for the next few weeks), but I agree with the previous responders that sample files & exercises would be very useful.

I would also find it useful if there was information covering instant messengers such as AOL and Yahoo since they are so commonly used these days. Also spool files.

Have you considered delivering an "online course" as backup to the book - say providing a number of exercises for each section, providing support and marking them ?

Neil

Posted : 18/10/2005 1:27 am
keydet89
(@keydet89)
Community Legend

Neil,

Have you considered delivering an "online course" as backup to the book - say providing a number of exercises for each section, providing support and marking them ?

Yes, I have. I don't think that finding web space for them would be difficult, but what would I do outside of posting them?

Another concern would be other obligations…putting exercises together, particularly several for each section (assuming increasing difficulty, etc.), is time consuming. At this point, there's no financial outcome from the effort, since the book is already published. The frequency of the exercises would be reduced by activities that provided remuneration, such as writing articles, teaching courses, etc. I would not reduce the quality of the exercises simply to meet a schedule.

Another issue is feedback for the exercises. Do I simply post them, or do I have some kind of notification of the best or top responses?

Remember, the HoneyNet SotM challenges are hosted by a team of individuals. Compare those in difficulty, frequency, and quality to those from sites like CounterHack.net and the ISC handler who's posted malware analysis challenges.

Thoughts?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 18/10/2005 1:46 am