Publishing DFIR Books

I recently received notification that Syngress is interesting in publishing a second edition of Windows Registry Forensics.  I submitted my proposed outline, the reviews of which were apparently favorable enough to warrant a second edition.

I've blogged before regarding writing DFIR books, and that effort seems to have fizzed a bit.  I wanted to take the opportunity to give another shot and see if I couldn't resurrect this topic, or a portion of it, just a bit.  So, the purpose of this blog post is two-fold: to set expectations of the upcoming edition, as well as offer those in the community who are interested to have input into the development (what goes in it) of the book.

Based on the reviews of my proposed outline, as well as some of the online reviews (Amazon, SecurityXploded, etc.), I wanted address a few of the comments I  tend to see more frequently than most, and then allow those who read this post to make their own comments.

From the SecurityXploded review:

It would have been better if author would have put up the approach or step by step procedure one should follow while analyzing live & offline system.

...and...

Putting things straight and then discussing relevant tools at each step will be more beneficial.

This is always an interesting statement to pursue, in part because I see it pretty often in things I've written (such as the HowTo blog posts from July 2013), as well as course materials and presentations I, and others, have put together.  As I'm sure others have done, I try to write something that is general enough to apply across multiple situations, and hope that the reader is able to extrapolate what I've written so it can be used in their specific situation.  My thinking...and it may be wrong...is that analysts must be able to take what they've learned from white papers, presentations, training courses, and other sources, and apply that information and knowledge to what they have available to them.  Not everything that an analyst encounters is going to fit neatly into a training course or whitepaper; there's always going to be some twist or variation, based on the goals of the examination, the data available, etc.  As such, analysts need to be able to build on core principles and basic knowledge to be able to meet the challenges before them.

For example, an analyst should be able to review the SANS checklist for analyzing USB devices on Windows 7, read this HowTo (Correlate an attached device to a user) and this HowTo (Determine user access to files), and be able to determine the files a user may have accessed from a thumb drive that had been attached to their system.  Part of this entails that there has to be some point at which a common, baseline level of knowledge must be assumed.  For example, do you assume that most folks know what the Registry is, or how to determine the CurrentControlSet from a System hive extracted from an acquired image?

This is why I advocate that analysts must share their experiences; no one of knows everything, but together, we can know more than any one of us.  None of us is going to have the same experiences as everyone else, but we can all learn from each other's experiences.

Another comment from the SecurityXploded blog post:

However if you are expecting to cover all those important registry locations then you will be disappointed and it is not feasible in one book. 

This is exactly right, and goes back to one of the core things I learned about writing DFIR books...you're not going to make everyone happy.  Someone's always going to be disappointed about what they didn't find in the book.  But you know what...that's okay.  It has to be...if someone tried to write a book that covered everything, that book would never be completed.

I've been working directly in the DFIR field for a little more than 14 years, and I will be the first to admit, I have not seen everything there is to see.  I've done DFIR in an internal, FTE position, as well as as a consultant.  For a bit more than three years, I did PCI response while at IBM ISS.  While my work has evolved over time, there is still a great deal that I haven't seen, and when I write books or blog posts, I most often base what I write about my own direct experiences.  Now and again, someone will share data with me, and I will learn a little something from their experiences.  I like to sprinkle those indirect experiences in, as well, because they broaden the reach of the material.

In WRF 2/e, I do plan to provide examples of analysis processes I've used, based on goals I've been given, as well as things that I've seen during analysis.  However, no one should expect to pick up this book (or any other DFIR book, for that matter) and find the answer to their specific issue or question.  This is particularly true if no effort is made to contact the author while the book was being written.

From the WRF 2/e outline reviews, as well as from other sources, I've seen this little gem:

You need to provide a chapter on Windows Phone 8.

Anyone remember this blog post?  There were two important take-aways from that blog post.  One was that RegRipper does work with the Windows Phone 8 Registry, and what's needed is sample data and input into what examiners find important, so that plugins can be written.  The second is that the hive files were provided to me...I do not own a Windows Phone 8, nor do I have access to these devices, through work or any other means.  Cindy Murphy did send me some hive files extracted from a Windows Phone 8, but that's one system and a very limited amount of data.  I can't write about what I don't know and didn't experience, and can't provide screen captures illustrating data that I do not have.  Would I like to write more about the Windows Phone 8, particularly the Registry?  Sure.  Without a doubt.  But without actual data, I can't really be expected to write much of anything, can I?

Okay, those are just a few of the comments/statements I've seen in reviews, and like I said, I only wanted to address those that I see regularly.  If you have any thoughts or comments about the content that should appear in WRF 2/e, I'd be glad to hear and consider them.  Thanks.