Thoughts on Books and Book Writing
The new book has been out for a couple of weeks now, and already there are two customer reviews (many thanks to Daniel Garcia and Amazon Customer for their reviews). Daniel also wrote a more extensive review of the book on his blog, found here. Daniel, thanks for the extensive work in reading and then writing about the book, I greatly appreciate it.
Here's my take on what the book covers...not a review, just a description of the book itself for those who may have questions.
Does it cover ... ?
One question I get every time a book is released is, "Does it cover changes to ?" I got that question with all of the Windows Forensic Analysis books, and I got it when the first edition of this book was released ("Does it cover changes in Windows 7?"). In fact, I got that question from someone at a conference I was speaking at recently. I thought that was pretty odd, as most often these questions are posted to public forums, and I don't see them. As such, I thought I'd try to address the question here, so that maybe people could see my reasoning, and ask questions that way.
What I try to do with the books is address an analysis process, and perhaps show different ways that Registry data can be incorporated into the overall analysis plan. Here's a really good example of how incorporating Registry data into an analysis process worked out FTW. But that's just one, and a recent one...the book is full of other examples of how I've incorporated Registry data into an examination, and how doing so has been extremely valuable.
One of the things I wanted to do with this book was not just talk about how I have used Registry data in my analysis, but illustrate how others have done so, as well. As such, I set up a contest, asking people to send me short write-ups regarding how they've used Registry analysis in their case work. I thought it would be great to get different perspectives, and illustrate how others across the industry were doing this sort of work. I got a single submission.
My point is simply this...there really is no suitable forum (online, book, etc.) or means by which to address every change that can occur in the Registry. I'm not just talking about changes between versions of Windows...sometimes, it's simply the passage of time that leads to some change creeping into the operating system. For example, take this blog post that's less than a year old...Yogesh found a value beneath a Registry key that contains the SSID of a wireless network. With the operating system alone, there will be changes along the way, possibly a great many. Add to that applications, and you'll get a whole new level of expansion...so how would that be maintained? As a list? Where would it be maintained?
As such, what I've tried to do in the book is share some thoughts on artifact categories and the analysis process, in hopes that the analysis process itself would cast a wide enough net to pick up things that may have changed between versions of Windows, or simply not been discussed (or not discussed at great length) previously.
Book Writing
Sometimes, I think about why I write books; what's my reason or motivation for writing the books that I write? I ask this question of myself, usually when starting a new book, or following a break after finishing a book.
I guess the biggest reason is that when I first started looking around for resources that covered DFIR work and topics specific to Windows systems, there really weren't any...at least, not any that I wanted to use/own. Some of those that were available were very general, and with few exceptions, you could replace "Windows" with "Linux" and have the same book. As such, I set out to write a book that I wanted to use, something I would refer to...and specifically with respect to the Windows Registry Forensics books, I still do. In fact, almost everything that remained the same between the two editions did so because I still use it, and find it to be extremely valuable reference material.
So, while I wish that those interested in something particular in a book, like covering "changes to the Registry in ", would describe the changes that they're referring to before the book goes to the publisher, that simply hasn't been the case. I have reached out to the community because I honestly believe that folks have good ideas, and that a book that includes something one person finds interesting will surely be of interest to someone else. However, the result has been...well, you know where I'm going with this. Regardless, as long as I have ideas and feel like writing, I will.