Four chapters. You might think that with only four chapters the author could in no way write a book that covers Windows registry forensics. I was a bit skeptical at first too but was quickly proven wrong. I’ve known Harlan for a few years now and I know that his knowledge of the Windows registry is in the 99th percentile when compared to his peers. Do not think of this as a four-chapter book. Think of this as a continuation of the concepts that Harlan presented in Chapter 4 of his Windows Forensic Analysis DVD Toolkit, Second Edition. With only roughly 100 pages in which to describe the valuable artifacts that reside in the Windows registry, Harlan obviously felt that he needed more room to spread his wing – hence the new book.
Chapter 1 provides a very detailed overview of registry analysis. Harlan really wants analysts to first consider the types of information they need prior to starting a forensic exercise. The ‘what’ and ‘where’ of the registry is detailed at great length in addition to its structure. Though this book shows you where to find the registry and some important keys, the author is careful to not present this as the Bible of registry information – knowing full well that the minutiae will change from Windows release to Windows release. What this chapter does provide, however, is a good sense of what types of information can be found within the Windows registry. Chapter 2 provides in-depth coverage of several tools to not only conduct forensic investigations on the Windows registry but also how to interact with the registry (both on the target systems and remotely). The author describes tools that he has crated (and that are freely available) in addition to tools and applications from others.
Perhaps the most valuable chapters in the entire book are the last two chapters. In chapters 3 and 4 the author provides numerous case studies that illustrate the kinds of information that can be found within the Windows registry. The various hives are discussed at length (the treasure chest of Windows artifacts) and numerous steps for tracking user activity are also discussed.
I cannot recommend this book enough. If you’re looking for this book to be the Bible of registry information – you’re not looking at the right book. If you want to know exactly what kind of information is stored within the Windows registry, however, this is an excellent map to get you to the finish line.