Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
by Harlan Carvey

Syngress 2011.
ISBN 978-1-56749-580-6 . amazon.com USD 62.95

Reviewed by  Richard Austin   3/12/2011 

In his last book Windows Forensic Analysis, 2ed (reviewed in the July, 2009 Cipher), Carvey introduced registry analysis in a single chapter. In the four chapters of this short book, he provides a much expanded view of the capabilities of registry analysis in both incident response and forensic investigation (though those two activates are definitely starting to merge). Carvey is a pleasure to read because of his deep knowledge of the material gained through sustained practice of the techniques and a knack for organizing and communicating technical detail in a comprehensible manner.

In Chapter 1, "Registry Analysis", Carvey explains what the registry is, the treasure trove of information that is contained within it and tantalizing glimpses of what its analysis may reveal about the history of a system and the activities of its users (covered in detail in later chapters). The reader may be tempted to skip ahead (Chapter 4 was a definite magnet) but the foundational material is quite important to later topics.

In Chapter 2, "Tools", Carvey offers a tour of a variety of tools (mostly Open Source) that are used in registry analysis. This chapter introduces "RegRipper", the tool that Carvey developed for his own use and has made available to the community. Written as Perl scripts (but also made available as .EXE files on the companion CD), these tools are both easy to use and extremely useful in making sense of registry contents. I contrast to the classic "tool catalog", the tools are presented in the context of how they are used, the information they provide and the overall part they play in an analysis.

Chapter 3, "Case Studies: The System", begins the real "meat" of the book: how you actually use registry analysis in practice. As Carvey notes, much written about "registry analysis" consists of long lists (or worse, spreadsheets) of registry keys with no real insight provided in how they relate to one another or how they're used in answering questions of fact about actions in the real world. In contrast, he explores the system-related hives in the context of particular types of information (e.g., firewall policies) and shows what information the registry stores and how it can be retrieved in intelligible form. Sidebars are sprinkled through the chapter providing insights from real investigations on how that information fitted into the overall scenario.

Chapter 4, "Case Studies: Tracking User Activity", focuses on what the registry can tell an analyst about the activities of a system's user(s). From searches to "the Trojan defense", Carvey walks the reader through how user activities leave traces in the registry record and how an analyst can use those traces to reconstruct the story of what likely happened in the real world.

For the incident responder or forensic analyst, this is a must-read book that will equip them to make use of the wealth of information in the Windows registry to be more effective in accomplishing their daily tasks. In addition to the details of registry analysis, Carvey sprinkles much worthwhile detail about the investigative process itself throughout the book. The tools CD contains many of the tools mentioned in the book and I heartily compliment Carvey on providing both Perl scripts and their compiled version (is your humble correspondent the only one who always seems to be missing one required Perl library or another?).

The book does have some minor flaws in the text (some typos, mismatched and mislabeled figures, etc) that should have been caught by the copy editor but they are at worst minor distractions from an excellent and worthwhile read.

Before beginning life as an itinerant university instructor and security consultant, Richard Austin (http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry in positions ranging from software developer to security architect. He welcomes your thoughts and comments at raustin2 at spsu dot edu