Right to the point, aka TL;DR

This is a good book. If the title fits with what you are currently doing or want to do, then this book is for you and worth it. I recommend that this be one of your books on your DFIR book shelf.

About the book (not the content, but the book):

I’ll get to the one thing about Investigating Windows Systems (IWS) right off the bat. The book is physically small. I am only coming right out about the size because I have read comments online about the size, and personally, when I first saw the book, my thought was “Wow. It’s small.”

Print quality is very good, better in fact than many similar books. The layout, callouts, and information boxes are all well done. Graphics are in black & white and could only be better if they were in color. Color is more expensive, so black & white works to keep book prices under control.

The text is easy on the eyes, and the separated sections with bold section headers are helpful when flipping back to previous pages to review content.

The important part: Contents!

I have to address the size again, only because of comments that I have read and a conversation that I had about the size where some were judging the contents by the size of the book.  This is my take on the size of a book:

  • If a book weighs 10 pounds, is 10 inches wide, costs 10 dollars, but the information value is only worth 10 cents, then that book is a rock.
  • Conversely, if a book is small, full of valuable content, then that book is a gold nugget regardless of cost or size.

IWS is a gold nugget. Small but packs a punch. This is not a book for anyone who judges a book by its cover or its weight or its price. This is a book judged by its content.

The most important aspect of this book that I like is that of Harlan Carvey’s thoughts being in text. Thoughts, as in, what he thinks and what his objectives are in addressing an analysis. Coupled with using publicly available images and open source tools, you get a full picture of “What would Harlan do?” in the images he has chosen.

But do not misunderstand my point. I do not mean that Harlan is right, or that his plans and objectives are best, or that he is even on the right track. I mean that he lays out the methods and processes that he uses so that you can at least see and feel how someone else does what you will probably do differently. This is a good thing for more reasons than I can describe, because every examiner is different, every case is different, and every day is different in how you will approach a problem. IWS gives you the perspective of someone else working cases and how they think.

This is one of the things that I find missing in many DFIR texts. The “how to” is always an easy thing to teach, to write, and to do. Click here. Click there. Copy here. Paste there. I am always on the lookout for the books that guide you in how to ‘think’, not ‘what to do’. The ‘what to do’ changes like the wind depending on the circumstance. Knowing how to think handles any changes you come across.

As one example, Harlan uses the CFReDS hacking case image (from NIST). He states the analysis goals, things to consider, an analysis plan, works through the exercises, and talks about lessons learned. Every case should be a lesson learned. There has not been a case that I have not reflected back on and learned something. This is a point to be made in any DFIR teachings. Reflect back and learn. You should know and accept that if you re-worked any case that you worked before, you could do it better this time. That doesn’t mean you did a bad job, it just means that you learned and will do better on the next case, and the next case, and the next case.

I wrote about this concept in a blog post (https://brettshavers.com/brett-s-blog/entry/i-don-t-need-to-learn-just-give-me-the-answer) about figuring things out yourself. To clarify a little more, I don’t mean that we should flounder on the floor trying to figure out everything without help, but that when given guidance on “how to think”, we can figure out practically anything on our own. That is where IWS shines in the aspect of thought processes.

I must confess something about every DFIR book that I have ever read. Of all the books that contained exercises, I have not done every exercise. I have actually just read them and taken for granted that the author was correct in showing how the exercises are done. I have done some exercises, but certainly not all. This was the first book that I did every exercise. Partly because all the evidence files and tools are readily available, partly because I could follow along in the book, but mostly because I wanted to see if my thought processes were the same, similar, or completely different. My result was that some of my thought processes were the same, some were similar, and some were completely different.

Harlan mentions in the book that he set out to learn something, but ended up learning something that he had not planned on. That’s the way it works when you do it right.  

If you have read anything that I have written, or been in a class or presentation that I have given, then you probably have heard me say that if you learn “one thing” that makes a world of difference in your life or work, then the time you spent learning that “one thing” was worth it. Whether you learned it in a classroom, book, video, conference, or working a case doesn’t matter. As long as you learned that “one thing”. This book certainly has that one thing for you.