Windows Registry Forensics, Second Edition
D**A
Learn what information is in the Registry and be a sniper with your analysis
The book provides a detailed discussion on the structure of the registry, its keys and relevancy to digital forensics & incident response (DFIR). The author also focuses on presenting examples and use cases on how the reader can leverage information in the registry as part of an analysis. Discussion of tools is given and the tools presented are free and some are open source, which you can modify to fit your needs if you understand the programming language they are written in. The author dedicates a chapter to RegRipper, a tool that he wrote to parse registry hives, and it serves as a mini manual. After reading the previous chapters, hopefully the reader will understand the flexibility of the tool and how one can expand its functionality. Overall the author does a great job in presenting the information; although short (191 pages), the content is targeted at what can bring value to the reader/analyst. I recommend it to all who work in the DFIR field or are starting to. A longer review will be posted on my blog and I will update this review in the future.
S**N
Great Book
Really great book.
J**N
Four Stars
Great book.
S**S
Five Stars
Drills down into depths of Registry.
C**N
As represented
Good book.
A**S
Bought it. Ate it up.
There are few DF practitioners I know of (some I know personally) that when a book is written, I buy it without even considering if it will be a good read simply because I know it will be. Harlan's books are in that group of books I know will be worth the money to buy and time to read. Windows Registry Forensics/2E is no different. If for no other reason but to learn to use RegRipper, buy this book. In the DFIR field, books are expensive and by the time you have read a few dozen books and worked dozens (hundreds...) of cases, you have pretty much seen most of what you will ever see. So when you find one chapter in a book that makes a difference in the way you work, that makes the book worth it. The RegRipper chapter is one of those chapters for those who 'use' RegRipper but could actually exploit RegRipper to more potential with a few key points laid out in the book. As for me, any book that helps me do something faster, easier, and with more accuracy is worth it. And if any book has just one golden nugget to help me do that, it's a keeper. Just as Harlan's previous books are a keeper, so is this one. I recommend it for any practitioner. Actually, I would not expect that it not be on every practitioner's shelf. When you can get into the mind and theory of someone like Harlan through a book, do it. You won't regret it.
C**Z
This is Harlan's best literary work in the collection of books I own
This is Harlan's best literary work in the collection of books I own. The quality of its writing in meaningful detail about the registry, its structure, technology overview and considerations in forensics were a pleasant attention grabber in every chapter. I felt as if I were in a productive environment discussing forensic science and the fundamental role of the registry in the right stages of being faced with analysis, or challenges of an investigation. I also felt many of the questions I would naturally need answered by an expert were met by the book in each chapter. Let me be clear, I wasn't looking for tools or command line switches in this book, I was looking for Core Knowledge, analysis considerations and sound judgement on how to approach the Windows Registry as a data source for forensic focus, how to assess the likelihood of its value towards my own investigations, and more importantly how to pinpoint the outcome of what I am looking for in the context of my analysis. Lastly, the part I enjoyed the most was the natural writing style provided by Harlan when recognizing other talented individuals in the industry and their research, tools and approaches to expanding the capability of DFIR practitioners when looking at the Registry. This led me to appreciate the literary work as I have noted here. It is a book that every forensic shop must own and have handy to mentor younger talent, as well as leverage for our methodologies/scripts.
B**T
A lot of actual examples would be helpful and very useful. This would make for a book I could ...
It's an ok book for some. But, I want to see much more detail on making changes and maybe a whole book of nothing but explanations of each part of the Binary. And, tons of examples of what changes when the data is altered and what each change makes. Real time effects for actual changes in Windows 7, 8, & 10. XP is over with. A lot of actual examples would be helpful and very useful. This would make for a book I could really use on a regular basis.
P**R
Five Stars
Great book. Great price.
J**H
A solid book for investigators
Harlan provides expert knowledge on the registry that you will find yourself using in investigations. It's written in a notebook style, detailing his own research and experience of registry artefacts. It's very much a follow on from the previous version. It's a little pricey but for the knowledge it contains, you'll thank yourself for the investment in your career.
J**A
Disappointing
I found this book not helpful at all for understanding the registry. Overpriced for what it has to offer.