I want to take a moment to correct an oversight I made earlier while discussing Windows forensics resources.
That error was the failure to mention one of the foremost experts in the field: Harlan Carvey. Harlan's books have provided me a wealth of information in the field of digital forensics. In addition, he maintains a terrific and much perused blog: Windows Incident Response. Harlan has a wealth of investigative experience and if you wonder what the background for a forensics pro looks like, you really should take a moment to read an interview he conducted in May 2007. The insight is far above anything I could ever hope to provide. For those of you (and I know there are many) just venturing into this exciting line of security work, Harlan's expertise is more than you could get from any classroom.
As I mentioned his two books are a terrific resource and should be in every forensic bookcase:
I should also mention that for some of you computer "purists" that Harlan isn't just running a stack of commercial tools. He has actually created a large number of Perl scripts (included on the DVD with the book) and he provides the code in the book, so you can really see what's going on. "Well crap Kai, Perl won't run on a Windows box by default." You're right! But the Windows Forensics and Incident Recovery book has a whole chapter titled Installing Perl on Windows. (Good thing too....cuz I probably wouldn't have figured it out). He mentions a free Perl port for Windows called ActivePerl from ActiveState.com. (For you cutting edge types, they do have x64 bits as well). Pulls down in a nice little .MSI package. Now I feel like a true computer guy! (BTW, I did check with Joe Stagner, one of my most respected and opinionated Developer security buddies, to see if Microsoft had anything like ActivePerl. Joe's answer: "I use ActivePerl.")
Harlan, please accept my apologies for the oversight and I hope to meet you in the future! Maybe we can get Harlan to come speak at Tech-Ed 2008???