Investigating Windows Systems

Investigating Windows Systems

1st Edition - August 14, 2018

Write a review

  • Author: Harlan Carvey
  • eBook ISBN: 9780128114162
  • Paperback ISBN: 9780128114155

Purchase options

Purchase options
DRM-free (EPub, Mobi, PDF)
Sales tax will be calculated at check-out

Institutional Subscription

Free Global Shipping
No minimum order


Unlike other books, courses and training that expect an analyst to piece together individual instructions into a cohesive investigation, Investigating Windows Systems provides a walk-through of the analysis process, with descriptions of the thought process and analysis decisions along the way. Investigating Windows Systems will not address topics which have been covered in other books, but will expect the reader to have some ability to discover the detailed usage of tools and to perform their own research. The focus of this volume is to provide a walk-through of the analysis process, with descriptions of the thought process and the analysis decisions made along the way. A must-have guide for those in the field of digital forensic analysis and incident response.

Key Features

  • Provides the reader with a detailed walk-through of the analysis process, with decision points along the way, assisting the user in understanding the resulting data
  • Coverage will include malware detection, user activity, and how to set up a testing environment
  • Written at a beginner to intermediate level for anyone engaging in the field of digital forensic analysis and incident response


Digital forensic professionals and analysts, information security professionals, researchers, and practitioners. Students in digital forensics programs at community college or university

Table of Contents

  • 1. Introduction
    2. Malware Detection
    3. User Activity
    4. Test Environment
    5. Field Manual

Product details

  • No. of pages: 136
  • Language: English
  • Copyright: © Academic Press 2018
  • Published: August 14, 2018
  • Imprint: Academic Press
  • eBook ISBN: 9780128114162
  • Paperback ISBN: 9780128114155

About the Author

Harlan Carvey

Mr. Carvey is a digital forensics and incident response analyst with past experience in vulnerability assessments, as well as some limited pen testing. He conducts research into digital forensic analysis of Window systems, identifying and parsing various digital artifacts from those systems, and has developed several innovative tools and investigative processes specific to the digital forensics analysis field. He is the developer of RegRipper, a widely-used tool for Windows Registry parsing and analysis. Mr. Carvey has developed and taught several courses, including Windows Forensics, Registry, and Timeline Analysis.

Affiliations and Expertise

DFIR analyst, presenter, and open-source tool author

Ratings and Reviews

Write a review

Latest reviews

(Total rating for all reviews)

  • DimiDer Mon Jul 01 2019

    Investigating Windows Systems

    I've read several books by Harlan, and I've never been disappointed. I love his direct way of writing. IWS is thinner and smaller than his other books, but no less important, on the contrary. Harlan writes that IWS is not for beginners, I still see myself as a beginner and should contradict Harlan here, also IWS is a book that is important, or may be, for any beginner, although some pieces in the book are not so easy with an effort of the reader and a search on the Internet everything becomes understandable. The book is well organized. It teaches you from the beginning that a good analysis plan is important. It teaches you to focus between 'nice to know' and 'need to know'. The book is divided into several cases (finding malware, user activity, web server compromise). Harlan explains to you how he would deal with these cases himself, and then teaches you how to make a self-reflection. What did you learn from your case, and how would you tackle it next time? The book is not about the analysis of images themselves, nor about which tools you should use, but about how you should do the analysis, what plan you make. He teaches you to make the difference between a targeted approach and an automated approach. In the last part, Harlan will teach you how to set up a testing environment, and convince you that testing changes in the file system yourself by deleting files, installing programs, is often more instructive than just asking for help on the net. I really enjoyed the book.

  • Robert M. Sun Mar 03 2019

    Excellent Book - Get into the mind of an expert in DFIR!

    I am writing this review for two reasons: 1. Investigating Windows Systems by Harlan Carvey is excellent 2. Our industry does not support the leaders in our industry enough. Harlan is a man who speaks what he thinks and backs it up with experience, knowledge, and facts. This is something that I appreciate. Anyone can complain and point out that things are not being done properly or analyzed in the right way, but few can provide clear ideas and opinions on how it should be done that others will less experience can follow. This book is smaller than your typical book in the computer industry, which is a positive. I have read too many monstrous technical books that claim to provide all the answers but are limited on practical details and instead list example after example that may or may not provide insight into real-world issues. Harlan went the opposite direction and wrote a book which provides just the facts and just the information you need to feel more confident in responding to a cyber incident. The book is broken down into 5 parts 1. Analysis Process 2. Finding Malware 3. User Activity 4. Web Server Compromise 5. Setting Up a Test Environment In the Preface, Harlan starts off by stating “I am not an expert”, but with over 30 years in the information security field, I think it’s safe to say Harlan is being a bit humble. The reality is that he IS an expert and clearly knows what he is talking about when it comes to incident response which is very apparent in this book. For someone like me, that feels overwhelmed at the idea of responding to a cyber incident, getting into the mind of an expert who has dealt with countless cyber incidents is extremely valuable. Each decision is explained and evidence is shown on what step to take next and why to reduce the overall amount of data that you need to process and analyze. His examples flow, allowing you to ‘see’ what Harlan sees as he steps you through the different examples. In my mind, Harlan’s book is a must for folks working in Incident Response. I strongly encourage you to purchase the book so that you can get into Harlan’s head and see why he makes the decisions he makes during an incident response. I started off this review stating that his book is excellent and that we must support Harlan and others like him that give so much to the DFIR community. Training within the DFIR field is expensive and if we hope to have Harlan and others produce books like this, which provide so much useful information at a fraction of formal training costs, then we have to support them by purchasing the book and encouraging others to do the same. Full Book Review at:

  • Luis M. Wed Oct 31 2018

    Really exciting content from a highly respectable investigator

    I was anxiously awaiting the release of this book, since the summer. I knew I had to have it for one reason - the book's author. I've read Windows Forensic Analysis Toolkit (one of Harlan's other books), and was not disappointed. One section in that book, in particular, appealed to me - the report writing/documentation section. This is an area of digital forensics for which I do not find many resources. So, when I opened Investigating Windows Systems, and realized the content was divided into various scenarios (each scenario was basically written in report-format) my eyes almost popped out of my head (that's a good thing). Harlan provides great perspective on a myriad of topics, and sparks a lot of thought on how an investigation can be handled. It'll also spark thought on other items of interest, based on the reader's experience (I'm sure). One overarching concept I identified in the book was this - a practitioner must give value to findings, by documenting the meaning of particular artifacts, as a function of context (ie given a scenario, an artifact means 'x'; in another scenario, the same artifact still proves 'x', and may prove 'y'. Additionally, the concept of drilling down, and making sense of digital evidence, must be part of a practitioner's feedback (to a prosecutor, client, or student of the trade). Harlan's method of conveying examination/analytical details, makes sense to me, and gives me a rhythm to emulate. Whether in part or in whole, I can use the content of this book as a template, and modify as necessary. As you read Harlan's book (any of them really), you'll notice great value through the explanations he provides. I purchased the electronic version, but wish I had purchased the paper version - this way I could highlight and use sticky-flag, for parts that are of interest to me.