Item Description: Using Perl to conduct forensic analysis and incident recovery

Review Synopsis: Learning neat tricks on Windows using Perl

In May 2006, Infoworld produced a series of Hack Tales, describing enterprising IT hacks. My favourite was the hack that described the use of Perl to audit file shares on a 2,000 user network spread across 8 remote sites. A few weeks later, browsing a local bookstore, I stumbled across a book called Windows Forensics and Incident Recovery, by Harlan Carvey.

A quick flick across some pages, and I was headed for a nearby coffee shop to peruse my new purchase. In addition to describing various open source tools throughout the book, the Perl scripts described (and provided on the companion CD), provided an excellent tutorial for using Perl in a number of interesting scenarios, such as extracting metadata from a Microsoft Word document, or detecting local or remote rootkits.

The scripts can be split, merged and rewritten to target different issues as the reader sees fit, providing an excellent resource on doing almost anything on a Windows system using Perl. Throughout the book, you'll learn about manipulating documents, alternate data streams in NTFS, using the registry, auditing user and file permissions, network socket programming and more.

This book is one of those rare gems that goes beyond the scope of its stated purpose and becomes a resource for so much more, making it a worthy addition to any aspiring JAPH's library