Errata (entries appear from lowest page numbers to highest)

-------------------------------

10/12/2015
Chapter 5, page 142

[Error/Clarification] In several places, the book states that if a pool allocation greater than 4096 bytes is requested, it ends up in the big page pool. The threshold is actually slightly smaller: 4080 bytes on x64 and 2040 bytes on x86.

Credits: Joe Sylve

-------------------------------

8/19/2014
Chapter 10, page 296

A) [Clarification] The UserAssist key paths provided are intended to be examples (i.e. not all inclusive). Although we state "The key paths may be different depending on the system you are investigating. For example, on Windows XP [...]", readers may believe that the key paths shown on this page are the only ones that contain UserAssist data. In fact, there are many other possible GUID subkeys under HKCU\software\microsoft\windows\currentversion\explorer\userassist.

B) [Addition/Note] The ROT13 encoding of the value names is controlled by the NoEncrypt value under the Settings subkey. Thus, it's important to check this value or you might end up decoding data that wasn't encoded in the first place. Also, Didier Stevens' blog mentions that for a limited time (Windows 7 Beta) the ROT13 was replaced with Vigenere crypto (http://blog.didierstevens.com/2009/01/18/quickpost-windows-7-beta-rot13-replaced-with-vigenere-great-joke). It's unlikely that you'll encounter systems using this algorithm unless Microsoft switches to it permanently in the future.

C) [Clarification] The _VOLUSER_ASSIST_TYPES structure that we present is reportedly for "Windows XP, 2003, Vista, and 2008 machines." For the sake of clarity, 2008 does not include 2008 R2. The R2 kernel defines a different structure for _VOLUSER_ASSIST_TYPES, which you can see in the userassist.py source file (https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/registry/userassist.py) on or about line 40 of the 2.4 release.

D) [Clarification] The LastUpdated member of _VOLUSER_ASSIST_TYPES is shown as a WinTimeStamp rather than a FILETIME. WinTimeStamp is a Volatility class name that abstracts several underlying Windows data types, including FILETIME. It allows Volatility plugins to easily format the underlying data (for example, to display a human-readable timestamp rather than an integer). For more information, see the "Objects and Classes" section of Chapter 3 (page 54). In other words, WinTimeStamp is not an "official" Microsoft data structure; it's one that the Volatility developers designed for convenience.

Credits: Joachim Metz.

-------------------------------

8/19/2014
Chapter 10, page 297

A) [Clarification] The page says "The shimcache registry keys are part of the Application Compatibility Database"; however, it would be clearer to say that the keys are part of the "Application Compatibility feature" to avoid confusion with the actual Application Compatibility Database file (sysmain.sdb).

B) [Clarification] The Shimcache record structures are shown for Windows XP systems, but we should specify "32-bit Windows XP systems" (since the structures differ on 64-bit Windows XP).

Credits: Joachim Metz.

-------------------------------

12/06/2014
Chapter 13, page 370

[Clarification] The NtSetSystemInformation (SystemLoadAndCallImage) method of loading drivers does not work on Vista and later.

Credits: Troy @ CodeMachine

-------------------------------

12/06/2014
Chapter 13, page 381

[Error] In describing the DeviceObject member of _DRIVER_OBJECT, we stated it is "A pointer to the first device created by the driver." However, the DeviceObject member actually points to the *last* device created by the driver.

Credits: Troy @ CodeMachine

-------------------------------

12/06/2014
Chapter 13, page 396

[Clarification] Starting with Vista SP1, the PsSetCreateProcessNotifyRoutineEx API can be used to install process creation callbacks.

Note: PsSetCreateProcessNotifyRoutine can also still be used on this platform; the *Ex version actually calls PsSetCreateProcessNotifyRoutine internally.

Credits: Troy @ CodeMachine

-------------------------------

8/15/2014
Chapter 18, page 542

[Error] The meanings of the 'c' and 'b' mactime fields are reversed. In the book, it says 'c' is creation time and 'b' is MFT modified time; however, it is the other way around. Likewise, on page 571, it says:

"Several files in the timeline with the dwg extension are accessed and the archive file (netstat.dll) is created:

Tue Nov 27 2012 01:11:40,mac.,[IIS MFT STD_INFO] WINDOWS\webui\netstat.dll (Offset: 0x1cedc800)
Tue Nov 27 2012 01:11:40,m...,[ENG MFT STD_INFO] WINDOWS\webui\netstat.dll (Offset: 0x10b97400)"

Although netstat.dll is in fact created by the malware/actors, the relevant timeline entry showing the 'b' is not displayed in the book.

Reference: http://wiki.sleuthkit.org/index.php?title=Mactime_output.

Credits: Joachim Metz.

-------------------------------

9/14/2014
Page 795

[Error] Under "Data Structures", the roles of the proc and task structures are backwards. proc is said to represent processes in the Mach layer, when it actually represents processes in the BSD layer. Similarly, it says the task structure handles the BSD layer when it actually handles the Mach layer.

Credits: Golden G. Richard III
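The NoEncrypt check described in the Chapter 10, page 296 note (item B), as an added example that is not code from the book or from Volatility's userassist.py. The value names below are constructed, and the Settings subkey is modelled as a plain Python dict rather than read from a hive.

```python
import codecs

# Constructed sample: ROT13-encoded value names of the kind found under a
# UserAssist GUID subkey's Count key (hypothetical, not from a real system).
ENCODED_NAMES = [
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr",
    "HRZR_EHACVQY",
]

# Constructed model of the Settings subkey. NoEncrypt is the REG_DWORD that
# switches the ROT13 encoding off; a missing value behaves like zero.
SETTINGS_ENCODED = {}               # NoEncrypt absent -> names are ROT13
SETTINGS_PLAIN = {"NoEncrypt": 1}   # NoEncrypt set   -> names stored as-is


def names_are_encoded(settings):
    """True when the Settings subkey says value names are ROT13 encoded."""
    return not settings.get("NoEncrypt", 0)


def decode_userassist_name(name, settings):
    """Return the value name as the user would have seen it.

    ROT13 is applied only when NoEncrypt is absent or zero. Applying it to
    a name that was never encoded would silently scramble it, which is the
    pitfall the erratum warns about, so the check comes first.
    """
    if not names_are_encoded(settings):
        return name
    return codecs.decode(name, "rot13")


def decode_all(names, settings):
    return [decode_userassist_name(n, settings) for n in names]
```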
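The corrected 'm a c b' column meanings from the Chapter 18, page 542 erratum, as an added example (not code from the book or The Sleuth Kit). The first two timeline lines are the ones quoted from page 571; the third is a constructed line with a made-up offset, added only so that a 'b' (creation) entry is present to find.

```python
# Constructed sample in mactime's comma-separated output format.
SAMPLE_TIMELINE = """\
Tue Nov 27 2012 01:11:40,mac.,[IIS MFT STD_INFO] WINDOWS\\webui\\netstat.dll (Offset: 0x1cedc800)
Tue Nov 27 2012 01:11:40,m...,[ENG MFT STD_INFO] WINDOWS\\webui\\netstat.dll (Offset: 0x10b97400)
Tue Nov 27 2012 01:11:40,...b,[EXAMPLE MFT STD_INFO] WINDOWS\\webui\\netstat.dll (Offset: 0xPLACEHOLDER)
"""

# Positional meaning of the four-character activity field. The third column
# ('c') is the MFT entry (metadata) change time and the fourth ('b') is the
# file creation ("born") time; the book had these two swapped.
MACB_COLUMNS = (
    ("m", "modified"),
    ("a", "accessed"),
    ("c", "mft_entry_modified"),
    ("b", "created"),
)


def parse_macb(flags):
    """Translate e.g. 'mac.' into the set of timestamp types it asserts."""
    if len(flags) != 4:
        raise ValueError("activity field must be exactly 4 characters: %r" % flags)
    types = set()
    for ch, (letter, meaning) in zip(flags, MACB_COLUMNS):
        if ch == letter:
            types.add(meaning)
        elif ch != ".":
            raise ValueError("unexpected %r in activity field %r" % (ch, flags))
    return types


def parse_line(line):
    # The date contains no commas, so two splits isolate date, flags, rest.
    date, flags, entry = line.split(",", 2)
    return {"date": date, "types": parse_macb(flags), "entry": entry}


def creation_events(timeline_text):
    """Return only the entries whose activity field carries the 'b' flag."""
    rows = [parse_line(l) for l in timeline_text.splitlines() if l.strip()]
    return [r for r in rows if "created" in r["types"]]
```

Run against the two lines quoted from page 571 alone, creation_events() returns nothing, which is the erratum's point: a 'mac.' entry records modification, access and an MFT entry change, not creation.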