I recently attended a presentation by Phil Hagen named “SQL Ginsu” and it reminded me of just how important SQL can be for data reduction. I previously wrote a How-To on Log Parser and recently saw a great article on using Log Parser to assist with reviewing the massive amounts of data we can pull from Windows 7 Volume Shadow Copies (link here). It all led me to remember the Microsoft Log Parser Toolkit book sitting on my shelf and my intention to write a book review. In short, I found the book to be very informative and relevant. It should be required reading for any incident responder or forensic analyst. The review follows.
From my five-star Amazon book review:
My only regret with this book is that I didn’t read it much earlier in my career. Log Parser is a must-have tool for every forensics professional and incident responder. Imagine having the ability to take almost any chunk of data and quickly search it using SQL-based grammar. Given the sheer amount of data the average security professional must analyze, Log Parser is perhaps even more relevant today than it was ten years ago. Gabriele Giuseppini is the creator of Log Parser, and he and his co-authors do a superb job of teaching the tool and demonstrating its often overwhelming feature set. What could be a very dry manual turns out to be very engaging through copious use of real-world examples that can be used immediately to jump-start your investigations. A model for how technical books should be approached.