I’d also like to thank my lovely wife for putting up with my nerdy ways and my excitement in digital forensic and Windows Registry analysis. I know that you don’t get as excited as I do when I see or achieve the things I do, but I’m thankful that you let me do those things.

I’d like to thank Mari DeGrazia, my technical editor, for not only providing excellent insight and feedback throughout the process of writing this book but also for engaging in discussions with me to help sort of my thoughts about the new book out. Engagement and discussion is something sorely absent within the DFIR community, and I am thankful that folks like Mari and Corey Harrell are willing to engage in discussions relevant to our field. After all, this is the really the best way for us to grow as analysts.

I’d be remiss if I didn’t thank Corey for his time and the effort he put into his autorip tool, as well as exchanges we had over artifact categories. Corey’s insight into incident response issues has been invaluable over the years.

I’d also like to thank Eric Zimmerman for all of the great work he’s done in the area of Windows Registry analysis, as well as in creating and updating his Registry Explorer tool. Eric has also produced and made other tools available.

A special “thank you” goes to Cindy Murphy for providing some hive files from a Windows phone. The fact is that RegRipper does work with these hive files; the structure is identical to what’s found on Windows computers, but the keys and values, and their uses, clearly differ. More importantly, there are those within the “community” who are reticent to share any data, even from VMs, for a wide variety of reasons, and here’s a member of law enforcement sharing data…simply because she can. Thank you, Cindy.

Finally, I’d like to thank the Syngress staff for making this book possible.