22 of 23 people found the following review helpful
on June 22, 2011
No dongle? No problem, says it all! Authors, Cory Altheide and Harlan Carvey, deliver a superb field guide for digital forensic practitioners. This book is not a textbook on how to perform digital forensics, but a guide for the veteran or new forensic examiner to reference, to extend his/her analysis capabilities with open source tools. The authors bring their years of real world experience at practicing digital forensics into a single publication.
Digital Forensics With Open Source Tools (DFWOST) begins by defining "free" vs. "open" and the digital forensic process, as well as the benefits of using open source tools. DFWOST quickly moves into setting up the examination workstation that the examiner/analyst will use to perform the digital forensic examination, regardless of the host operating system of your forensic machine.
While the book is not a textbook on how to perform a digital forensic examination, it does outline basic digital forensic concepts and terminology that the forensic examiner must comprehend to utilize the open source framework that the book mainly focuses upon, The Sleuth Kit.
From here, the book goes into depth with Windows, Linux, and Mac OS X operating systems and how to use open source tools to identify, parse, and "forensicate" the various system artifacts.
The book's final chapter focuses on automating forensic analysis and extending capabilities with open source tools. Finally, the appendix is full of free, non-open source tools that you should become familiar with and integrate into your digital forensic toolkit. Remember, there are many ways to skin a cat! [Disclaimer: no kitteh's were harmed in compiling this book review :)]
Here's why I am giving this book a five star review:
1) Altheide and Carvey walk the reader through compiling a forensic examination workstation to utilize for a digital forensic investigation. It's full of tips, command line refreshers, and best practices delivered from experienced digital forensic professionals with perfect symmetry (i.e., "It is best to complete Y, to avoid Z").
2) In regards to symmetry, Altheide and Carvey do an awesome job of describing The Sleuth Kit Tools, breaking down the common TSK prefixes and each layer of TSK tools, which for new examiners can be a task within itself. If you are new to TSK, DFWOST is the perfect companion.
3) Altheide and Carvey eliminate the barrier of just having OS specific forensic tools. Linux and Mac OS X users can now play in their own sandbox, using their own toys (Of course, Linux and Mac users knew this all along).
4) Chapter 8 on File Analysis is the longest chapter (41 pages in length), covering analysis of image files, audio and video files, archive files, and documents. This chapter breaks down a file's content and metadata. DFWOST puts file analysis into a practical and digestible format, that a new examiner should be able to apply immediately to a forensic investigation.
5) The book's length, based on the subject matter is spot on and not too cumbersome (255 pages including Appendix on Free, Non Open Tools). Just as Carvey did with Windows Registry Forensics (WRF), Digital Forensics With Open Source Tools (DFWOST) takes a sniper approach on the subject matter. Depending on what type of reader you are, you may knock it out in a single reading session; or, it may take several reading sessions, which will allow you to follow along, complete the examples, and exercises outlined in the book.
6) Lastly, the DFWOST print version that I purchased is signed by both authors. I was able to catch both authors at the Open Source Digital Forensics Conference last week in NoVa. Thank you gentlemen!
The book's content, length, and practical application make it a necessity for the digital forensic examiner's toolkit! Now, go forth and 'forensicate', DFWOST-style!
11 of 11 people found the following review helpful
on June 13, 2011
With more forensic books hitting the shelves, I find myself prioritizing those by authors I know and trust. I have worked with Cory Altheide and he is an extremely talented forensic professional with a passion for open source tools. Not surprisingly, I would not categorize this as a beginner book. Open source tools require a higher level of interaction than their commercial counterparts, but are a great way to take your forensic skills to the next level. While teaching, I often see students frustrated that there is no one tool that can do it all. Such a tool does not exist, no matter how much you are able to pay for it. Free and open source tools fill large gaps in the capabilities of commercial forensic suites and will continue to do so in the foreseeable future.
The book begins with an excellent section on setting up your forensic workstation, using either Linux or Windows as a host. I was immediately impressed with how succinctly the authors were able to cover this topic. File system analysis is broken into three chapters covering Linux, Windows, and OS X. It is rare to find more than one of these operating systems covered, and references to all three continue throughout the rest of the book. This breadth does come at a cost; a fair amount of system knowledge is assumed. As an example, NTFS is covered in six pages and readers are assumed to have prior knowledge of concepts like NTFS attributes and resident versus non-resident files. Without a doubt, Digital Forensics with Open Source Tools (DFWOST) runs at a blistering pace. This is a boon for more advanced practitioners who do not want to rehash old concepts. However, there were several instances when "newer" artifacts like the Linux Logical Volume Manager (LVM) were discussed that I found myself wanting more. In other sections I found some of the best topic coverage in print. The discussion of image metadata in Chapter 8 is particularly comprehensive.
Of course the coverage of open source tools is why many will buy this book. In this regard it does not disappoint. I was pleased to find nearly all of my favorite tools covered along with many new ones. I found myself dog-earing pages to return back to when time permits. Harlan Carvey's touch was evident in the coverage of Windows based tools. Tools are covered in conjunction with their related forensic artifacts, reinforcing key concepts and underscoring tool relevance. While coverage is ample, tools are not discussed exhaustively. Readers will need to work with the tools themselves to fully understand their capabilities - an approach which I agree with.
Overall, I found DFWOST to be a tremendous asset in an area with few published resources. If you are looking to push your forensic skills forward, I highly recommend this book.
12 of 14 people found the following review helpful
on June 16, 2011
Let me start off by stating that I was provided a free review copy of this book by the authors and their publisher. I know both Cory Altheide and Harlan Carvey and I'm an admirer of their work in the field. If I hadn't been provided a review copy of the book, I would have purchased it on my own and reviewed it because of the trust I have in their abilities as researchers and writers. Part of me wishes I hadn't written that sentence because I know Harlan Carvey is working on another book and I probably just eliminated any possibility of getting a free review copy. Someday I'll learn, but today is clearly not that day.
Unsurprisingly, Cory and Harlan turned out a five star effort. The book does three things for the reader. First, it explains the purpose and use of a variety of open source digital forensic tools (as well as using an appendix to explain some free, but non-open source tools), it provides the reader with some foundational education on file system forensics (Windows, Apple, and Linux), and it explains selected important topics in digital forensics such as web browser forensics, shortcut files, and mail artifacts.
I had a bit of an internal debate regarding whether this book is something that an entry level person would be able to grasp in its entirety. Some of the concepts presented such as the more advanced file system forensic issues can be relatively complicated for a beginner. Ultimately, I think this complexity is a strength of the book in that it makes it a learning barometer of sorts. A good use of this book for a new forensic examiner would be to use it as a guide to determine which portions they already know and which portions they find confusing. It's the confusing bits that should spur them onto further learning and research until they can come back to the book and understand the concepts that the authors are putting forth. This could have easily been a poorly written book whose explanations were impenetrable to someone new to the field, but it's well written enough that I think it serves as a good initial text for someone who is interested in the field.
This is also a useful book for experienced examiners who want to learn about the variety of open source tools that are available beyond the more expensive, but very popular closed source tools such as EnCase and FTK. While I find those tools to be very useful and beneficial, there has been quite a bit of development and innovation in the open source digital forensics community that can and should be leveraged by both new and experienced examiners.
Price is the potential concern that some might have with this book and that is understandable given the price. I have declined to purchase other interesting looking Syngress titles in the past because I didn't know enough about the authors or the books to justify the risk at the price they were offered. This book is relatively thin and I suspect there will be some concern about the price-to-page ratio. Had this book been written by authors unknown to me, I might very well have declined to purchase it if I hadn't been provided a review copy. However, in the case of this work, it's very much worth the price. This is a very well done work that has been created by two respected practitioners and authors in the field and should be on the shelf of every person who is trying to break into the digital forensics field.
9 of 11 people found the following review helpful
on April 25, 2011
When I first saw the title for Digital Forensics with Open Source Tools (DFwOST) I thought to myself "Oh great, another mash up of Carrier's File System Forensic Analysis, Farmer & Venema's Forensic Discovery and the freely available Sleuthkit documentation." What I found, however, was a well-written, detailed and concise book detailing many of the most important, and freely available, open source tools that could be wielded in the name of system forensics and incident response. I've known both authors, Cory Altheide and Harlan Carvey, for quite some time and both are well known in forensic circles. The voice throughout the book is consistent and it's difficult to see where one author picks up and the other leaves off (well, when the conversation switches to RegRipper I'm fairly certain that Harlan is the predominate voice).
The first chapter outlines what constitutes a 'free' vs. 'open' tool, the various licenses and the benefits of standardizing on a mixed bag of non-commercial tools - hint, portability between jobs is a big bonus. Chapter 2, surprisingly, shows you how to build your own open source examination platform and walks the reader through the installation and configuration of software, interpreters and other tools for both a Linux or Windows host. Chapters 3 through 7 provide overviews, tips and tricks on everything from disk and file system analysis techniques to searching for artifacts on Windows, Linux and OS X systems in addition to Internet specific artifacts like those left by browsers and mail clients. Chapter 8 gives a somewhat high-level view of file analysis concepts and provides some file-specific format information for the investigator-on-the-go (who can really remember the various metadata available in a PDF file anyway?). Chapter 9 discussed the automation of analysis and some of the tools used to help extract common files, create timelines and work with graphical investigative environments like PyFLAG and the Digital Forensics Framework. Finally, the Appendix provides some high-level information on some complimentary, though not open, tools to help with the forensic process.
I can honestly say that I read this book in a matter of hours - not to mention in one sitting. My forensic knowledge and training did allow me to read through the book at a fairly decent pace but I think that even the most green of forensic analysts would walk away with a more detailed knowledge of the forensic process and the open source tools that could be used to undertake a forensic exercise. The book is not going to explain the file system and its intricacies at any great length but really, there are other books already written that do that. Also, the book won't show you how to do everything with the tools it mentions but it certainly will point the reader at some new tools that they may have never known about previously. It's safe to say that DFwOST is certainly no substitute for forensic training or experience but if you already have all of the standard forensics books on your bookshelf (you know the ones), you'd do well to save a slot for DFwOST as a quick reference for some of the newer tools not covered in those older tomes.
3 of 3 people found the following review helpful
Like most computer forensic specialists, I use a variety of commercial tools, which seem to become more expensive with each new release. Well, actually they don't just "seem" to be getting more expensive, they are getting more expensive! Most of the commercial tools are (with good reason) burdened with dongles and other security mechanisms to limit them to the number of expensive licenses you have purchased.
While I don't begrudge most of the commercial forensic tool publishers their license fees, I do on occasion wish for the means to run several examination machines concurrently.
Enter Open Source tools. The problem is that I never seem to find time to really learn the Open Source tools available and when I need them most is hardly the time to start learning them. I need a cheat sheet, so to speak, and "Digital Forensics with Open Source Tools" provides exactly that.
The authors, both widely known and very much respected in the digital forensics community, make it clear that the book has two intended audiences: "new forensic practitioners" and "experienced digital forensics practitioners new to open source tools". In that second group, I would put people like myself who have only a passing, not an intimate, familiarity with Open Source tools.
I've been doing computer forensics for a long time and, frankly, I don't have an opinion as to how well this book meets the needs of truly "new practitioners". I think you'd need quite a bit of experience in some aspect(s) of information technology to even begin comprehending this book.
On the other hand, many experienced examiners will find much of the knowledge appears to be material they believe they already know. Be careful! The text is laden with fascinating nuggets that you won't readily find elsewhere.
Initially, while browsing the table of contents, I thought the authors had bitten off more than they could comfortably chew in terms of scope. Wrong. Every topic they list in the nine chapters is treated adequately, though not exhaustively.
Overall, this is a keeper. It will facilitate - if not encourage - my excursions into Open Source tools and expand my capabilities. Can't ask for more than that.
2 of 2 people found the following review helpful
This book isn't for everyone. The subject assumes an advanced skill level as well as a high level of interest in 1s and 0s. But if the little bits turn you on, this is a really interesting intro to digital forensics. Armed with this book and the open source applications recommended within, you'll have a fighting chance of finding some of the electronic things that weren't meant to be found.
It seems to me like there are two distinct audiences for this book: people trying to find clues on someone else's system or people who want to maintain their own system in such a way that others won't be able to track their activities.
This book does a good job of analyzing the digital "artifacts" left over on three common client operating systems: Windows, Mac, and Linux.
Other chapters analyze topics that are common to all operating systems, such as internet/email artifacts. The file analysis chapter was especially interesting, as it covered the metadata contained in images, audio files, video files, zip/tar archives, and office documents & PDFs. Want to see how long a student spent typing a paper? The Word document's metadata can give you a good idea whether the student spent the whole weekend at the keyboard or just spent ten minutes pasting someone else's work into the document. And did you know that a Word document (.docx) or Excel spreadsheet (.xlsx) are just zip files? To inspect the contents, open the file with an unzip utility. The rest of the contents are XML files (plain text, easy to read) and binary attachments. Those attachments (embedded images) contain their own metadata.
This book will change the way you look at your machine and give you some excellent suggestions for analyzing someone else's machine.
Hopefully you'll only use this information constructively.
2 of 2 people found the following review helpful
on August 2, 2011
As Cory and Harlan state in the introduction, this book is intended for two audiences; new forensic practitioners and experienced digital forensics practitioners new to open source tools. I believe they have succeeded in providing top-notch material for both audiences. Several excellent five star reviews have already been posted, which I agree with wholeheartedly. In order to avoid simply rehashing these existing reviews, I would like to simply state that I believe Cory and Harlan did two things very well with DFWOST:
1. As Cory and Harlan state in the introduction to Chapter 2, "Being able to build software properly is critical for an examiner using open source tools". Speaking as a seasoned examiner that consistently leverages the majority of the tools in DFWOST, we sometimes forget that the configuration of various interpreters (Perl, Python, Ruby) and the proper installation of tools from source are a difficult task for those new to open source tools. This technical hurdle often inhibits the adoption of open source utilities by even senior analysts. I believe Cory and Harlan had this hurdle in mind when authoring DFWOST, as they provide their readers with valuable information regarding these tasks. Chapter 2 does an excellent job of stepping the reader through the installation of various interpreters and utilities for both the Linux and Windows environments. Before I read DFWOST, I was curious if Cory and Harlan would leverage an available Linux-based live distro and bypass the topic of installation and configuration of an examination system altogether. I was happy to see that they did not take this route, as dependency on a live distro can simply add a layer of abstraction for a new student.
2. Instead of bloating DFWOST with content that has been covered in depth in existing publications, Cory and Harlan opt to simply direct readers to these resources. Given both the authors' resumes (and previous publications), they could have easily supplied this information in DFWOST to unnecessarily bulk this book up. For instance, when the topic of advanced Windows Registry analysis is mentioned, the reader is directed to Harlan's Windows Registry Forensics. This may be construed as self-serving, but the same is done when the topic of Windows binary (PE) analysis is entered. In this case, the reader is directed towards Malware Analyst's Cookbook by Ligh, Adair, Hartstein, and Richard. In my opinion, both these publications are the definitive sources for their respective topics. It is refreshing to see the authors direct their readers to the appropriate place, instead of diving into a topic that probably doesn't have the appropriate real estate dedicated for discussion in the first place.
As with any material these two authors provide to the community, DFWOST should be required reading for any examiner - not just open source hobbyists and newbies. I hope we see another great publication from both Cory and Harlan in the near future. They make a good team.
1 of 1 people found the following review helpful
I'm not a professional digital forensics practitioner. I don't investigate. My primary interest is in data recovery following hard drive crashes, accidental deletion and other user-induced mishaps. I am very knowledgeable of Linux and already have experience with some of the tools mentioned in the book, so that puts me somewhere between beginner and experienced forensics practitioner. This book is written for both--though not necessarily for tech newbies, as evidenced by many of the Vine reviewers who apparently had no idea what they were getting into when they opened this book.
As a longtime Linux user, it's refreshing and incredibly useful to have a comprehensive guide to open source alternatives to the expensive commercial forensics tools that often don't even work in Linux. In the past, I've had to rely on web searching, trial-and-error with various tools, navigating through outdated websites to find instructions I need, and trying to make sense of cryptic MAN Pages. This book would have saved me countless hours of frustration by telling me what tools would work best for the need at hand and giving me practical instruction on how to best use those tools.
New forensics practitioners will find this book to be a great cram course on the subject of digital forensics and the open source tools available. Experienced professionals may be frustrated at times by the explanations aimed at the beginners, but they will find the book to be an excellent reference and will probably find a lot of open source alternatives to commercial products they may already be familiar with.
I won't get into specifics of what the book covers since other reviewers have done that, but I will point out that the authors have worked hard to make this book as comprehensive as possible, covering forensics on Windows, Mac and Linux systems as well as Internet artifacts and file analysis of the most common file types (though the tools will help in the analysis of pretty much any file type). The book also covers emerging areas of forensics, such as building timelines, as well as free but non-open tools that are noteworthy and may be of use to readers.
This is a great book to have on your shelf if you are involved in any way with digital forensics, data recovery or computer security. I would suggest some familiarity with Linux, and I would not recommend this book to anyone who doesn't have at least a basic understanding of the command line, file systems, operating systems, etc.
1 of 1 people found the following review helpful
Perhaps the strongest merit of this book to me was how the authors embed enough low level technical details for this to be useful to the programmer intent on a fundamental understanding of forensics. But, at the same time, the book refrains from drowning the reader in a morass of screen captures and core dumping. You can grasp the gist of how files are stored on the disk, for the main operating systems currently running on personal computers.
To this end, chapter 8 on file analysis concepts could be the most useful to some readers. It covers the special and important case when the files are images. Here typically such image files also store metadata. Common image formats are summarised; though you'd have to look elsewhere for more details on how they actually store/compress images. The chapter also discusses the main document formats. Images and documents are [roughly] the most important file usages. While the explication of both is brief, you should be able to quickly follow the ideas.
As far as open source tools are concerned, the main ones are used throughout the text. While the usages do not comprehensively cover all aspects, you get enough acquaintance to follow up with the actual man pages if you need to.
1 of 1 people found the following review helpful
on May 9, 2013
This book does an excellent job introducing the reader to the many tools available on Linux for performing CyberForensics. It was a text book for my course and was very valuable even to me as someone already familiar with Linux.
It may be a little dated now, some steps are not required as the software has been improved since this was published. Which is why it is only getting 4 stars. These kinds of books need to be mostly digital so they can have regular updates made to them as needed.