15 Reviews
22 of 23 people found the following review helpful:
4.0 out of 5 stars
Brief but intense
By Jack D. Herrington "engineer and author" (Silicon Valley, CA)
This review is from: Forensic Discovery (Hardcover)
They say it's good to leave your audience wanting more, but I'm not sure how correct that is with tech books. In this case I am definitely wanting more. About a third of the book is on basic operating system introductory material. The rest of the book starts to get in-depth on file system analysis, hacker trapping, and some basic data analysis. But then it ends. And I wanted more.
Definitely a good start at file system analysis, specifically on Unix machines. But you will definitely be left wanting more of the same.
12 of 12 people found the following review helpful:
5.0 out of 5 stars
Great Information from Two Network Security Legends
I have learned a lot from other computer forensics books such as Harlan Carvey's Windows Forensics and Incident Recovery or Kevin Mandia and Chris Prosise's Incident Response and Computer Forensics - 2nd Edition, but this one has a slightly different approach and conveys a lot of good, detailed information in a relatively concise book.
The book is aimed at readers who wish to gain a deeper understanding of how computer systems work, particularly system administrators or those who may actually be tasked with performing a forensic investigation. The book does assume some level of computer knowledge such as the basic concepts of networking, system processes or file systems and is not intended for pure novices. Farmer and Venema focus a fair amount of attention on the concept of time and how to use it in a forensic investigation. They also highlight a sort of order of operations for how to proceed to try and ensure you retrieve volatile data before it disappears. Computer forensics is an area of network and computer security that I am particularly interested in. This is an excellent book which I highly recommend. It is well-written and very educational, but it is also a fairly quick read. [...]
11 of 11 people found the following review helpful:
5.0 out of 5 stars
Superb forensics book on evidence discovery
I enjoyed the book ("Forensic Discovery") since it came when I was preparing for my SANS forensics certification (GCFA). Obviously, the "household" names on the cover caught my attention as well. I used TCT and other tools created by the authors and thus my expectations for the book were pretty high. It did deliver! I picked up a whole lot of tidbits on file system forensics as well as malware and compromised system investigation. Unlike some other volumes, this book does not seek to be comprehensive; instead, it focuses on the fun things and focuses on them well.
In particular, I liked the authors' ideas and tips on the OOV (order of volatility) of evidence. While not new, they are extremely well-presented in the book. Other highly useful sections were the ones on time stamps and their analysis and file deletion analysis (with thorough persistence of deleted file analysis). I did not like the sections on malware analysis that much, likely because some other books go way more in-depth than this one (like, for example, Szor's recent book on viruses). The book mostly covers Unix; Windows is also mentioned a couple of times. Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org.
11 of 11 people found the following review helpful:
5.0 out of 5 stars
Small on size, but big on detail
This book is small, but it is packed with information. The book is easy to read. I learned a thing or two myself about UNIX filesystems regarding forensics. Every serious security practitioner should read this book.
10 of 11 people found the following review helpful:
5.0 out of 5 stars
One of the best security books published in the last year
When most people think of forensics, television shows like Quincy and CSI come to mind. Where such shows deviate from reality is the unrealistic speed at which the actors are able to identify, apprehend and prosecute the perpetrators. In the real world, (unlike television, where the crime must be solved by the end of the family hour), crimes are solved with slow, deliberate and methodical steps. The prodigious incidence of digital crime has elevated computer forensics to a critical role within the field of information security. The focus of computer forensics is twofold: first is the attempt to determine whether a breach has occurred and to stop the perpetrator; second is prosecution of the offender, if the breach was a criminal activity.
Security luminaries Dan Farmer and Wietse Venema wrote one of the first vulnerability scanners (SATAN) almost 10 years ago; SATAN was the precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known security applications as the TCP Wrapper program and the Postfix mail server. Farmer and Venema's new book Forensic Discovery is a valuable book that grounds a computer-savvy reader in the world of digital forensics. An image of a pipe by artist René Magritte is on the cover with the caption Ceci n'est pas une pipe ("This is not a pipe"). The picture demonstrates that an object exists on many planes; the simple recognition of the picture initiates the belief that we are seeing something, but it is only known in representation. Surrealist painting and digital forensics coalesce in that the digital forensic investigator must think broadly and unconventionally in order to reconstruct an incident, all the time keeping in mind that often what initially seems obvious is neither real nor correct. The material in the book is an outgrowth of a one-time seminar the authors gave in 1999 on digital forensics and analysis. At the seminar, Farmer and Venema rolled out The Coroner's Toolkit (TCT), a collection of tools for gathering and analyzing forensic data on a Unix system. TCT is heavily referenced throughout the book. The book initially seems thin, at just 198 pages, but there is no filler and the information is presented in a fast and furious manner. Part one of the book comprises 35 pages and is an introduction to the foundations of digital forensics and what to look for in a digital investigation. Part two (chapters 3-6) is the nucleus of the book, which quickly gets into low-level details about file systems and operating system environments. While other forensics books focus exclusively on the discovery and gathering of data, Forensic Discovery adds needed insight on how to judge the trustworthiness of the observation and the data itself.
Again, the idea is that not everything is as obvious as it may initially seem. An effective investigation often requires intense analysis, where meaningful conclusions take time. Chapter 4, "File System Analysis," notes that while computers have significantly evolved since their inception, little has changed in the last 30 years in the way that file systems actually handle data. Chapter 5, "Systems and Subversion," is particularly interesting as it deals with system startup and shutdown, from a forensics perspective. The chapter shows that there are thousands of possible opportunities to subvert the integrity of a system without directly changing a file during startup and shutdown. A crucial decision that must be made during an incident is whether to shut down the system or let it remain on-line. There are advantages and disadvantages to each approach, and the book details them. Part three (chapters 7-8) is about the persistence of deleted file information. The authors' research reveals that data can be quite resistant to destruction. The book shows that a huge amount of data and metadata can survive intended deletion as well as accidental damage. Forensic Discovery is unusual in that other books on forensics are often nothing more than checklists and step-by-step instructions on what to do during an incident. Forensic Discovery provides a broad framework on the nature of data and how it can be recovered for forensic purposes. By understanding the underlying operating system, the act of analyzing and dealing with a security breach becomes much easier. The book's target reader is anyone who wants to deepen his understanding of how computer systems work, as well as anyone who is likely to become involved with the technical aspects of computer intrusion or system analysis. The topics are too advanced to make it the right book for the novice system administrator.
For the technical reader, though, Forensic Discovery is one of the best computer security books published in the last year. The value of the information is immense, and the extensive experience that the authors bring is unmatched.
9 of 10 people found the following review helpful:
5.0 out of 5 stars
Forensic Discovery is a great resource
I read Forensic Discovery last week on the plane home from San Francisco. After a few chapters I was hooked and could barely put it down to eat. This book is absolutely recommended for anyone at all interested in security concepts as well as system administrators or anyone who would need to understand the way that information exists and persists on computer systems.
14 of 17 people found the following review helpful:
5.0 out of 5 stars
A focused look at digital forensics by two pioneers
Farmer and Venema do for digital archaeology what Indiana Jones did for historical archaeology. 'Forensic Discovery' unearths hidden treasures in enlightening and entertaining ways, showing how a time-centric approach to computer forensics reveals even the cleverest intruder. I highly recommend reading this book.
I appreciate books that don't rehash previously published material. Plenty of authors have written books with the word 'forensics' in the title, and many impart little or no useful or original information. (Exceptions include this book, along with Mandia and Prosise's 'Incident Response and Computer Forensics, 2nd Ed' and Jones' 'Real Digital Forensics,' forthcoming.) While 'Forensic Discovery' discusses concepts familiar to kernel developers or others with low-level operating system knowledge, the book is useful because it places such details in the context of a security investigation. 'Forensic Discovery' is exactly the sort of forensic book I enjoy, because it is primarily concerned with intrusions. Broadly speaking, there are two types of 'forensic investigators': those that know how to image a hard drive and search for pornography, and those that know how to respond to and investigate an intrusion. Farmer and Venema are clearly in the second category, and their examples focus on intrusion scenarios rather than workplace misuse of the Internet. Their statement regarding the conservative approach advocated by the US DoJ on p. 195 makes their stance clear. Chapters 6 and 8 were two of my favorites. Ch 6 discusses virtual machines, system call and library monitoring, and debugging. The authors also show the relationship between disassembled code and decompiled C source code. Ch 8 offers a solid introduction to virtual memory managers. Throughout the book Farmer and Venema give command equivalents for Linux, FreeBSD, and Solaris. Windows makes infrequent appearances, although ch 8 presents a Windows memory dump case. 'Forensic Discovery' is unique in that many of the authors' conclusions are based on their own experiments. They seek to gauge file system and memory persistence using real-world systems, rather than unsubstantiated theories.
'Forensic Discovery' complements books on analyzing malware and victim systems, such as those by Skoudis, Carrier, Hoglund, and Jones. At 198 pages it is a quick read, but definitely worth your time and money.
5 of 5 people found the following review helpful:
5.0 out of 5 stars
A trifle unsettling
A trifle unsettling. The authors go through ways to do analysis on a computer, to see if it has been broken into. They focus on Unix and Linux machines, though most of their work also pertains to Microsoft computers.
The discussion can also give you insight into how these operating systems run, and specifically how they handle file management, because an understanding of the general picture is vital to seeing how an attack might be conducted. Naturally, a lot of space is devoted to studying what rootkits can do, and the traces they might leave. But the authors also take us down to the hardware. One very insightful chapter delves into how deleted files might persist on your computer, and for how long. We all know how Peter Norton in the 1980s was the first to introduce an undo for file deletion under MSDOS. But this book goes further. The authors studied several computers for how long a deleted file's contents might actually still exist on the disk, before being overwritten. While they only studied a few computers, they claim, probably reasonably, that these had typical usage. One was an ftp and web server, for example. They found half-lives ranging from 12 days to 35 days. So be careful! If those files are your sensitive data, more stringent measures might be needed to fully erase them.
7 of 8 people found the following review helpful:
4.0 out of 5 stars
A fresh perspective on computer forensics
I've been doing computer security for a good many years at this point, but I've never been much of a forensics person. The other books I've read on the topic were more of a step-by-step procedure without getting so much into the "why" of the process. I found this book to be different. The authors provide a clear understanding of what things should occur, in what order they occur, and WHY they should occur.
A great example of this is their discussion on the expiration of information within a computer system. They go through great pains to help the reader understand the priority used when looking for clues after an incident. The authors even list how long you can expect a computer system to retain information in its various parts. One good piece of information I'm going to test came directly from Chapter 4 and talks about creating a disk image from across a network using Hobbit's Netcat tool. Overall, I found the book both easy to understand and informative. It seems a little light on the number of pages, but the number of screenshots is limited, keeping the content high and the fluff to a minimum. The topics include File System Analysis, System Processes, Analyzing Malware, and the persistence of deleted information. The two appendices add additional information by including discussions about The Coroner's Toolkit and Data Gathering. This includes very useful information on what they call "The Order of Volatility".
6 of 7 people found the following review helpful:
5.0 out of 5 stars
More informative than books twice its size
This book is full of information on every single step involved in forensic incident response. I've had articles published on this same topic, and found this book informative above and beyond my prior research and industry experience. If you haven't had much IR experience on the UNIX side, you need this book.
Forensic Discovery by Dan Farmer (Hardcover - January 9, 2005)
Used & New from: $8.28