36 of 37 people found the following review helpful
on June 28, 2012
With a title like Network Forensics: Tracking Hackers through Cyberspace, the book at first sounds like a cheesy novel. But by page 25, you will quickly see this is the real thing. By the time you hit the last page, you will have read the collective wisdom of two of the smartest minds in the space.
Author's Jonathan Ham and Sherri Davidoff are both SANS Institute instructors, and bring significant real-world experience to every chapter. Martin McKeay has an interview (albeit dated) with the authors on his web site here about their SANS course on network forensics.
In 12 densely written chapters at just over 500 pages, the book covers nearly every aspect within network and digital forensics.
While the book Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet provides a comprehensive overview of the topic; Network Forensics: Tracking Hackers through Cyberspace focuses at the packet level.
Part 2, which is about a third of the book, is spent on traffic analysis, with all-embracing coverage of concepts and topics such as statistical flow analysis, wireless traffic capture and analysis, NIDS detection and analysis, packet logging and more.
Readers should be very comfortable with Wireshark packet capture output, which the book extensively references. Those not quite comfortable with packet capture analysis will likely find this book way over their head.
Part 3 focuses on network devices and logging for all types of network devices. Detailed logging aspects for switches, routers and firewalls are dealt with.
The last 2 chapters deal with advanced topics such as network tunneling and malware forensics.
The book also includes 9 case studies which go into extreme detail on the topic covered. While the notion of a case study in many books is a 2-3 page overview, these case studies are 10-20 pages in length and provide an across-the-board analysis of the topic. Evidence files for each case study are available at the author's web site here.
Network Forensics: Tracking Hackers through Cyberspace is an extremely detailed and comprehensive guide on the topic. It is made for the advanced user who is comfortable with forensic tools such as NetworkMiner and Snort.
For those that are up to the task, Network Forensics: Tracking Hackers through Cyberspace is an invaluable reference that will make the reader a master of the topic.
8 of 8 people found the following review helpful
on December 23, 2012
Ok, this is a great scholarly text. If you've never used Wireshark or a Ethernet Tap then you will be in for a treat and a lot of tools you haven't ever used before. Otherwise, this work is like most College text, when the first few chapters are a "history of" and then it sort of goes to an explanation of the tools you need. I found several things I didn't know, and a few tips on actually hiding your traffic and obfuscating your internet mixed in the text. It's not Harry Potter, and sadly it didn't make me a wazard, but it's a great book for anyone interested in network forensics. For those who are hacker minded, this is basically a book of "this is how you can / will be caught" so, read it, know it, reverse it... and then see how much you can derive from your own traffic. The exercises seem to be aimed for a school / network which isn't really in existence, aka most of the "test" are more... ok, look at the traffic patterns in the book, and figure out what you are looking for, instead of go to your computers and run this simulation. Overall, I'd give this book a 4 out of 5 stars, because they teach you how to watch the traffic and dissect it, yet give very little information on how to obfuscate your tracks. Then again, if they taught you how to do that, they'd be out of a job. :D
6 of 6 people found the following review helpful
on June 15, 2013
This is well-written, and easy to read. Good footnotes. It starts with foundational stuff, moves on to a very good discussion of traffic analysis, network devices and detailed logging, and advanced stuff including malware, and tunneling. Several useful case studies. Lots of stuff on packet analysis. Supplements at the authors' website are good. It is dense, but easy enough to read, even with a massive page count. It covers most of network forensics. You do want to be familiar with Wireshark.
3 of 3 people found the following review helpful
on March 9, 2014
There's lot's of material on "computer forensics" but until now this book there's been absolutely nothing on "network forensics".
This is the "Bible" if networks are important to your company's security or you need to know how to find the top talent in the field.
Not overly technical (some things may be better kept secret) but it will certainly have you thinking about things you may not have known were hidden within your networks. Should be on every networking professional's bookshelf!
5 of 6 people found the following review helpful
on April 4, 2013
This seems to be a decent book. I wish the author covered more on advanced topics, like Ch 16. I have to admit I was disappointed to see things like, "this is a switch" and "this is what a router does." If you don't know what a router is, you should probably be starting with a different book. While I can understand why authors include this type of information, to sell more books, I appreciate authors that can target their books to a specific and not as general audience. Just my .02.
2 of 2 people found the following review helpful
on March 3, 2014
The authors drawing upon their vast experience in the industry and resolving many real word forensics problems have presented a very readable and useful treatise of the subject.
The book not only serves as introduction to various approaches for an otherwise intractable problem it also can function as a useful reference for a real world expert. Depending on the time a person has they can do deep dive on any topic using this book or browse all the topics to get a quick overview of the craft. The case studies are especially well done.
This is a must have book for anyone contemplating to play a role in the security and forensics area.
8 of 11 people found the following review helpful
on September 11, 2013
So, I spent way too much time reading this book since it just didn't flow well for me.
The goods: examples, depth of content in some areas
The bads: no coverage of actual (narrowly defined) network forensics, dry style
Personally, I'd recommend this book to people who need to learn how to deal with packets and need lots of examples with explanations and workflows.
on May 5, 2015
Any book, child story or technical manual that has a forward written by Dr. Daniel Geer is going to be amazing. Not that I recommend Dr. Geer start writing children’s literature, it’s just he is an incredible mind for his time. That was the first thing that caught my attention about the book. I am quite excited about the book because it isn’t your typical forensic book. This masterpiece goes well beyond anything I’ve read in a long time.
Warning: Network Forensics is not for entry level readers or even intermediate. This is hardcore PhD level material.
I was surprised that the book cover says “Tracking Hackers Through Cyberspace.” First off, there isn’t anything wrong with being a hacker. There is something wrong with conducting criminal activity and those are two completely different things. If the book would have posted “Tracking Criminals Through Cyberspace”, I might have only cringed a little bit. My second gripe is about the word “Cyber.” Come on folks, it is “digital” not “cyber.” I’m sure the authors didn’t do this; it was probably the editor’s fault. They have to sell books with sexy names so I don’t directly blame the writers.
The entire book is an in-depth technical manual and how-to guide for network forensics. The difference between regular digital forensics and network forensics is that evidence is much harder to locate and more volatile across a network than data storage devices. Husband and wife team Sherri and Jonathan dive deep, deep into hidden corners of switches and hubs to show you where evidence resides. The text is clearly written and done so in a straight forward manner. The content is tough though. Don’t expect an easy read.
You will need a sharp mind to completely understand the importance of this material, as it’s presented. I found myself reading aloud and reading very slowly. There were many places where I went back and read again. This is coming from a guy who has been in digital security since 1989. There is a treasure chest of techniques, ideas, checklists and software usage loaded across every chapter. At 545 pages, this is worth twice the cost of the book if you plan on a profession in digital forensics.
Sherri and Jonathan give ample real world examples and go step by step how to solve these crimes. If you buy the book just to read the stories, then you won’t be disappointed. There are some really great mysteries that were never in the media loaded in the pages. The usual software products are covered in great detail along with plenty of solutions for open source programs too. I like free stuff so I lean towards code I can review myself and not proprietary commercial programs.
You will want to pay close attention to patterns throughout the guide. There is lengthy coverage on packets, protocols, devices and all manner of technology that I had never considered exploring as deep as these writers did. There are cool case studies to keep your attention focused on the topic. Don’t let the evil Ann steal all your trade secrets. This means the book is also fun. The authors made sure to keep you, the reader, involved in the forensic process. It showed me how much I didn’t know about the finer points of network forensics.
I will have to admit that this book is similar to reading some of the computer crime law books I have. It took me a long time to read the book because I was absorbing so much incredible information. Log files are dissected down past the timestamping we are used to seeing and further down to individual packets associated with MAC addresses. Timestamps can be wrong, as the writers tell, because not everything is in synch and devices are located across the globe. So they suggest and show you how to correlate information from multiple sources. There is a stern warning to not use your crime theory for anything other than support the facts of that crime.
I suck at that one.
Network Forensics takes you by the hand and walks you through very complicated cases, one simple step at a time. The authors provide several reasons for doing a technique a certain way, along with issues with what could go wrong if you don’t take their advice. There are times in the book where I had to backtrack to rediscover something I had already read but forgotten and now needed it. Luckily the book is nicely laid out so you can find your information quickly.
At the end of this amazing book is an advanced section. Yes, an advanced section. I though the whole book was advanced then they spring a more advanced segment at the end. Those authors really do know their topic. The advance section covers malware forensics and network tunneling. Malware forensics is a very specialized field not for the faint of heart. If you enjoy spending countless hours dissecting code than this is your playground, not mine.
I’ve talked about my precious desk space in other reviews and that only very special books make it onto my desk. Right now, five books sit on that desk. I will have to bump one off because this book, this masterpiece, must now take a spot on my small desk. Some people have awards, others give stars, I give room for incredible books. Network Forensics is truly a book in its own class.
But please heed my warning. This book is not for beginners. This book is for serious professionals who have ample experience under their belts already. If you buy this book and don’t met this criteria, don’t blame me cause I warned you. This is one incredible masterpiece.
2 of 3 people found the following review helpful
on June 9, 2013
Love this book. Davidoff and Ham have done an excellent job of making a whole range of very technical network security topics accessible, even to complete newcomers new to the field.
Great step by step guide on how to analyze networks and detect anomalies within them. Highly Recommended.
3 of 5 people found the following review helpful
This book is a fascinating account of how to investigate and debug networking mysteries. I search for books in computer security often in amazon and recently came across this book. It is written in an excellent manner and has lucid explanations throughout. It has very good annotations including footnotes with links. Best way to learn a system/protocol/network is to reverse engineer and study its inner design. The book can be used by a wide variety of professionals - Students will benefit immensely to understand/debug systems. IT staff/security professionals will get benefit how to investigate attacks into systems and thereby how to prevent them. If you like mystery, hacking to understand systems, looking into packet traces to see how things work, this book will thrill you.
Best way to go over this book is to get a system with Linux (a good distribution for this book is BackTrack Linux), and go over the book/case studies. The book has plenty of screenshots/command line outputs making learning a breeze. The author's writing style makes the book lively. It is organized into four parts - Foundations, Traffic Analysis, Network Devices/Servers and Advanced Topics
Some of the topics covered to give an idea are Investigation techniques, packet analysis by looking into headers/payloads, explanation on wireless in detail, network intrusion detection/analysis, event log aggregation, correlation and analysis. Security/SSL, IPSec, tunneling, malware analysis are all covered in great detail.
This book has lot of case studies - e.g., statistical flow analysis in Chapter 5. This makes it very interesting and practical. Also the authors have put the capture files and scripts in their website to accompany the book. Commend the authors Sherri Davidoff and Jonathan Ham for bringing out this wonderful book. It should be in every student/professional of networking/security domains.