UNIX and Linux Forensic Analysis DVD Toolkit [Paperback]

Chris Pogue (Author), Cory Altheide (Author), Todd Haverkos (Author)

Book Description

Publication Date: June 30, 2008 | ISBN-10: 1597492698 | ISBN-13: 978-1597492690 | Edition: 1

This book addresses topics in the area of forensic analysis of systems running on variants of the UNIX operating system, which is the choice of hackers for their attack platforms. According to a 2007 IDC report, UNIX servers account for the second-largest segment of spending (behind Windows) in the worldwide server market with $4.2 billion in 2Q07, representing 31.7% of corporate server spending. UNIX systems have not been analyzed to any significant depth largely due to a lack of understanding on the part of the investigator, an understanding and knowledge base that has been achieved by the attacker. The companion DVD provides a simulated or "live" UNIX environment where readers can test the skills they've learned in the book and use custom tools developed by the authors.

The book begins with a chapter to describe why and how the book was written, and for whom, and then immediately begins addressing the issues of live response (volatile) data collection and analysis. The book continues by addressing issues of collecting and analyzing the contents of physical memory (i.e., RAM). The following chapters address /proc analysis, revealing the wealth of significant evidence, and analysis of files created by or on UNIX systems. Then the book addresses the underground world of UNIX hacking and reveals methods and techniques used by hackers, malware coders, and anti-forensic developers. The book then illustrates to the investigator how to analyze these files and extract the information they need to perform a comprehensive forensic analysis. The final chapter includes a detailed discussion of Loadable Kernel Modules and Malware. The companion DVD provides a simulated or "live" UNIX environment where readers can test the skills they've learned in the book and use custom tools developed by the authors.

Throughout the book the author provides a wealth of unique information, providing tools, techniques and information that won't be found anywhere else. Not only are the tools provided, but the author also provides sample files so that after completing a detailed walk-through, the reader can immediately practice the new-found skills.


* The companion DVD for the book contains significant, unique materials (movies, spreadsheet, code, etc.) not available any place else.
* This book contains information about UNIX forensic analysis that is not available anywhere else. Much of the information is a result of the author's own unique research and work.
* The authors have the combined experience of Law Enforcement, Military, and Corporate forensics. This unique perspective makes this book attractive to ALL forensic investigators.

Editorial Reviews

About the Author

Chris Pogue has spent the past five years as part of the IBM Ethical Hacking Team. He was tasked with emulating the actions of an actual malicious attacker with the intention of assisting customers to identify and eliminate probable attack vectors. Chris has worked on over 3000 exploitation attempts for both internal IBM systems as well as third party customers. Chris is also a former US Army Warrant Officer and has worked with the Army Reserve Information Operations Command (ARIOC) on Joint Task Force (JTF) missions with the National Security Agency (NSA), Department of Homeland Security, Regional Computer Emergency Response Team-Continental United States (RCERT-CONUS), and the Joint Intelligence Center-Pacific (JICPAC). Chris attended Forensics training at Carnegie Mellon University in Pittsburgh, Pennsylvania, and holds a Master's degree in Information Security. He is a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker (CEH). Chris also holds a Top Secret (TS) security clearance from the Department of Defense.

Cory Altheide is a Security Engineer at Google, focused on forensics and incident response. Prior to returning to Google, Cory was a principal consultant with MANDIANT, an information security consulting firm that works with the Fortune 500, the defense industrial base and the banks of the world to secure their networks and combat cyber-crime. In this role he responded to numerous incidents for a variety of clients. Cory has authored several papers for the computer forensics journal Digital Investigation and was a contributing author for UNIX and Linux Forensic Analysis (2008) & The Handbook Of Digital Forensics and Investigation (2010). Additionally, Cory is a recurring member of the program committee of the Digital Forensics Research Workshop (DFRWS).

Product Details

• Paperback: 248 pages
• Publisher: Syngress; 1 edition (June 30, 2008)
• Language: English
• ISBN-10: 1597492698
• ISBN-13: 978-1597492690
• Product Dimensions: 9.2 x 7.5 x 0.6 inches
• Shipping Weight: 1.2 pounds
• Average Customer Review: 2.8 out of 5 stars  See all reviews (5 customer reviews)
• Amazon Best Sellers Rank: #1,282,108 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

10 of 10 people found the following review helpful:

1.0 out of 5 stars Hardly A Book About Forensics, October 16, 2009

By 

P. Knight (USA) - See all my reviews
(REAL NAME)   

Amazon Verified Purchase

This review is from: UNIX and Linux Forensic Analysis DVD Toolkit (Paperback)

The title may mislead readers to believe that this book discusses actual forensics of Unix and Linux systems. It does not. The authors waste precious pages in this short book discussing their favorite cool Linux apps like Nessus and Metasploit but don't have any meaningful discussion about the various flavors of Unix: AIX, Solaris, *BSD, etc. Their "Unix and Linux" forensic book is almost entirely about Linux. There is no thoughtful discussion about filesystem forensics; no technical detail helpful to Forensic Examiners.

The few moments where the authors approach a meaningful forensic topic, the reader is redirected to an online resource rather than provided an analysis or explanation within the book.

The book title may lead readers to believe that an accompanying DVD contains a Unix forensic toolkit of some kind. In fact, there is only 1.8 MB of documents and no tools save for a few (4) short Bash scripts that hardly cover a thorough forensics examination: live or otherwise. One of the scripts is only one line. One of these documents is an incomplete 3.5 page summary of Sleuthkit tools. By "incomplete" I mean that it is apparent that the author decided to quit writing. Apparently there was no room in this 236 page, 14-gauge font book to cover in any detail the different Unix filesystems, data acquisition, data carving or static filesystem analysis. But the authors make plenty of room to discuss scanning with Unix tools (nmap, nessus, etc.).

There is a section entitled "Malware" except that no malware sample is actually examined. The reader is briefly introduced to Panda's AV scanner and is walked through how to use ClamAV as if that is the only AV scanner available for either a Unix user or Forensic Examiner. Forensic Examiners should pay very close attention to AntiVirus product comparative reviews.

The book cover boasts that this is the "only digital forensic analysis book for *nix". Indeed there may be little in the way of books solely dedicated to Unix forensics but other books cover Unix forensics with greater detail than this one. For example, Brian Carrier's "Filesystem Forensic Analysis" or Jones, Bejtlich and Rose's "Real Digital Forensics".

The book cover also boasts that readers can "Hit the ground running" with the information within. Unfortunately, if readers expect the content to help them bridge a gap between Windows and Unix, they will hit the ground with a resounding thud. If any Forensics Examiner finds value in the content of this book for actual Unix forensic investigations, I would question that examiner's experience and training.

If the authors wanted to write a book about cool Linux tools or network scanning, they should have entitled the book differently. Perhaps "A Beginner's Guide to Using Linux and Linux Security Applications".

I felt the title was misleading and false advertising. The authors take advantage of the word "Forensics" to sell a book that is not about forensics. For $53.95 I expected much more and was extremely disappointed and disgusted at the inferiority of the content.

4 of 5 people found the following review helpful:

1.0 out of 5 stars going on ebay, February 9, 2009

By 

R. Chae - See all my reviews
(REAL NAME)   

Amazon Verified Purchase

This review is from: UNIX and Linux Forensic Analysis DVD Toolkit (Paperback)

I don't often write reviews, but after reading this book, I decided to write one. Not because this book was excellent, but because I was quite disappointed. I am not an expert in *nix security by any means; however, this book is exteremly basic. The target audience for this book is someone who has little or no knowledge in linux or unix internals and security.

If you already know unix or linux, but are not familiar with tools like Nessus, nmap, wireshark, tcpdump, netcat, etc... just go directly to [...], where you can find the compilied list of the top 100 security tools from the nmap-hackers mailing list.

What a waste of time and money.

1 of 1 people found the following review helpful:

2.0 out of 5 stars No really UNIX content., March 8, 2011

By 

Jesse G. Lands (Ohio) - See all my reviews
(REAL NAME)   

Amazon Verified Purchase

This review is from: UNIX and Linux Forensic Analysis DVD Toolkit (Paperback)

While I was expecting a book similar to the Syngress publication Windows Forensics Analysis by Harlan Carvey I was given more of a Linux for Dummies with a Forensic emphasis.

I'll break it down by chapter to make things a little more understandable. The introduction Chapter one was the standard why am I writing this and what will I cover. It seemed like that was a good start. Unfortunately things when south with Chapter 2. Introduction to UNIX: I'm sorry did I miss the UNIX in it? The focus was Ubuntu Linux. While a forensic analyst should be able to examine Linux systems, that wasn't the title of the book. UNIX was first, but UNIX was hardly mentioned. There are similarities, but not to the extent that the author makes the reader believe. At the time of my reading this book I was working on forensic analysis of a Solaris system and a CentOS system. I was able to use maybe 10 to 15 percent of the content for the Solaris system and if I was lucky 50% for the CentOS system.

Chapter 3 Live Response: Data Collection- there was no Live Response. In short there was very little about what the responder should collect and what is useless information. Much of the chapter was spent on a Log Book and various live CD/DVD Linux distributions that are available. There is a slight discussion of how to collect drive images, but even that is outdated at the time of writing. Two years prior to the writing I was collecting images from Terabyte systems.

Chapter 4 is about Initial Triage and Data Analysis- I'm sorry what? We've already collected the image? Why do we go back to triage? Why are we now just concerned with the network? I know chapters can be read in any order, but if this is for an "intro" person they will most likely do the work in order of the chapters if they do not know any better or have someone guiding them. The author gives a few examples of techniques which are good. Then an example of keyword lists and makes a point of telling the reader to develop their own. The author makes a point of saying attackers will want to look like normal activity on the network, but then gives keyword lists that are standard script kiddie tools. If the attacker is more than just a beginner they have modified the signature/look so that it doesn't match. While I am not against a keyword search, I am against the thinking that if your keyword search does not hit then you must acquit. Chapter 4 is probably the most useful chapter of the book.

Then we go to one of the most useless chapters in the book. At over fifty pages this chapter is the largest, but covers the least useful information. Discussing The Hacking Top 10 is pointless. Especially with the emphasis on tools that won't be as common. A discussion of Nmap and netcat are vital to this book, but many hackers won't take the time to install Wireshark with it's size and GUI. There are tools out there that are cmd line based and would suite an attacker more. Some of the other tools should be discussed, but not to the extent that the author does. It's almost as if the book was to short to charge $59.95 so they added pages to justify the cost.

Chapter 6 discussed the /Proc file system. One of the more useful chapters in the book. However it is one hundred percent Linux based. Again no discussion at all for the differences in UNIX and Linux.

Chapter 7 discussed file analysis. Again a very useful chapter, but lacking in depth. A minuscule thirteen pages there should be so much more discussed.

Chapter 8 was the second most useless chapter in the book. Fortunately it was only a waste of ten pages of the book. Discussing anti-virus instead of what the chapter Title promises "Malware", it really was let down on possible interest. While the title of Chapter 5 did not lead anyone on, Chapter 8 was definite tease. The discussion was a vague conversation about the direction of malware in the Linux environment (notice again not discussing UNIX) and then into different anti-virus systems that are available. I have never installed an AV to do forensics and it would seem to me to not be reliable if the signature has changed slightly anyway.

In discussing this book the Appendix is noteworthy. It gives a high-level overview of setting up Cybercrime detection, but it is only vaguely related to the topic as there is much discussion on networks and Windows systems.

While there is a requirement for a UNIX forensics book this book does not meet that requirement. It is useful for Linux analysis if that is all you are working on, but this will not apply much to the more UNIX platforms of the *nix systems. While I applaud the authors attempt, it seems as if editing may have taken the liberty to force this book into a broader market than was the original intention.