4 of 4 people found the following review helpful
No really UNIX content.,
Verified Purchase(What's this?)
This review is from: UNIX and Linux Forensic Analysis DVD Toolkit (Paperback)
While I was expecting a book similar to the Syngress publication Windows Forensics Analysis by Harlan Carvey I was given more of a Linux for Dummies with a Forensic emphasis.
I'll break it down by chapter to make things a little more understandable. The introduction Chapter one was the standard why am I writing this and what will I cover. It seemed like that was a good start. Unfortunately things when south with Chapter 2. Introduction to UNIX: I'm sorry did I miss the UNIX in it? The focus was Ubuntu Linux. While a forensic analyst should be able to examine Linux systems, that wasn't the title of the book. UNIX was first, but UNIX was hardly mentioned. There are similarities, but not to the extent that the author makes the reader believe. At the time of my reading this book I was working on forensic analysis of a Solaris system and a CentOS system. I was able to use maybe 10 to 15 percent of the content for the Solaris system and if I was lucky 50% for the CentOS system.
Chapter 3 Live Response: Data Collection- there was no Live Response. In short there was very little about what the responder should collect and what is useless information. Much of the chapter was spent on a Log Book and various live CD/DVD Linux distributions that are available. There is a slight discussion of how to collect drive images, but even that is outdated at the time of writing. Two years prior to the writing I was collecting images from Terabyte systems.
Chapter 4 is about Initial Triage and Data Analysis- I'm sorry what? We've already collected the image? Why do we go back to triage? Why are we now just concerned with the network? I know chapters can be read in any order, but if this is for an "intro" person they will most likely do the work in order of the chapters if they do not know any better or have someone guiding them. The author gives a few examples of techniques which are good. Then an example of keyword lists and makes a point of telling the reader to develop their own. The author makes a point of saying attackers will want to look like normal activity on the network, but then gives keyword lists that are standard script kiddie tools. If the attacker is more than just a beginner they have modified the signature/look so that it doesn't match. While I am not against a keyword search, I am against the thinking that if your keyword search does not hit then you must acquit. Chapter 4 is probably the most useful chapter of the book.
Then we go to one of the most useless chapters in the book. At over fifty pages this chapter is the largest, but covers the least useful information. Discussing The Hacking Top 10 is pointless. Especially with the emphasis on tools that won't be as common. A discussion of Nmap and netcat are vital to this book, but many hackers won't take the time to install Wireshark with it's size and GUI. There are tools out there that are cmd line based and would suite an attacker more. Some of the other tools should be discussed, but not to the extent that the author does. It's almost as if the book was to short to charge $59.95 so they added pages to justify the cost.
Chapter 6 discussed the /Proc file system. One of the more useful chapters in the book. However it is one hundred percent Linux based. Again no discussion at all for the differences in UNIX and Linux.
Chapter 7 discussed file analysis. Again a very useful chapter, but lacking in depth. A minuscule thirteen pages there should be so much more discussed.
Chapter 8 was the second most useless chapter in the book. Fortunately it was only a waste of ten pages of the book. Discussing anti-virus instead of what the chapter Title promises "Malware", it really was let down on possible interest. While the title of Chapter 5 did not lead anyone on, Chapter 8 was definite tease. The discussion was a vague conversation about the direction of malware in the Linux environment (notice again not discussing UNIX) and then into different anti-virus systems that are available. I have never installed an AV to do forensics and it would seem to me to not be reliable if the signature has changed slightly anyway.
In discussing this book the Appendix is noteworthy. It gives a high-level overview of setting up Cybercrime detection, but it is only vaguely related to the topic as there is much discussion on networks and Windows systems.
While there is a requirement for a UNIX forensics book this book does not meet that requirement. It is useful for Linux analysis if that is all you are working on, but this will not apply much to the more UNIX platforms of the *nix systems. While I applaud the authors attempt, it seems as if editing may have taken the liberty to force this book into a broader market than was the original intention.