| | |  | Intranet | Home » » » » Forensic Discovery | | | | | | | Description: | | "Don't look now, but your fingerprints are all over the cover of this book. Simply picking it up off the shelf to read the cover has left a trail of evidence that you were here.
"If you think book covers are bad, computers are worse. Every time you use a computer, you leave elephant-sized tracks all over it. As Dan and Wietse show, even people trying to be sneaky leave evidence all over, sometimes in surprising places.
"This book is about computer archeology. It's about finding out what might have been based on what is left behind. So pick up a tool and dig in. There's plenty to learn from these masters of computer security."
--Gary McGraw, Ph.D., CTO, Cigital, coauthor of Exploiting Software and Building Secure Software "A wonderful book. Beyond its obvious uses, it also teaches a great deal about operating system internals."
--Steve Bellovin, coauthor of Firewalls and Internet Security, Second Edition, and Columbia University professor "A must-have reference book for anyone doing computer forensics. Dan and Wietse have done an excellent job of taking the guesswork out of a difficult topic."
--Brad Powell, chief security architect, Sun Microsystems, Inc. "Farmer and Venema provide the essential guide to 'fossil' data. Not only do they clearly describe what you can find during a forensic investigation, they also provide research found nowhere else about how long data remains on disk and in memory. If you ever expect to look at an exploited system, I highly recommend reading this book."
--Rik Farrow, Consultant, author of Internet Security for Home and Office "Farmer and Venema do for digital archaeology what Indiana Jones did for historical archaeology. Forensic Discovery unearths hidden treasures in enlightening and entertaining ways, showing how a time-centric approach to computer forensics reveals even the cleverest intruder."
--Richard Bejtlich, technical director, ManTech CFIA, and author of The Tao of Network Security Monitoring "Farmer and Venema are 'hackers' of the old school: They delight in understanding computers at every level and finding new ways to apply existing information and tools to the solution of complex problems."
--Muffy Barkocy, Senior Web Developer, Shopping.com "This book presents digital forensics from a unique perspective because it examines the systems that create digital evidence in addition to the techniques used to find it. I would recommend this book to anyone interested in learning more about digital evidence from UNIX systems."
--Brian Carrier, digital forensics researcher, and author of File System Forensic Analysis The Definitive Guide to Computer Forensics: Theory and Hands-On PracticeComputer forensics--the art and science of gathering and analyzing digital evidence, reconstructing data and attacks, and tracking perpetrators--is becoming ever more important as IT and law enforcement professionals face an epidemic in computer crime. In Forensic Discovery, two internationally recognized experts present a thorough and realistic guide to the subject. Dan Farmer and Wietse Venema cover both theory and hands-on practice, introducing a powerful approach that can often recover evidence considered lost forever. The authors draw on their extensive firsthand experience to cover everything from file systems, to memory and kernel hacks, to malware. They expose a wide variety of computer forensics myths that often stand in the way of success. Readers will find extensive examples from Solaris, FreeBSD, Linux, and Microsoft Windows, as well as practical guidance for writing one's own forensic tools. The authors are singularly well-qualified to write this book: They personally created some of the most popular security tools ever written, from the legendary SATAN network scanner to the powerful Coroner's Toolkit for analyzing UNIX break-ins. After reading this book you will be able to - Understand essential forensics concepts: volatility, layering, and trust
- Gather the maximum amount of reliable evidence from a running system
- Recover partially destroyed information--and make sense of it
- Timeline your system: understand what really happened when
- Uncover secret changes to everything from system utilities to kernel modules
- Avoid cover-ups and evidence traps set by intruders
- Identify the digital footprints associated with suspicious activity
- Understand file systems from a forensic analyst's point of view
- Analyze malware--without giving it a chance to escape
- Capture and examine the contents of main memory on running systems
- Walk through the unraveling of an intrusion, one step at a time
The book's companion Web site contains complete source and binary code for open source software discussed in the book, plus additional computer forensics case studies and resource links.
| | | Product Details: | | | Author:
| Dan Farmer | | Hardcover:
| 240 pages | | Publisher:
| Addison-Wesley Professional | | Publication Date:
| January 09, 2005 | | Language:
| English | | ISBN:
| 020163497X | | Product Length:
| 9.54 inches | | Product Width:
| 7.24 inches | | Product Height:
| 0.81 inches | | Product Weight:
| 1.43 pounds | | Package Length:
| 9.21 inches | | Package Width:
| 7.09 inches | | Package Height:
| 0.87 inches | | Package Weight:
| 1.46 pounds | | Average Customer Rating:
|  based on 15 reviews |
| | | | Customer Reviews: | |
Average Customer Review:
 ( 15 customer reviews )
Write an online review and share your thoughts with other customers.
Most Helpful Customer Reviews
22 of 23 found the following review helpful:
 Brief but intenseJan 24, 2005
By Jack D. Herrington
"engineer and author"
They say it's good to leave your audience wanting more, but I'm not sure how correct that is with tech books. In this case I am definitely wanting more. About a third of the book is on basic operating system introductory material. The rest of the book starts to get in-depth on file system analysis, hacker trapping, and some basic data analysis. But then it ends. And I wanted more.
Definitely a good start at file system analysis, specifically on Unix machines. But you will definitely be left wanting more of the same.
12 of 12 found the following review helpful:
 Great Information from Two Network Security LegendsApr 11, 2005
By Tony Bradley
"s3kur3"
I have learned a lot from other computer forensics books such as Harlan Carvey's Windows Forensics and Incident Recovery or Kevin Mandia and Chris Prosise's Incident Response and Computer Forensics - 2nd Edition, but this one has a slightly different approach and conveys a lot of good, detailed information in a relatively concise book.
The book is aimed at readers who wish to gain a deeper understanding of how computer systems work, particularly system administrators or those who may actually be tasked with performing a forensic investigation. The book does assume some level of computer knowledge such as the basic concepts of networking, system processes or file systems and is not intended for pure novices.
Farmer and Venema focus a fair amount of attention on the concept of time and how to use it in a forensic investigation. They also highlight a sort of order of operations for how to proceed to try and ensure you retrieve volatile data before it disappears.
Computer forensics is an area of network and computer security that I am particularly interested in. This is an excellent book which I highly recommend. It is well-written and very educational, but it is also a fairly quick read.
[...]
12 of 12 found the following review helpful:
Small on size, but big on detailMar 11, 2005
By Kevin J. Schmidt
This book is small, but it is packed with information. The book is easy to read. I learned a thing or two myself about UNIX filesystems regarding forensics. Every serious security practioner should read this book.
11 of 11 found the following review helpful:
Superb forensics book on evidence discoveryApr 20, 2005
By Dr Anton Chuvakin
"Dr. Anton Chuvakin"
I enjoyed the book ("Forensic Discovery") since it came when I was preparing for my SANS forensics certification (GCFA). Obviously, the "household" names on the cover caught my attention as well. I used TCT and other tools created by the authors and thus my expectations for the book were pretty high. It did deliver! I picked up a whole lot of tidbits on file system forensics as well as malware and compromised system investigation. Unlike some other volumes, this book does not seek to be comprehensive; instead, it focuses on the fun things and focuses on them well.
In particular, I liked authors' ideas and tips on the OOV (order of volatility) of evidence. While not new, they are extremely well-presented in the book. Other highly useful sections were the ones on time stamps and their analysis and file deletion analysis (with thorough persistence of deleted file analysis). I did not like the sections on malware analysis that much, likely because some other book go way more in-depth then this one (like, for example recent Szor's book on viruses).
The book mostly covers Unix, Windows is also mentioned a couple of times.
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org
10 of 11 found the following review helpful:
One of the best security books published in the last yearJan 19, 2005
By Ben Rothke
"Author of 'Computer Security: 20 Things Every Employee Should Know'"
When most people think of forensics, television shows like Quincy and CSI come to mind. Where such shows deviate from reality is the unrealistic speed at which the actors are able to identify, apprehend and prosecute the perpetrators. In the real world, (unlike television, where the crime must be solved by the end of the family hour), crimes are solved with slow, deliberate and methodical steps. The prodigious incidence of digital crime has elevated computer forensics to a critical role within the field of information security. The focus of computer forensics is twofold: first is the attempt to determine whether a breach has occurred and to stop the perpetrator; second is prosecution of the offender, if the breach was a criminal activity.
Security luminaries Dan Farmer and Wietse Venema wrote one of the first vulnerability scanners (SATAN) almost 10 years ago; SATAN was the precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known security applications as the TCP Wrapper program and the Postfix mail server. Farmer and Venema's new book Forensic Discovery is a valuable book that grounds a computer-savvy reader in the world of digital forensics.
An image of a pipe by artist René Magritte is on the cover with the caption Ceci nest pas une pipe. ("This is not a Pipe.") The picture demonstrates that an object exists on many planes; the simple recognition of the picture initiates the belief that we are seeing something, but it is only known in representation. Surrealist painting and digital forensics coalesce in that the digital forensic investigator must think broadly and unconventionally in order to reconstruct an incident, all the time keeping in mind that often what initially seems obvious is neither real nor correct.
The material in the book is an outgrowth of a one-time seminar the authors gave in 1999 on digital forensics and analysis. At the seminar, Farmer and Venema rolled out The Coroner's Toolkit (TCT), a collection of tools for gathering and analyzing forensic data on a Unix system. TCT is heavily referenced throughout the book.
The book initially seems thin, at just 198 pages, but there is no filler and the information is presented in a fast and furious manner. Part one of the book comprises 35 pages and is an introduction to the foundations of digital forensics and what to look for in an digital investigation.
Part two (chapters 3-6) is the nucleus of the book, which quickly gets into low-level details about file systems and operating system environments. While other forensics books focus exclusively on the discovery and gathering of data; Forensic Discovery adds needed insight on how to judge the trustworthiness of the observation and the data itself. Again, the idea is that not everything is as obvious as it may initially seem. An effective investigation often requires intense analysis, where meaningful conclusions take time.
Chapter 4, "File System Analysis," notes that while computers have significantly evolved since their inception, little has changed in last 30 years in the way that file systems actually handle data.
Chapter 5, "Systems and Subversion," is particularly interesting as it deals with system startup and shutdown, from a forensics perspective. The chapter shows that there are thousands of possible opportunities to subvert the integrity of a system without directly changing a file during startup and shutdown. A crucial decision that must be made during an incident is whether to shut down the system or let it remain on-line. There are advantages and disadvantages to each approach, and the book details them.
Part three (chapters 7-8) is about the persistence of deleted file information. The authors' research reveals that data can be quite resistant to destruction. The book shows that a huge amount of data and metadata can survive intended deletion as well as accidental damage.
Forensic Discovery is unusual in that other books on forensics are often nothing more than checklists and step-by-step instructions on what to do during an incident. Forensic Discovery provides a broad framework on the nature of data and how it can be recovered for forensic purposes. By understanding the underlying operating system, the act of analyzing and dealing with a security breach becomes much easier.
The book's target reader is anyone who wants to deepen his understanding of how computer systems work, as well as anyone who is likely to become involved with the technical aspects of computer intrusion or system analysis. The topics are too advanced, to make it the right book for the novice system administrator. For the technical reader, though, Forensic Discovery is one of the best computer security books published in the last year. The value of the information is immense, and the extensive experience that the authors bring is unmatched.
See all 15 customer reviews on Amazon.com
| | |
* Estimated shipping rate for US 48 states. Final rate calculated at checkout. |
