UNIX and Linux Forensic Analysis DVD Toolkit

List Price: $64.95
Our Price: $35.94
You Save: $29.01 (45%)
*Shipping:$4.49
SKU:

8073377

In Stock
Usually ships in 1-2 business days
Only 1 left in stock, order soon!

Description:

This book addresses topics in the area of forensic analysis of systems running on variants of the UNIX operating system, which is the choice of hackers for their attack platforms. According to a 2007 IDC report, UNIX servers account for the second-largest segment of spending (behind Windows) in the worldwide server market with $4.2 billion in 2Q07, representing 31.7% of corporate server spending. UNIX systems have not been analyzed to any significant depth largely due to a lack of understanding on the part of the investigator, an understanding and knowledge base that has been achieved by the attacker. The companion DVD provides a simulated or "live" UNIX environment where readers can test the skills they've learned in the book and use custom tools developed by the authors.

The book begins with a chapter to describe why and how the book was written, and for whom, and then immediately begins addressing the issues of live response (volatile) data collection and analysis. The book continues by addressing issues of collecting and analyzing the contents of physical memory (i.e., RAM). The following chapters address /proc analysis, revealing the wealth of significant evidence, and analysis of files created by or on UNIX systems. Then the book addresses the underground world of UNIX hacking and reveals methods and techniques used by hackers, malware coders, and anti-forensic developers. The book then illustrates to the investigator how to analyze these files and extract the information they need to perform a comprehensive forensic analysis. The final chapter includes a detailed discussion of Loadable Kernel Modules and Malware.

Throughout the book the author provides a wealth of unique information, providing tools, techniques and information that won't be found anywhere else. Not only are the tools provided, but the author also provides sample files so that after completing a detailed walk-through, the reader can immediately practice the new-found skills.


* The companion DVD for the book contains significant, unique materials (movies, spreadsheet, code, etc.) not available any place else.
* This book contains information about UNIX forensic analysis that is not available anywhere else. Much of the information is a result of the author's own unique research and work.
* The authors have the combined experience of Law Enforcement, Military, and Corporate forensics. This unique perspective makes this book attractive to ALL forensic investigators.

Product Details:
Author: Chris Pogue
Paperback: 248 pages
Publisher: Syngress
Publication Date: June 30, 2008
Language: English
ISBN: 1597492698
Product Length: 9.19 inches
Product Width: 7.48 inches
Product Height: 0.63 inches
Product Weight: 1.19 pounds
Package Length: 9.1 inches
Package Width: 7.4 inches
Package Height: 0.4 inches
Package Weight: 1.15 pounds
Average Customer Rating: 3.0 (based on 5 customer reviews)
Customer Reviews:


Most Helpful Customer Reviews

10 of 10 found the following review helpful:

1 star. Hardly A Book About Forensics. Oct 16, 2009
By P. Knight
The title may mislead readers to believe that this book discusses actual forensics of Unix and Linux systems. It does not. The authors waste precious pages in this short book discussing their favorite cool Linux apps like Nessus and Metasploit but don't have any meaningful discussion about the various flavors of Unix: AIX, Solaris, *BSD, etc. Their "Unix and Linux" forensic book is almost entirely about Linux. There is no thoughtful discussion about filesystem forensics; no technical detail helpful to Forensic Examiners.

The few moments where the authors approach a meaningful forensic topic, the reader is redirected to an online resource rather than provided an analysis or explanation within the book.

The book title may lead readers to believe that an accompanying DVD contains a Unix forensic toolkit of some kind. In fact, there is only 1.8 MB of documents and no tools save for a few (4) short Bash scripts that hardly cover a thorough forensics examination: live or otherwise. One of the scripts is only one line. One of these documents is an incomplete 3.5 page summary of Sleuthkit tools. By "incomplete" I mean that it is apparent that the author decided to quit writing. Apparently there was no room in this 236 page, 14-gauge font book to cover in any detail the different Unix filesystems, data acquisition, data carving or static filesystem analysis. But the authors make plenty of room to discuss scanning with Unix tools (nmap, nessus, etc.).

There is a section entitled "Malware" except that no malware sample is actually examined. The reader is briefly introduced to Panda's AV scanner and is walked through how to use ClamAV as if that is the only AV scanner available for either a Unix user or Forensic Examiner. Forensic Examiners should pay very close attention to AntiVirus product comparative reviews.

The book cover boasts that this is the "only digital forensic analysis book for *nix". Indeed there may be little in the way of books solely dedicated to Unix forensics but other books cover Unix forensics with greater detail than this one. For example, Brian Carrier's "Filesystem Forensic Analysis" or Jones, Bejtlich and Rose's "Real Digital Forensics".

The book cover also boasts that readers can "Hit the ground running" with the information within. Unfortunately, if readers expect the content to help them bridge a gap between Windows and Unix, they will hit the ground with a resounding thud. If any Forensics Examiner finds value in the content of this book for actual Unix forensic investigations, I would question that examiner's experience and training.

If the authors wanted to write a book about cool Linux tools or network scanning, they should have entitled the book differently. Perhaps "A Beginner's Guide to Using Linux and Linux Security Applications".

I felt the title was misleading and false advertising. The authors take advantage of the word "Forensics" to sell a book that is not about forensics. For $53.95 I expected much more and was extremely disappointed and disgusted at the inferiority of the content.

4 of 5 found the following review helpful:

1 star. Going on eBay. Feb 09, 2009
By R. Chae
I don't often write reviews, but after reading this book, I decided to write one. Not because this book was excellent, but because I was quite disappointed. I am not an expert in *nix security by any means; however, this book is extremely basic. The target audience for this book is someone who has little or no knowledge in Linux or UNIX internals and security.
If you already know UNIX or Linux, but are not familiar with tools like Nessus, nmap, Wireshark, tcpdump, netcat, etc... just go directly to [...], where you can find the compiled list of the top 100 security tools from the nmap-hackers mailing list.

What a waste of time and money.

1 of 1 found the following review helpful:

2 stars. Not really UNIX content. Mar 08, 2011
By Jesse G. Lands
While I was expecting a book similar to the Syngress publication Windows Forensic Analysis by Harlan Carvey, I was given more of a Linux for Dummies with a forensic emphasis.
I'll break it down by chapter to make things a little more understandable. The introduction, Chapter 1, was the standard "why am I writing this and what will I cover". It seemed like that was a good start. Unfortunately things went south with Chapter 2, Introduction to UNIX: I'm sorry, did I miss the UNIX in it? The focus was Ubuntu Linux. While a forensic analyst should be able to examine Linux systems, that wasn't the title of the book. UNIX was first, but UNIX was hardly mentioned. There are similarities, but not to the extent that the author makes the reader believe. At the time of my reading this book I was working on forensic analysis of a Solaris system and a CentOS system. I was able to use maybe 10 to 15 percent of the content for the Solaris system and, if I was lucky, 50% for the CentOS system.
Chapter 3, Live Response: Data Collection: there was no Live Response. In short, there was very little about what the responder should collect and what is useless information. Much of the chapter was spent on a log book and various live CD/DVD Linux distributions that are available. There is a slight discussion of how to collect drive images, but even that is outdated at the time of writing. Two years prior to the writing I was collecting images from terabyte systems.
Chapter 4 is about Initial Triage and Data Analysis. I'm sorry, what? We've already collected the image? Why do we go back to triage? Why are we now just concerned with the network? I know chapters can be read in any order, but if this is for an "intro" person they will most likely do the work in order of the chapters if they do not know any better or have someone guiding them. The author gives a few examples of techniques which are good. Then he gives an example of keyword lists and makes a point of telling the reader to develop their own. The author makes a point of saying attackers will want to look like normal activity on the network, but then gives keyword lists that are standard script kiddie tools. If the attacker is more than just a beginner they have modified the signature/look so that it doesn't match. While I am not against a keyword search, I am against the thinking that if your keyword search does not hit then you must acquit. Chapter 4 is probably the most useful chapter of the book.
Then we go to one of the most useless chapters in the book. At over fifty pages this chapter is the largest, but covers the least useful information. Discussing The Hacking Top 10 is pointless, especially with the emphasis on tools that won't be as common. A discussion of Nmap and netcat is vital to this book, but many hackers won't take the time to install Wireshark with its size and GUI. There are tools out there that are command-line based and would suit an attacker more. Some of the other tools should be discussed, but not to the extent that the author does. It's almost as if the book was too short to charge $59.95, so they added pages to justify the cost.
Chapter 6 discussed the /proc file system. One of the more useful chapters in the book. However, it is one hundred percent Linux based. Again no discussion at all of the differences between UNIX and Linux.
Chapter 7 discussed file analysis. Again a very useful chapter, but lacking in depth. At a minuscule thirteen pages, there should be so much more discussed.
Chapter 8 was the second most useless chapter in the book. Fortunately it was only a waste of ten pages of the book. Discussing anti-virus instead of what the chapter title promises, "Malware", it really was a letdown on possible interest. While the title of Chapter 5 did not lead anyone on, Chapter 8 was a definite tease. The discussion was a vague conversation about the direction of malware in the Linux environment (notice again not discussing UNIX) and then moved into different anti-virus systems that are available. I have never installed an AV to do forensics, and it would seem to me to not be reliable if the signature has changed slightly anyway.
In discussing this book the Appendix is noteworthy. It gives a high-level overview of setting up cybercrime detection, but it is only vaguely related to the topic, as there is much discussion on networks and Windows systems.
While there is a requirement for a UNIX forensics book, this book does not meet that requirement. It is useful for Linux analysis if that is all you are working on, but this will not apply much to the more UNIX platforms of the *nix systems. While I applaud the author's attempt, it seems as if editing may have taken the liberty to force this book into a broader market than was the original intention.

1 of 4 found the following review helpful:

5 stars. Excellent introduction to Linux forensics, ideal for those starting out or the Windows-centric examiner who is curious about Linux. Aug 07, 2008
By Jonathan Evans "echo6"
The first few chapters lead the reader gently into appreciating the differences between Windows and *nix based nomenclature. There are a number of practical tools covered which would assist any Windows investigator to perform post forensic analysis. The tools needed to get the job done on *nix boxes are covered more than adequately. Chapter 4 introduces the reader to some practical advice on triage and live data analysis; there are some useful practical exercises using search techniques, and the author shares his experience, offering some good practical advice on narrowing the search to relevant areas of investigation. Chapter 5 provides some of the best examples I have seen of the "top 10 hacking" tools covered. This should inspire any reader to appreciate how best to investigate against such "tools". This chapter inspires the reader to conduct their own research in a laboratory environment with just enough of a sweetener provided in the examples to encourage them to do so. Chapter 6 takes the reader on an insightful tour of the /proc filesystem, highlighting some of the key areas an investigator needs to know in terms of live analysis and key areas for volatile data capture. There's a small additional section on sysfs which covers additional areas of interest relevant to the investigator. Included in this chapter is an insightful walkthrough of an investigation, further reinforcing the ideas presented by the author. Chapter 7 guides the reader through the filesystem, highlighting key areas such as configuration files. The author also provides the reader with some inventive techniques for investigation. Although a short chapter, it concisely provides enough detail to assist the reader in their investigations. Chapter 8 contains detailed instructions on the use and installation of anti-virus/malware software, with a good overview provided by the author of Linux file permissions/security.
The final appendix is a worthy addition, providing a good overview of auditing and logging not just on *nix but including Windows, firewalls, routers, IDS and IPS systems. It provides a complementary addition to the literature.

Summary.
The author has sought to introduce the reader to a very wide subject area, which considering the diversity of Unices is a brave and audacious move. It is quite amazing how much the author has managed to cover and condense into only 8 chapters and an appendix. The authors clearly have a vast amount of forensic experience, especially with regard to incident response, providing practical and sound advice to the reader. There are a number of other sources hinted at by the authors which shows thorough research benefiting this literature and ultimately the reader. This book provides the reader with a perfect introduction to UNIX and Linux Forensic Analysis; additionally, it should also benefit forensic investigators from the Windows-centric world in grasping some of the power available with Linux and Open Source tools. This should allow the reader to complement their own arsenal of investigation tools and techniques with a complementary set of Linux forensic CDs and methodology. This is a book I would heartily recommend to experienced computer forensic examiners and those starting out, especially to those investigators more used to the Windows environment. The book is clearly an introduction and hints at more to come. I very much look forward to reading more material from the authors covering more advanced topics in their next book. The final paragraph of the synopsis clearly says it all.

0 of 5 found the following review helpful:

5 stars. Very informative style of delivery in the Forensic World. Aug 10, 2008
By Fadi Abu Zuhri "CGEIT, CISM, CISA, CFE, CISSP, PMP, CEH"
The authors initiate a very interesting subject, with a very easy, informative style of delivery. Looking forward to going through more advanced material by the authors with such valuable information.
