FreeTechBooks.com

Forensic Discovery

Authors : Dan Farmer and Wietse Venema
ISBN : 020163497X
Pages : 240
Publisher : Addison-Wesley Professional
Publication Date : January 2005

Excerpts from the Preface:

The premise of the book is that forensic information can be found everywhere you look. With this guiding principle in mind we develop tools to collect information from obvious and not so obvious sources, we walk through analyses of real intrusions in detail, and we discuss the limitations of our approach.

Although we illustrate our approach with specific forensic tools in specific system environments, we do not provide cookbooks for how to use those tools, nor do we provide checklists for step-by-step investigation. Instead, we provide a background on how information persists, how information about past events may be recovered, and how trustworthiness of that information may be affected by deliberate or accidental processes.

In our case studies and examples we deviate from traditional computer forensics and head towards the study of system dynamics. Volatility and persistence of file systems and memory are pervasive topics in our book. And while the majority of our examples are from Solaris, FreeBSD and Linux systems, Microsoft's Windows shows up on occasion as well. Our emphasis is on the underlying principles that these systems have in common: we look for inherent properties of computer systems, rather than accidental differences or superficial features.

Our global themes are problem solving, analysis and discovery, with a focus on reconstruction of past events. This may help you to discover why events transpired, but that is generally outside the scope of this work. Knowing what happened will leave you better prepared the next time something bad is about to happen, even when it is not sufficient to prevent future problems. We should note up-front, however, that we do not cover the detection or prevention of intrusions. We do show that traces from one intrusion can lead to the discovery of other intrusions, and we point out how forensic information may be affected by system protection mechanisms, and by their failures.

Intended audience:

The target audience of the book is anyone who wants to deepen their understanding of how computer systems work, as well as anyone who is likely to become involved with the technical aspects of computer intrusion or system analysis. These are not only system administrators, incident responders, other computer security professionals, or forensic analysts, but also anyone who is concerned about the impact of computer forensics on privacy.

While we have worked hard to make the material accessible to non-expert readers, we definitely do not target the novice computer user. As a minimal requirement, we assume strong familiarity with the basic concepts of UNIX or Windows file systems, networking, and processes.

Reviews:

Amazon.com

"Definitely a good start at file system analysis, specifically on Unix machines. But you will definitely be left wanting more of the same."

"Forensic Discovery unearths hidden treasures in enlightening and entertaining ways, showing how a time-centric approach to computer forensics reveals even the cleverest intruder. I highly recommend reading this book."

View/Download Forensic Discovery

ndaru
Site Admin