BKFORDIS.RVW   20050310

"Forensic Discovery", Dan Farmer/Wietse Venema, 2005, 0-201-63497-X,
U$39.99/C$57.99
%A   Dan Farmer zen@fish2.com
%A   Wietse Venema wietse@porcupine.org
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2005
%G   0-201-63497-X
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$57.99 800-822-6339 Fax: (617) 944-7273 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/020163497X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/020163497X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/020163497X/robsladesin03-20
%O   Audience a+ Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   217 p.
%T   "Forensic Discovery"

In the preface, the authors don't promise to teach the reader anything about computer or digital forensics. Rather, they are reporting on ten years' worth of experience in looking into attacked machines. Given the authors' background, this is engrossing. But turning it into useful guidance might be left as an exercise for the reader. This is not a tutorial work for the novice, but a challenge to the experienced professional.

Part one outlines the basic concepts of forensics in digital systems. Chapter one presents the "spirit of forensic discovery": look anywhere, for anything, and be prepared when you find it. (This is a tall order, particularly the "being prepared" part, but it basically corresponds to my experience.) Time information and stamps (on UNIX systems) are discussed in chapter two, along with mention of the ways that clumsy attempts to "save" systems can destroy ephemeral information. However, the level of the material sweeps between broadly generic and tightly specific: it may be difficult for those not already thoroughly familiar with forensic activities to obtain useful guidance from it.

Part two is supposed to provide us with background on the abstractions of the computer and operating systems that relate to forensic recovery of materials. Chapter three addresses file system basics, but does so specifically with regard to the UNIX system. The content is much more detailed than conceptual (covering, for example, allowable characters in UNIX filenames), and command examples are not always completely explained. The usefulness of this approach is questionable, since the reader is assumed to know the UNIX system well; in which case, why cover the elementary fundamentals? However, the work does highlight aspects of operating and file system internals not encountered in normal administrative activity. Analysis of information recovered from a compromised system is reviewed in chapter four. The methods and procedures are very strictly limited by the case cited, but the examples demonstrate the backhanded thinking needed to obtain interesting data after an intrusion. A variety of intriguing ways to subvert a running system are examined in chapter five. As with previous material, the text seems to talk around the topic, while the examples, although fascinating, don't always support the general concepts under discussion. Analysis of the code of malicious software (a practice known in virus research as forensic programming) is addressed in chapter six, although the bulk of the content deals with test execution of the programming (under various forms of restriction), and both the benefit and the complexity of disassembly are passed over rather lightly.

Part three moves beyond the concepts and into practical difficulties. Chapter seven, although titularly about the contents of deleted files, is primarily concerned with the conservation and preservation of the access, modification, and (attribute) change times of files. (In response to the draft of this review, the authors clarified some of the points that they were trying to make in the text, such as the fact that material from deleted files is often more persistent than the content of active files. Unfortunately, these points, while arresting, are not always clear in the work itself.) Retrieving data from memory, particularly via the swap or paging areas of disk, is reviewed in chapter eight.

The preface does state that the authors intend this book to be useful to sysadmins, incident responders, computer security professionals, and forensic analysts. I would suggest that only the last group will find much here that they can use, and then only those at the advanced edges of the field. There is certainly much that is intriguing, but the material demands of the reader that he or she have extensive background and knowledge of system and filesystem internals. Even then, extracting the information from the target system, and drawing conclusions as to the implications of that data, will be difficult. Farmer and Venema have outlined some fascinating material, on the bleeding edge of the technology, but have not made it easy for practitioners to utilize or comprehend.

(In response to the draft review, the authors have noted that the full, original text of the book is now available at http://fish2.com/forensics/ or http://www.porcupine.org/forensics/.)

copyright Robert M. Slade, 2005   BKFORDIS.RVW   20050310