"Computer Forensics", Warren G. Kruse II/Jay G. Heiser, 2001,
%A Warren G. Kruse II wkruse@...
%A Jay G. Heiser
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$39.99/C$59.95 416-447-5101 fax: 416-443-0948 bkexpress@...
%P 392 p.
%T "Computer Forensics: Incident Response Essentials"
I'm still disappointed that authors seem to think computer forensics
is limited to data recovery, but this work at least has utility value
going for it.
Chapter one is a rough outline of data recovery, with an emphasis on
documentation and the chain of evidence. Basic information about IP
addressing, for the purpose of tracing intruders, is given in chapter
two: it is useful and does not drown the reader in inconsequential
details. (There is an oddly vitriolic dismissal of the story of the
origin of the term for Packet INternet Groper.) A valuable discussion
of email headers, and a very terse outline of intrusion detection
systems (IDS) are also included. Hard drive basics and concepts are
given in chapter three. The material is generally good, but some
points on imaging and connecting are passed over rather quickly.
Chapter four has a reasonable high-level overview of encryption
abstractions, but it is difficult to see the immediate relevance of
the material to forensics. "Data Hiding," chapter five, contains some
meandering topics that range from password cracking to NTFS (NT File
System) streams to steganography. A few tools for dealing with these
problems are listed. The description of hostile code, in chapter six,
matches that of weeds in gardening: anything you don't want. It is,
therefore, unsurprising to find that the content, while basically
sound, is not particularly structured or helpful.
A list of software (and some hardware) tools are described in chapter
seven. Chapter eight explains a number of points about the Windows
operating system that might affect data recovery and forensics. (The
material discussed is not, unfortunately, exhaustive, although it is
very useful as far as it goes.) The introduction to UNIX, in chapter
nine, is more structured and detailed, although it examines fewer
specific tools. Chapter ten's general overview of an attack on a UNIX
system is fairly standard, although there is a useful table of
commonly compromised system utilities. A wide variety of tools and
commands for collecting information from and about UNIX systems is
given briefly in chapter eleven.
Chapter twelve is a short introduction to general concepts in the (US)
law enforcement system. The last chapter is a rather abrupt finish to
the book. There are seven appendices, the most useful of which is a
handy point form overview of incident response activities.
Computer forensics books are starting to come out of the woodwork, and
most offer such sage advice as "gather evidence" and "don't mess up
the chain of custody." This book does tend to follow the same style
and tone, but also has very valuable tips for practical work. It
won't help you much in analysis, but it will help you become better at
collecting data that will stand up in court.
copyright Robert M. Slade, 2002 BKCMPFRN.RVW 20020221
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
Nam tua res agitur, paries cum proximus ardet.
- For it is your business, when the wall next door catches fire.
- Horace, Epistles