REVIEW: "Forensic Discovery", Dan Farmer/Wietse Venema

  Posted by Rob (Robert M. Slade), Sep 14, 2005
      BKFORDIS.RVW 20050310

      "Forensic Discovery", Dan Farmer/Wietse Venema, 2005, 0-201-63497-X,
      U$39.99/C$57.99
      %A Dan Farmer zen@...
      %A Wietse Venema wietse@...
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2005
      %G 0-201-63497-X
      %I Addison-Wesley Publishing Co.
      %O U$39.99/C$57.99 800-822-6339 Fax: (617) 944-7273 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/020163497X/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/020163497X/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/020163497X/robsladesin03-20
      %O Audience a+ Tech 3 Writing 1 (see revfaq.htm for explanation)
      %P 217 p.
      %T "Forensic Discovery"

      In the preface, the authors don't promise to teach the reader anything
      about computer or digital forensics. Rather, they are reporting on
      ten years' worth of experience in looking into attacked machines.
      Given the authors' background, this is engrossing. But turning it
      into useful guidance might be left as an exercise for the reader.
      This is not a tutorial work for the novice, but a challenge to the
      experienced professional.

      Part one outlines the basic concepts of forensics in digital systems.
      Chapter one presents the "spirit of forensic discovery": look
      anywhere, for anything, and be prepared when you find it. (This is a
      tall order, particularly the "being prepared" part, but it basically
      corresponds to my experience.) Time information and stamps (on UNIX
      systems) are discussed in chapter two, along with mention of the ways
      that clumsy attempts to "save" systems can destroy ephemeral
      information. However, the level of the material sweeps between
      broadly generic and tightly specific: it may be difficult for those
      not already thoroughly familiar with forensic activities to obtain
      useful guidance from it.

      Part two is supposed to provide us with background on the abstractions
      of the computer and operating systems that relate to forensic recovery
      of materials. Chapter three addresses file system basics, but does so
      specifically with regard to the UNIX system. The content is much more
      detailed than conceptual (covering, for example, allowable characters
      in UNIX filenames), and command examples are not always completely
      explained. The usefulness of this approach is questionable, since the
      reader is assumed to know the UNIX system well; in which case, why
      cover the elementary fundamentals? However, the work does highlight
      aspects of operating and file system internals not encountered in
      normal administrative activity. Analysis of information recovered
      from a compromised system is reviewed in chapter four. The methods
      and procedures are very strictly limited by the case cited, but the
      examples demonstrate the backhanded thinking needed to obtain
      interesting data after an intrusion. A variety of intriguing ways to
      subvert a running system are examined in chapter five. As with
      previous material, the text seems to talk around the topic, while the
      examples, although fascinating, don't always support the general
      concepts under discussion. Analysis of the code of malicious software
      (a practice known in virus research as forensic programming) is
      addressed in chapter six, although the bulk of the content deals with
      test execution of the programming (under various forms of restriction)
      and both the benefit and complexity of disassembly is passed over
      rather lightly.

      Part three moves beyond the concepts and into practical difficulties.
      Chapter seven, although titularly about the contents of deleted files,
      is primarily concerned with the conservation and preservation of the
      access, modification, and (attribute) change times of files. (In
      response to the draft of this review, the authors clarified some of
      the points that they were trying to make in the text, such as the fact
      that material from deleted files is often more persistent than the
      content of active files. Unfortunately, these points, while
      arresting, are not always clear in the work itself.) Retrieving data
      from memory, particularly via the swap or paging areas of disk, is
      reviewed in chapter eight.

      The preface does state that the authors intend this book to be useful
      to sysadmins, incident responders, computer security professionals,
      and forensic analysts. I would suggest that only the last group will
      find much here that they can use, and then only those at the advanced
      edges of the field. There is certainly much that is intriguing, but
      the material demands of the reader that he or she have extensive
      background and knowledge of system and filesystem internals. Even
      then, extracting the information from the target system, and drawing
      conclusions as to the implications of that data, will be difficult.
      Farmer and Venema have outlined some fascinating material, on the
      bleeding edge of the technology, but have not made it easy for
      practitioners to utilize or comprehend.

      (In response to the draft review, the authors have noted that the
      full, original text of the book is now available at
      http://fish2.com/forensics/ or http://www.porcupine.org/forensics/.)

      copyright Robert M. Slade, 2005 BKFORDIS.RVW 20050310

      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
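The review above twice touches the book's central evidentiary primitive: the UNIX access, modification and inode-change times (chapter two, and again in chapter seven), and the way a careless "look" at a compromised system overwrites them. The following is an added example, written for this page and not taken from the book or from Farmer and Venema's own tools, that builds a mactime-style timeline from stat records: one event per distinct timestamp, flagged m/a/c, oldest first. The file paths and epoch values in SAMPLE are constructed for illustration and do not come from the book; collect() is included to show the one ordering rule the chapters insist on, stat before you read, since reading updates atime and editing updates mtime and ctime.

```python
"""Added example: a mactime-style timeline from UNIX stat records.

Not the book's code and not The Coroner's Toolkit; written to illustrate the
review's points about MAC times and their fragility.
"""
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileTimes:
    path: str
    mtime: int  # content last modified
    atime: int  # content last read (clobbered by a casual cat/less/grep)
    ctime: int  # inode last changed (chmod, chown, rename, link); not settable via utime()


def collect(paths: Iterable[str]) -> List[FileTimes]:
    """Record times with lstat() so symlinks are not followed and nothing is
    opened.  This must happen before any other access to the files: opening
    or reading them may update atime, and editing updates mtime and ctime.
    """
    out = []
    for p in paths:
        st = os.lstat(p)  # lstat, not open(): do not touch atime while collecting
        out.append(FileTimes(p, int(st.st_mtime), int(st.st_atime), int(st.st_ctime)))
    return out


def timeline(records: Iterable[FileTimes]) -> List[Tuple[int, str, str]]:
    """Return (epoch_seconds, flags, path) sorted by time, then path.

    flags is three characters, e.g. 'm.c' when mtime and ctime coincide but
    atime differs, so a single file contributes one event per distinct time.
    """
    events = []
    for r in records:
        for t in sorted({r.mtime, r.atime, r.ctime}):
            flags = (
                ("m" if r.mtime == t else ".")
                + ("a" if r.atime == t else ".")
                + ("c" if r.ctime == t else ".")
            )
            events.append((t, flags, r.path))
    events.sort()
    return events


def render(events: Iterable[Tuple[int, str, str]]) -> List[str]:
    """Human-readable lines, UTC, one per event."""
    lines = []
    for t, flags, path in events:
        ts = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} {flags} {path}")
    return lines


# Constructed sample (invented paths and times, not from the book): a binary
# is replaced, a helper script is dropped, and later the script is run and a
# log file is rewritten.  The 'm.c' events show installation; the '.a.'
# events show later execution; 'mac' on wtmp shows it was rewritten.
SAMPLE = [
    FileTimes("/bin/login", mtime=1110412800, atime=1110416400, ctime=1110412800),
    FileTimes("/var/log/wtmp", mtime=1110416700, atime=1110416700, ctime=1110416700),
    FileTimes("/tmp/.x/clean.sh", mtime=1110412900, atime=1110416650, ctime=1110412900),
]


if __name__ == "__main__":
    for line in render(timeline(SAMPLE)):
        print(line)
```

On a live system, run collect() over the paths of interest first and only then open anything; on Linux the result also depends on the mount's atime policy (relatime or noatime), so a missing '.a.' event is not proof that a file was never read.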