REVIEW: "Real Digital Forensics", Keith J. Jones/Richard Bejtlich/Curtis W. Rose
- BKRLDGFR.RVW 20051127
"Real Digital Forensics", Keith J. Jones/Richard Bejtlich/Curtis W.
Rose, 2006, 0-321-24069-3, U$49.99/C$69.99
%A Keith J. Jones
%A Richard Bejtlich taosecurity.com taosecurity.blogspot.com
%A Curtis W. Rose www.red-cliff.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$49.99/C$69.99 fax: 416-443-0948 800-822-6339 bkexpress@...
%O Audience a+ Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 650 p. + DVD
%T "Real Digital Forensics: Computer Security and Incident Response"
Some forensics books provide a CD-ROM with (usually demo) versions of
computer forensic software. This one provides a DVD of log and other
forensic data, and points the reader to sites for open source tools
that can be used to explore it. Six "case studies," of fictitious
situations, have been provided, and are referred to at different times
and places within the book.
Part one ostensibly looks at response to an incident in real time.
Chapter one outlines tools that can be used for data capture and
analysis of various types on a Windows computer (associated with the
first "case"). There is rather limited explanation of the choices and
decisions involved (the authors make frequent mention that topics are
"beyond the scope" of this book and that the reader should go and get
their other works), and it is not always easy to follow the structure
that the authors may have intended, but the material should be
reasonable enough for the dedicated reader to work through. A
duplicate situation, with a UNIX system, is presented in chapter two.
Part two concentrates on network-based forensics, although a number of
activities in the first division related to the network as well.
Chapter three, almost irritatingly simplistic after the "jump in and
swim" approach in the first two, lists some tools for collecting
network data and evidence. Analysis of the data is outlined in
chapter four (for Windows) and five (for UNIX). Again, the resulting
listings can make for annoying reading: the authors will frequently
note that a page or two of densely packed and impenetrable figures
demonstrate a certain conclusion, but they do not always say why.
Part three examines forensic copying or duplication of systems.
Chapter six covers some basic, and some oddball, points and
suggestions. A few commercial (in chapter seven) and non-commercial
(in chapter eight) data duplication tools are presented.
Forensics analysis techniques get some discussion in part four.
Chapter nine uses various tools to try and access disk images or
deleted files. Tools for reconstructing Web browsing activity are
listed in chapter ten, while email is scrutinized in chapter eleven.
The Registry gets special attention in chapter twelve. Analysis of
two Linux executable files is attempted in chapters thirteen (a known
file) and fourteen (unknown). Chapter fifteen combines both in
looking at Windows programs, but uses the Cygwin system to utilize
Part five purportedly discusses the creation of a complete forensic
toolkit. However, chapter sixteen just lists a few tools, and
seventeen suggests making your CD of utilities bootable via the
Part six reviews mobile device forensics. Chapter eighteen notes some
tools for accessing PDAs (Personal Digital Assistants). Mounting USB
(Universal Serial Bus) devices on Linux is covered briefly in chapter
nineteen, while analyzing the data, in chapter twenty, is pretty much
the same as any other filesystem.
Part seven looks at online-based forensics (rather begging the
question of what the difference is between "online" and "network").
Chapter twenty-one outlines the tracing of email that has been sent
via Webmail services. Programs, mostly in Perl and SQL, for searching
Verisign's database of top-level domain ownership, are "listed" in
This work has a lot of useful information, but as an overall guide is
woefully incomplete. I know that sounds like a contradiction, but it
remains true. For those who want to get involved with digital
forensics, there are useful pointers to tools, and some sets of data
to play with, and these items are missing from most other forensics
texts. For those who need to know how to actually approach an
investigation of a computer or an intrusion into a system, there are
huge gaps in the coverage this work provides.
copyright Robert M. Slade, 2005 BKRLDGFR.RVW 20051127
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
Hear, O Israel: The Lord our God, the Lord is one. Love the
Lord your God with all your heart and with all your soul and with
all your strength. - Deuteronomy 6:4,5
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade