TechBookReport logo

Keywords: IT security, computer forensics, intrusion analysis

Title: Forensic Discovery

Author: Dan Farmer and Wietse Venema

Publisher: Addison Wesley

ISBN: 020163497X

Media: Book

Verdict: Recommended for anyone interested in the practical side of IT forensics.

What do you do if you find that one of your servers has been compromised? Copy the files across to a different machine for analysis? Login and attempt to track down what happened? Power down and rip out the disk so that you can attach and mount it on another machine?

As the two authors of this book make clear, a compromised system is a crime scene like any other. Evidence must be collected and must be provably clean and untampered with. And, just as with the crime scenes you see on TV cop shows, the biggest danger to the collection of forensic evidence is careless trampling over the scene. The simple act of copying files, for example, trashes timestamps which are vital for tracing sequences of events.

This is a detailed and technical guide to the techniques of computer forensics. Written with a technically aware readership in mind rather than a more populist account of the subject, it makes for essential reading for anyone involved in the nuts and bolts end of IT security. The focus of the book is on analysis of compromised systems rather than the act of intrusion detection or pro-active defence against intrusion. It's about what to do after a system has been broken into.

At the heart of the subject, and of this book, is an understanding of how systems are put together. That means a detailed knowledge of file systems, disk technology, kernel processes and so on. It's not for the faint-hearted, but then neither is this a book only for kernel hackers. The authors do assume a working knowledge of Unix (the book covers Solaris, FreeBSD and Linux in particular), and some knowledge of Perl and shell programming, however.

While the book touches on many topics, there are two which really stand out. The first is the need to establish a clear time-line of an incident. While this may seem like a fairly straightforward thing to establish it is clear, as the book explains, that this is no mean feat. An experienced intruder goes to great lengths to cover his or her tracks, and the authors show how to uncover these tracks. The second is the need to do a thorough file system analysis, including recovering deleted files and finding which files have been compromised. Again, this is easier said than done as many of the tools that would normally be used to interrogate a file system may themselves have been compromised.

The need for forensic tools is also discussed, with an emphasis on the Coroner's Toolkit and the SATAN network scanner (which the authors wrote) and other open source tools. The source code is supplied on the book's associated web site.

The subject is covered with a mixture of theory and practice, with some good walk-throughs of real-life incidents that high-light some of the dos and don'ts of forensic analysis. The technical content is of a very high standard, as you would expect given the two authors. It's well-written, clear and yet manages to be admirable succinct. Recommended for anyone interested in the nuts and bolts of IT forensics.

Hit the 'back' key in your browser to return to subject index page

Return to home page

Contents © TechBookReport 2005. Published April 18 2005