Book Review – Extrusion Detection

Security Monitoring for Internal Intrusions

Rating: *****

Despite being over six years old now, this book is certainly not outdated in the slightest. While most network security books and guides focus on perimeter defence against outsider threats, Bejtlich concentrates on attacks launched from within the organisation. At the time of publishing, this book was unique in its approach to defensive practices, and it is intended to go hand in hand with Bejtlich’s ‘Tao of Network Security’, picking up where Tao left off and concentrating solely on defence, whereas Tao started from the point of view of the attacker.

The first thing to notice about this book is the foreword by Marcus Ranum, which, unusually for a book of this kind, consists of an interview with the author and highlights how different Extrusion Detection is from other network security guides.

The book is aimed at all those who have an intermediate to advanced knowledge of network security and so should be used by those just starting out in the industry, especially as Bejtlich talks about tools and techniques that, at the time of writing, were not common practice amongst professionals. However, it holds great potential value as an addition to anyone’s security/information assurance library.

Traditionally, the main focus of network security has been about keeping the hackers and malicious users out. The book is split into three specific sections: Detecting and Controlling Intrusions, Network Security Operations, and Internal Intrusions, taking the reader on a journey from the reasons to look for extrusions through to the various types of extrusion, such as malicious IRC bots. Bejtlich uses various technologies, such as proxies and IDS/IPS, as demonstrations, using commands that can easily be adapted to organizations’ own technologies.

For those specifically interested in Network Forensics, Bejtlich devotes an entire chapter to just this and discusses the links between the security practices discussed throughout the book and the forensics practices used within the chapter. Incident Response is also explained prior to Forensics. Bejtlich gives a detailed introduction to Network Forensics and describes it as being different from Digital Forensics in that it is focused on packet capture, using tools such as Wireshark/Ethereal. The emphasis here, however, is that Network Forensics is a valuable and crucial part of the defence of a network infrastructure against both internal and external threats.

Followers of Richard Bejtlich’s Tao security blog will instantly recognise his unique method of describing and demonstrating the various tools and techniques required to put Extrusion Detection into practice. Throughout the book there are valuable diagrams, screenshots and actual packet captures that help the reader to fully understand each point that is made, a feature that is often overlooked in many security guides.


This book is a valuable read for anyone interested, or working, in the security and forensics industry. Bejtlich provides a refreshing approach to defensive methods and illuminates the potential damage of insider threats. Highly recommended as a partner guide to ‘The Tao of Network Security’; together they provide an ultimate guide to Network Security.

Reviewer Name: Willem Knot

Book Title: Extrusion Detection

Book Subtitle: Security Monitoring for Internal Intrusions

Author(s): Richard Bejtlich (Foreword by Marcus Ranum)

Publisher: Addison-Wesley

Date of Publishing: 8th November 2005

ISBN-13: 978-0321349965

Price: £39.99 (UK), $54.99 (USA)



Book Review – Windows Registry Forensics

Rating: ***

Windows Registry Forensics is a three-star book with five-star content. It has one mission: to persuade you that examining the Windows registry is an essential and valuable component of any Windows system examination. The author does this by presenting a variety of registry keys and values that can be leveraged to answer important investigative questions. The book does not, however, try to be an exhaustive guide to the Windows registry. Instead, Mr. Carvey focuses on an educated selection of high-value registry keys, in order to demonstrate how to add context and depth to one’s findings.

The book seems most useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations.

Windows Registry Forensics is divided into four chapters. The first provides an introduction to both the Windows registry and to registry analysis, including a look at the data structure of the registry hive files. The second chapter introduces numerous tools that can be used to examine the registry, both during live response and dead disk analysis. Chapters three and four dive into specific registry artifacts and their investigative value, dividing the discussion between System (chapter 3) and User (chapter 4) activity.

The reader will learn to use the Windows registry to perform valuable investigative tasks such as: profile what a user did and when they did it, identify the physical locations of wireless access points used, determine whether a particular user account has a password set, discover which files may have been accessed on a USB device, and address whether malware could have been responsible for activity attributed to the user (the Trojan defense).

There are moments in the book, however, when more advanced or curious readers will find themselves wanting more. With few exceptions, the book focuses on the meaning of the registry values at hand and on how the data can be extracted using tools provided by the author. As a result, the book sometimes refers to the binary data structures contained within certain keys, and the need to parse those correctly, without discussing how the structures should be parsed. In these instances, the author simply notes that one or more of his RegRipper plugins will parse the data, then moves on to the meaning of that data.

These moments that want more technical depth are relatively few, however. The information Mr. Carvey does provide is still well worth the price of admission. It is the egregious number of proofing and editing errors, ranging from simple typos to flawed organization, that compels me to give this book three stars. The author is not entirely at fault, as Syngress titles by other authors have shown similar problems. The company seems to suffer a serious quality control problem. But the author is not without fault. In particular, the choice to organize the later chapters based on System versus User settings leads to a disorganized presentation in which the information needed to answer particular investigative questions is sometimes scattered across two chapters. Windows Registry Forensics would be much more cohesive if it had been organized around specific investigative questions. In this way, the approach to answering a question, or set of questions, would be presented in one place, regardless of which registry hives the relevant data resided in. The reader would not be forced to jump between chapters to find all of the information relevant to a particular question.

When all is said and done, however, Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey’s conversational writing style makes the book easy to read, aforementioned defects notwithstanding. In short, the book is certainly worth adding to your library. But I would be remiss if I did not point out that the number of flaws, both big and small, is unacceptable for any book, especially one with a list price of $69.95/£42.99.

Gregory Prendergast (This was incorrectly attributed to John Hughes in Digital Forensics Magazine; our apologies to Greg)

Book Title: Windows Registry Forensics

Book Subtitle: Advanced Digital Forensic Analysis of the Windows Registry

Author(s): Harlan Carvey

Publisher: Syngress

Date of Publishing: February 2011

ISBN: 9781597495806

Price: $69.95 / £42.99



Book Review – Hacking the Human

Rating: ***

Even though I’m a qualified ISO 27001 Lead Auditor and former “management consultant”, I’m still basically a technical geek. So when I was asked to review this book I was not particularly looking forward to it, and I asked myself what relevance this book had to digital forensics. I have to say that, having reviewed the book, my mindset has changed.

The book contains 12 chapters, divided into three sections. The first section contains four chapters. It explains social engineering and describes the risks to an organization of social engineering attacks. It then goes on to explain why people are the weakest link in an organization. Finally, it explains why current thinking and approaches, including ISO 27001, do not pay due attention to social engineering risks. The second section then goes on to explain human vulnerabilities. It does this by examining a number of topics in the section’s chapters, including building trust, reading a person, subconscious techniques (including Neuro-Linguistic Programming) and then the different roles a social engineering attacker could take. The final section concentrates on countermeasures to social engineering. It does this by describing techniques to assess an organization’s vulnerabilities and explaining security controls to counter defined vulnerabilities, including awareness and training. Finally, the section explains how the countermeasures can be tested.

The book comprises 254 pages and given the retail price it is not the best value book I have come across.

So, given all of the above, why did I get some value out of reviewing it? The answer lies in the number of examples and incidents of social engineering attacks it describes. There are over a dozen. Whilst a few of them have only a human element to them, most involve IT or phone technology to some degree. So I started thinking! If one of these attacks occurred, what evidence would I need to find to prove such an attack had occurred, or how would it be possible to establish that an innocent victim wasn’t actually the perpetrator? It was quite thought provoking.

This is not a book on IT security or Digital Forensics. Given the number of pages and the sale price it is not particularly good value. However, if you would like to understand social engineering attacks and consider their relevance to digital forensics, this is a reasonable addition to your library.

John Hughes

Book Title: Hacking the Human

Book Subtitle: Social Engineering Techniques & Security Countermeasures

Author(s): Ian Mann

Publisher: Gower Publishing Ltd.

Date of Publishing: November 2008

ISBN(13): 978-0566087738

Price: $104.95 / £60.00



Reviewer’s copy of iOS Forensics

I received my reviewer’s copy of the iOS Forensics book today from Apress (thanks for the freebie, guys) and it really is a spectacular job. Apress is a great publisher and the layout, cover and attention to detail with Sean’s manuscript is second to none. I hope you feel it worth it to buy this book for your forensics collection as Sean put a mammoth effort into it – I can attest to every late night, ounce of blood and sweat and headache this tome caused – however, the result is… well, view for yourself.



Book Details

  • Title: iOS Forensic Analysis: for iPhone, iPad and iPod Touch
  • By Sean Morrissey
  • ISBN13: 9781430233428
  • ISBN10: 1430233427
  • 372 pp.
  • Pub Date: 2010-12-21
  • eBook Price: $41.99



Live Hacking

Title: Live Hacking: The Ultimate Guide to Hacking Techniques and Countermeasures for Ethical Hackers & IT Security Experts

Author: Dr. Ali Jahangiri

Reviewer: John Forrester


I’d never be so presumptuous as to label myself a hacker, but I am an IT security guy so I know the subject matter pretty well. The allure of Dr. Jahangiri’s book was that it would educate me to think like a hacker, so helping me better understand how the bad guys operate and how they gain unauthorized access to our computer systems and networks. As Sun Tzu once wrote, “To know your enemy you must become your enemy.” So, I was really quite excited to get my hands on this book, especially after reading the back cover blurb and seeing the rave review that a previous reader (or friend) had given it. However, when the package arrived (courtesy of DFM), I was really disappointed. It’s obviously self-published – no problem with that as long as it’s done well – and it shows. There are a bunch of grammatical and spelling errors in the text that really detract from the overall quality of the book, and at US$49.99 I had serious reservations about ‘value for money’. If I wasn’t writing a review for DFM I’d have considered sending the book right back to where it came from and demanding a refund. However, I ploughed on regardless, and here’s what I found.

Firstly, a criticism again on value is that the book is full of (and I mean packed tight with) screen grabs from websites where the page is so condensed that it’s virtually impossible to read or interpret the detail, so the impact of showing the reader the tool is completely lost with such bad reproduction. The first chapter on essential terminology is sparse and did not deliver the glossary I was hoping for, while chapter 2 on reconnaissance simply lists a plethora of websites that you might be able to glean some information about your target from (the bulk of this chapter’s content is screen grabs).
Chapter 3 on Google hacking is ok for a stratospheric overview of a complex subject, but after reading an excellent treatment of exactly this subject just a few months ago (Google Hacking by Johnny Long; published by Syngress) this chapter left me somewhat flat. Chapters 4, 5 and 6 on scanning, enumeration and password cracking again were ok, not fantastic, just ok. What these chapters offer are simplistic, high-level overviews of three subjects that each deserve (and have already got) books in their own right – some at lower price points, I might add. Chapter 7 delivers a whopping 11 whole pages on Windows hacking. Now, I have some experience with penetration testers trying to hack into my systems and I’d guess they had more than 11 pages’ worth of experience at hand. Maybe I’m wrong, but I’d probably even take a bet on it. Uncommonly for this book, I was pleasantly surprised with chapter 8 on malware, as the author covers a good range of nefarious technologies. Aside from an unnecessary abundance of full-sized screen captures (yawn, I do go on) from Spytector (there are 8 back-to-back across just 5 pages), the author does a good job of providing an overview of the various forms of ‘bad code’ that can gain access to your systems and data. I was fairly unimpressed with the rest of the book, with the highlight being chapter 10’s treatment of a SQL injection attack – I’d always wondered how that works. So, with 185 pages of useful (?) content, many of which are crammed with illegible screen grabs, I was not impressed. Sorry, Dr. Jahangiri, I’m sure you are a very clever man and very proficient in teaching this stuff to your students, but maybe you should consider looking for a professional publisher next time rather than the DIY option.



Malware Forensics: Investigating and Analyzing Malicious Code

Title: Malware Forensics: Investigating and Analyzing Malicious Code

Authors: James M. Aquilina, Eoghan Casey, Cameron H. Malin

Publisher: Syngress

Reviewer: Tony Campbell


It has seemed for some time to me that the publisher, Syngress, has the Digital Forensics book market almost exclusively to itself. After reading Malware Forensics, my mind has not been changed one iota. This book, although published in June 2008, is by far the most comprehensive introduction to the inner workings of malware that I’ve come across. Understanding malware is a really complicated subject, for sure, covering a broad spectrum of illicit software types, but there is no doubt that the combined efforts of James Aquilina, Eoghan Casey, and Cameron Malin deliver a fantastic result. Quite often I personally struggle with reading heavyweight textbooks cover to cover, with these books often ending up on my bookshelf as unread references just in case I need them in the future. However, I did read this one, cover to cover, and have come out the other side of that experience a better man. The authors go into the low-level details of both Windows and Linux malware and decompose the inner workings of each type of illicit software to a fundamental degree of understanding that is consumable by programmers and non-programmers (like me). Another great feature of this book is that the authors do not hold back on their use of Windows and Linux tools, taking the reader through the processes involved in analyzing real examples of malware in both operating system environments. I would recommend this book to anyone who has an interest in understanding malware and certainly recommend it to anyone who has a need to understand the context of malware in computer forensics. It is very apparent from the style of delivery, and especially after re-reading the introductory section on the context of forensics, that the authors are very focused on the evidentiary weight of their malware analysis.

I applaud them for these efforts and highly recommend this book as not just being for malware geeks, but really important for anyone trying to understand the nature of malicious code and how it can adversely affect your forensic investigation. At 592 pages, this book is a true heavyweight contender and is truly the best value for money I’ve found on this subject. Well done, Syngress, and well done, authors, for being the winner of Best Book Bejtlich Read in 2008.



Real Digital Forensics

Title: Real Digital Forensics: Computer Security and Incident Response

Authors: Keith J. Jones, Richard Bejtlich, Curtis W. Rose

Publisher: Addison-Wesley

ISBN-13: 978-0-321-24069-9

Reviewer: Chris Bilger


Although “Real Digital Forensics: Computer Security and Incident Response” was published as long ago as 2005, it still provides a solid all-round introduction to IT forensics. (A new edition entitled “Real Digital Forensics 2” is planned for mid-2010.) Weighing in at 688 pages, this book covers Windows, Unix and Linux and explains digital forensics from the perspectives of incident response and case law. It also discusses in depth a number of commercial and open source tools used to perform forensic analysis. The DVD which accompanies the book contains several sets of sample intrusion data generated by attacking live systems, and is extremely useful for practice forensic examinations.

The first section, Live Incident Response, shows how to carry out an incident response process on Windows and Unix platforms. It covers the types of information to collect from a machine, what to look for, and why this information is important in determining that an attacker has compromised a resource.

The next part, Network-Based Forensics, looks into the different kinds of data that can be collected on a network. It examines how to use each type of data in a forensic examination, and describes the tools used to capture different kinds of data. As before, specific details are given on analysing evidence on different operating systems.

The third part, Acquiring a Forensic Duplication, is devoted to creating a sound forensic image. It is important that suitable guidelines are followed so the process of creating an image will hold up in a court of law. This is done by following appropriate procedures and using write blocking tools. Detailed information is provided on creating images with commercial and open source products.

Part four, Forensic Analysis Techniques, is the longest section of the book. It covers a myriad of techniques that can be used to squeeze the last drop of useful information from data. The topics include:
* Recovering deleted files;
* Electronic discovery;
* Reconstructing web browsing and email activity;
* Windows registry reconstruction;
* Analysis of different forensic tool sets for Windows and Unix/Linux;
* Analysing unknown files.
These chapters provide the critical information that is needed for most forensic examinations.

Part five, Creating a Complete Forensic Toolkit, deals with tools for Windows and Unix/Linux and how to create a robust toolkit that will aid a forensic investigator during examinations. It shows how to make sure the tools that are used do not alter information on the host system. Additional information is given on how to make a bootable Linux distribution that includes the tools.

The sixth section, Mobile Forensics, discusses forensics as applied to mobile devices. It covers multiple tools that can be used for forensic analysis of a Personal Digital Assistant (PDA). Chapters are devoted to creating duplications of USB devices and compact flash cards and the analysis of these devices.

The last section of the book, Online-Based Forensics, looks into popular on-line email sites and how to track emails sent through these services. It also investigates ways to determine domain name ownership. There is an appendix that introduces the Perl scripting language, which can be useful for sorting through large amounts of data.

This book is easy to read and comprehend, and its authors have an abundance of experience in the field of forensics and incident response. Keith Jones has been an expert witness on several cases. Richard Bejtlich is Director of Incident Response at the General Electric Company and author of the TaoSecurity blog; he has written and contributed to a number of other books on IT security (Extrusion Detection: Security Monitoring for Internal Intrusions, The Tao of Network Security Monitoring: Beyond Intrusion Detection…). Curtis Rose has 18 years of experience in computer forensics and Information Security, and leads teams that conduct computer examinations.

The authors do a great job of stepping through each chapter and explaining techniques in a way that is easy to understand. The section of the book that helped me most professionally was section five, Creating a Complete Forensic Toolkit, which explains exactly how to create a bootable toolkit that will not alter data on the host system. On the whole, this book provides a consistent introduction to a wide array of IT forensics topics. One topic that feels incomplete, however – perhaps because of the book’s vintage – is Mobile Device Forensics. There is no information on mobile phones and MP3 players. That is an isolated shortcoming, however. The book introduces and discusses many of the tools that are widely used in the field, and its screenshots are helpful in illustrating sample output from tools. In my opinion “Real Digital Forensics: Computer Security and Incident Response” is a great resource for any forensic investigator.

Chris Bilger



iPhone Forensics

Book Title: iPhone Forensics
Subtitle: Recovering Evidence, Personal Data & Corporate Assets
Author: Jonathan Zdziarski
Publisher: O’Reilly
Date of Publication: 17 September 2008
Price: £30.99 (UK), $39.99 (USA)
ISBN: 978-0-596-15358-8

Reviewer: Tony Campbell


I love my iPhone and so should you (he says in a monotone, robotic voice). But, the real question is, am I just another Apple fanboy, brainwashed by Steve Jobs’ celebrity industry presence and marketing genius? Or have I really made a buying decision based on the facts? It’s true that the iPhone is probably the sexiest piece of kit in this arm of the Milky Way, but is there something lurking under the glitzy hood, that could rise up and bite us in the proverbial “you know what”?
Whether you are an individual or an organisation (and on whatever side of the law you happen to operate), you’ll need to know exactly how much risk you are taking when you do business on your iPhone. How secure is your data and, forensically, how many of your daily activities, transactions and communications are accountable in the eyes of the law?

So, how do you dig into Apple’s prizewinning marrow while donning the cap of the forensics investigator? That’s the easy part: pick up a copy of Jonathan Zdziarski’s iPhone Forensics, published by O’Reilly Media, and you’ll see exactly what’s going on beneath the glossy veneer. This book is a great technical companion for computer forensics guys who have a need (or a calling) to dig into the iPhone platform. True, it’s a very short book with a high price point (just 113 pages of technical content for £30.99), so the real proposition is pitched in terms of technical punch rather than kilograms of rainforest.

The foreword, written by the enigmatic John T Draper (Cap’n Crunch), sets the scene for the rest of the book, showing that it’s fairly easy for investigators to get a bucket load of valuable data from the iPhone as long as they know where to look. Zdziarski kicks off with a great introductory chapter that takes us through the rules of evidence collection and good forensic practice, before launching into the technical chapters. Even if it is aimed primarily at the newbie investigator, this introduction gives the book a nice, well-rounded feel.

Chapters 2 and 3 cover the basics of understanding the iPhone architecture and how to gain access to the underlying system. These chapters are invaluable and written in an easy to follow style, but quickly get you to the stage where you are looking at the iPhone device with its pants pulled well and truly down. Zdziarski then spends the next three chapters focusing on the forensic recovery of data, and analysing a whole bunch of interesting tools, such as Foremost and Scalpel. He then launches into e-discovery where he details techniques for finding evidence inside iPhone database files (SQLite) and XML property lists (these contain items such as cookies, account details, and Safari browsing history).

Chapter 6 ties the iPhone forensic investigation to the desktop PC, describing tools and techniques for pairing evidence between the two platforms. Finally, Chapter 7 cuts to the chase and explains in terms of specific kinds of investigation (and real-life cases) which information is the most useful, and how it would be presented in court.

This book is an excellent resource for any computer forensics investigator. I recommend buying it, and also registering on O’Reilly’s website for their up-to-date iPhone Forensics Data Recovery Training and listening to some of the webcasts by Jonathan Zdziarski himself. For more information on these resources, see .