Title: Real Digital Forensics: Computer Security and Incident Response
Authors: Keith J. Jones, Richard Bejtlich, Curtis W. Rose
Reviewer: Chris Bilger
Although “Real Digital Forensics: Computer Security and Incident Response” was published as long ago as 2005, it still provides a solid all-round introduction to IT forensics. (A new edition entitled “Real Digital Forensics 2” is planned for mid-2010.) Weighing in at 688 pages, this book covers Windows, Unix and Linux and explains digital forensics from the perspectives of incident response and case law. It also discusses in depth a number of commercial and open source tools used to perform forensic analysis. The DVD which accompanies the book contains several sets of sample intrusion data generated by attacking live systems, and is extremely useful for practising forensic examinations.
The first section, Live Incident Response, shows how to carry out an incident response process on Windows and Unix platforms. It covers the types of information to collect from a machine, what to look for, and why this information is important in determining that an attacker has compromised a resource.
The next part, Network-Based Forensics, looks into the different kinds of data that can be collected on a network. It examines how to use each type of data in a forensic examination, and describes the tools used to capture different kinds of data. As before, specific details are given on analysing evidence on different operating systems.
The third part, Acquiring a Forensic Duplication, is devoted to creating a sound forensic image. It is important that suitable guidelines are followed so the process of creating an image will hold up in a court of law. This is done by following appropriate procedures and using write blocking tools. Detailed information is provided on creating images with commercial and open source products.
Part four, Forensic Analysis Techniques, is the longest section of the book. It covers a myriad of techniques that can be used to squeeze the last drop of useful information from data. The topics include:
* Recovering deleted files;
* Electronic discovery;
* Reconstructing web browsing and email activity;
* Windows registry reconstruction;
* Analysis of different forensic tool sets for Windows and Unix/Linux;
* Analysing unknown files.
These chapters provide the critical information that is needed for most forensic examinations.
Part five, Creating a Complete Forensic Toolkit, deals with tools for Windows and Unix/Linux and how to create a robust toolkit that will aid a forensic investigator during examinations. It shows how to make sure the tools that are used do not alter information on the host system. Additional information is given on how to make a bootable Linux distribution that includes the tools.
The sixth section, Mobile Forensics, discusses forensics as applied to mobile devices. It covers multiple tools that can be used for forensic analysis of a Personal Digital Assistant (PDA). Chapters are devoted to creating duplicates of USB devices and compact flash cards, and to analysing those devices.
The last section of the book, Online-Based Forensics, looks into popular on-line email sites and how to track emails sent through these services. It also investigates ways to determine domain name ownership. There is an appendix that introduces the Perl scripting language, which can be useful for sorting through large amounts of data.
This book is easy to read and comprehend, and its authors have an abundance of experience in the field of forensics and incident response. Keith Jones has been an expert witness on several cases. Richard Bejtlich is Director of Incident Response at the General Electric Company and author of the TaoSecurity blog; he has written and contributed to a number of other books on IT security (Extrusion Detection: Security Monitoring for Internal Intrusions, The Tao of Network Security Monitoring: Beyond Intrusion Detection…). Curtis Rose has 18 years of experience in computer forensics and information security, and leads teams that conduct computer examinations.
The authors do a great job of stepping through each chapter and explaining techniques in a way that is easy to understand. The section of the book that helped me most professionally was section five, Creating a Complete Forensic Toolkit, which explains exactly how to create a bootable toolkit that will not alter data on the host system. On the whole, this book provides a consistent introduction to a wide array of IT forensics topics. One topic that feels incomplete, however – perhaps because of the book’s vintage – is Mobile Device Forensics. There is no information on mobile phones and MP3 players. That is an isolated shortcoming, however. The book introduces and discusses many of the tools that are widely used in the field, and its screenshots are helpful in illustrating sample output from tools. In my opinion, “Real Digital Forensics: Computer Security and Incident Response” is a great resource for any forensic investigator.