[ISN] Book Review: Forensic Discovery
isn at c4i.org
Wed Jan 19 02:55:46 EST 2005
[ http://www.amazon.com/exec/obidos/ASIN/020163497X/c4iorg - WK]
Author: Dan Farmer & Wietse Venema
Publisher: Addison Wesley Professional
Reviewer: Ben Rothke
Summary: Forensic Discovery overview
Security luminaries Dan Farmer and Wietse Venema wrote one of the
first vulnerability scanners (SATAN) almost 10 years ago; SATAN was
the precursor to ISS Scanner, Retina and nmap. Venema wrote such
well-known security applications as the TCP Wrapper program and the
Postfix mail server. Farmer and Venema's new book, Forensic Discovery,
is a valuable work that grounds a computer-savvy reader in the world
of digital forensics.
An image of a pipe by artist René Magritte is on the cover with the
caption "Ceci n'est pas une pipe" ("This is not a pipe"). The picture
demonstrates that an object exists on many planes; the simple
recognition of the picture initiates the belief that we are seeing
something, but it is only known in representation. Surrealist painting
and digital forensics coalesce in that the digital forensic
investigator must think broadly and unconventionally in order to
reconstruct an incident, all the time keeping in mind that often what
initially seems obvious is neither real nor correct.
The material in the book is an outgrowth of a one-time seminar the
authors gave in 1999 on digital forensics and analysis. At the
seminar, Farmer and Venema rolled out The Coroner's Toolkit (TCT), a
collection of tools for gathering and analyzing forensic data on a
Unix system. TCT is heavily referenced throughout the book.
The book initially seems thin, at just 198 pages, but there is no
filler and the information is presented in a fast and furious manner.
Part one of the book comprises 35 pages and is an introduction to the
foundations of digital forensics and what to look for in a digital
Part two (chapters 3-6) is the nucleus of the book, which quickly gets
into low-level details about file systems and operating system
environments. While other forensics books focus exclusively on the
discovery and gathering of data, Forensic Discovery adds needed
insight on how to judge the trustworthiness of the observation and the
data itself. Again, the idea is that not everything is as obvious as
it may initially seem. An effective investigation often requires
intense analysis, where meaningful conclusions take time.
Chapter 4, "File System Analysis," notes that while computers have
significantly evolved since their inception, little has changed in the
last 30 years in the way that file systems actually handle data.
Chapter 5, "Systems and Subversion," is particularly interesting as it
deals with system startup and shutdown, from a forensics perspective.
The chapter shows that there are thousands of possible opportunities
to subvert the integrity of a system without directly changing a file
during startup and shutdown. A crucial decision that must be made
during an incident is whether to shut down the system or let it remain
on-line. There are advantages and disadvantages to each approach, and
the book details them.
Part three (chapters 7-8) is about the persistence of deleted file
information. The authors' research reveals that data can be quite
resistant to destruction. The book shows that a huge amount of data
and metadata can survive intended deletion as well as accidental
Forensic Discovery is unusual in that other books on forensics are
often nothing more than checklists and step-by-step instructions on
what to do during an incident. Forensic Discovery provides a broad
framework on the nature of data and how it can be recovered for
forensic purposes. By understanding the underlying operating system,
the act of analyzing and dealing with a security breach becomes much
The book's target reader is anyone who wants to deepen his
understanding of how computer systems work, as well as anyone who is
likely to become involved with the technical aspects of computer
intrusion or system analysis. The topics are too advanced to make it
the right book for the novice system administrator. For the technical
reader, though, Forensic Discovery is one of the best computer
security books published in the last year. The value of the
information is immense, and the extensive experience that the authors
bring is unmatched.