[ISN] Book Review: Forensic Discovery

InfoSec News isn at c4i.org
Wed Jan 19 02:55:46 EST 2005


[ http://www.amazon.com/exec/obidos/ASIN/020163497X/c4iorg  - WK]

Author: Dan Farmer & Wietse Venema 
Pages: 198 
Publisher: Addison Wesley Professional 
Rating: 10 
Reviewer: Ben Rothke 
ISBN: 020163497X  
Summary: Forensic Discovery overview 

Security luminaries Dan Farmer and Wietse Venema wrote one of the 
first vulnerability scanners (SATAN) almost 10 years ago; SATAN was 
the precursor to ISS Scanner, Retina and nmap. Venema wrote such 
well-known security applications as the TCP Wrapper program and the 
Postfix mail server. Farmer and Venema's new book Forensic Discovery 
is a valuable book that grounds a computer-savvy reader in the world 
of digital forensics.

An image of a pipe by artist René Magritte is on the cover with the 
caption Ceci n'est pas une pipe. ("This is not a Pipe.") The picture 
demonstrates that an object exists on many planes; the simple 
recognition of the picture initiates the belief that we are seeing 
something, but it is only known in representation. Surrealist painting 
and digital forensics coalesce in that the digital forensic 
investigator must think broadly and unconventionally in order to 
reconstruct an incident, all the time keeping in mind that often what 
initially seems obvious is neither real nor correct.

The material in the book is an outgrowth of a one-time seminar the 
authors gave in 1999 on digital forensics and analysis. At the 
seminar, Farmer and Venema rolled out The Coroner's Toolkit (TCT), a 
collection of tools for gathering and analyzing forensic data on a 
Unix system. TCT is heavily referenced throughout the book.

The book initially seems thin, at just 198 pages, but there is no 
filler and the information is presented in a fast and furious manner. 
Part one of the book comprises 35 pages and is an introduction to the 
foundations of digital forensics and what to look for in a digital 

Part two (chapters 3-6) is the nucleus of the book, which quickly gets 
into low-level details about file systems and operating system 
environments. While other forensics books focus exclusively on the 
discovery and gathering of data, Forensic Discovery adds needed 
insight on how to judge the trustworthiness of the observation and the 
data itself. Again, the idea is that not everything is as obvious as 
it may initially seem. An effective investigation often requires 
intense analysis, where meaningful conclusions take time.

Chapter 4, "File System Analysis," notes that while computers have 
significantly evolved since their inception, little has changed in 
the last 30 years in the way that file systems actually handle data.

Chapter 5, "Systems and Subversion," is particularly interesting as it 
deals with system startup and shutdown, from a forensics perspective. 
The chapter shows that there are thousands of possible opportunities 
to subvert the integrity of a system without directly changing a file 
during startup and shutdown. A crucial decision that must be made 
during an incident is whether to shut down the system or let it remain 
on-line. There are advantages and disadvantages to each approach, and 
the book details them.

Part three (chapters 7-8) is about the persistence of deleted file 
information. The authors' research reveals that data can be quite 
resistant to destruction. The book shows that a huge amount of data 
and metadata can survive intended deletion as well as accidental 

Forensic Discovery is unusual in that other books on forensics are 
often nothing more than checklists and step-by-step instructions on 
what to do during an incident. Forensic Discovery provides a broad 
framework on the nature of data and how it can be recovered for 
forensic purposes. By understanding the underlying operating system, 
the act of analyzing and dealing with a security breach becomes much 

The book's target reader is anyone who wants to deepen his 
understanding of how computer systems work, as well as anyone who is 
likely to become involved with the technical aspects of computer 
intrusion or system analysis. The topics are too advanced to make it 
the right book for the novice system administrator. For the technical 
reader, though, Forensic Discovery is one of the best computer 
security books published in the last year. The value of the 
information is immense, and the extensive experience that the authors 
bring is unmatched.
