[ISN] REVIEW: "Forensic Discovery", Dan Farmer/Wietse Venema

InfoSec News isn at c4i.org
Thu Sep 15 00:50:45 EDT 2005

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade at sprint.ca>

BKFORDIS.RVW   20050310

"Forensic Discovery", Dan Farmer/Wietse Venema, 2005, 0-201-63497-X,
%A   Dan Farmer zen at fish2.com
%A   Wietse Venema wietse at porcupine.org
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2005
%G   0-201-63497-X
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$57.99 800-822-6339 Fax: (617) 944-7273 bkexpress at aw.com
%O  http://www.amazon.com/exec/obidos/ASIN/020163497X/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/020163497X/robsladesin03-20
%O   Audience a+ Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   217 p.
%T   "Forensic Discovery"

In the preface, the authors don't promise to teach the reader anything
about computer or digital forensics.  Rather, they are reporting on
ten years' worth of experience in looking into attacked machines. 
Given the authors' background, this is engrossing.  But turning it
into useful guidance might be left as an exercise for the reader. 
This is not a tutorial work for the novice, but a challenge to the
experienced professional.

Part one outlines the basic concepts of forensics in digital systems. 
Chapter one presents the "spirit of forensic discovery": look
anywhere, for anything, and be prepared when you find it.  (This is a
tall order, particularly the "being prepared" part, but it basically
corresponds to my experience.)  Time information and stamps (on UNIX
systems) are discussed in chapter two, along with mention of the ways
that clumsy attempts to "save" systems can destroy ephemeral
information.  However, the level of the material sweeps between
broadly generic and tightly specific: it may be difficult for those
not already thoroughly familiar with forensic activities to obtain
useful guidance from it.

Part two is supposed to provide us with background on the abstractions
of the computer and operating systems that relate to forensic recovery
of materials.  Chapter three addresses file system basics, but does so
specifically with regard to the UNIX system.  The content is much more
detailed than conceptual (covering, for example, allowable characters
in UNIX filenames), and command examples are not always completely
explained.  The usefulness of this approach is questionable, since the
reader is assumed to know the UNIX system well; in which case, why
cover the elementary fundamentals?  However, the work does highlight
aspects of operating and file system internals not encountered in
normal administrative activity.  Analysis of information recovered
from a compromised system is reviewed in chapter four.  The methods
and procedures are very strictly limited by the case cited, but the
examples demonstrate the backhanded thinking needed to obtain
interesting data after an intrusion.  A variety of intriguing ways to
subvert a running system are examined in chapter five.  As with
previous material, the text seems to talk around the topic, while the
examples, although fascinating, don't always support the general
concepts under discussion.  Analysis of the code of malicious software
(a practice known in virus research as forensic programming) is
addressed in chapter six, although the bulk of the content deals with
test execution of the programming (under various forms of restriction)
and both the benefit and complexity of disassembly are passed over
rather lightly.

Part three moves beyond the concepts and into practical difficulties. 
Chapter seven, although titularly about the contents of deleted files,
is primarily concerned with the conservation and preservation of the
access, modification, and (attribute) change times of files.  (In
response to the draft of this review, the authors clarified some of
the points that they were trying to make in the text, such as the fact
that material from deleted files is often more persistent than the
content of active files.  Unfortunately, these points, while
arresting, are not always clear in the work itself.)  Retrieving data
from memory, particularly via the swap or paging areas of disk, is
reviewed in chapter eight.

The preface does state that the authors intend this book to be useful
to sysadmins, incident responders, computer security professionals,
and forensic analysts.  I would suggest that only the last group will
find much here that they can use, and then only those at the advanced
edges of the field.  There is certainly much that is intriguing, but
the material demands of the reader that he or she have extensive
background and knowledge of system and filesystem internals.  Even
then, extracting the information from the target system, and drawing
conclusions as to the implications of that data, will be difficult. 
Farmer and Venema have outlined some fascinating material, on the
bleeding edge of the technology, but have not made it easy for
practitioners to utilize or comprehend.

(In response to the draft review, the authors have noted that the
full, original text of the book is now available at
http://fish2.com/forensics/ or http://www.porcupine.org/forensics/.)

copyright Robert M. Slade, 2005   BKFORDIS.RVW   20050310

======================
rslade at vcn.bc.ca      slade at victoria.tc.ca      rslade at sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
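Editor's added example (not from the book, and not part of Slade's review): the review twice touches on the access, modification and (attribute) change times of UNIX files, and on how clumsy attempts to "save" a system destroy that information. The script below makes both points concrete, and goes slightly beyond the review by also showing the one stamp an intruder cannot forge. It back-dates a file with utime(2), the primitive behind `touch -d` / `touch -r`, then "saves" the file with a plain copy and with a metadata-preserving copy. The file, its content and the year-2000 timestamp are constructed for the demonstration; everything else is the Python standard library, assumed to run on a UNIX-like host.

```python
# Added example: exercising UNIX MAC times (atime, mtime, ctime).
# Not code from "Forensic Discovery" or from its reviewer.
import os
import shutil
import tempfile

# Constructed past timestamp: 2000-01-01T00:00:00Z, in nanoseconds.
FORGED_NS = 946_684_800 * 10**9


def mac_times(path):
    """Return atime/mtime/ctime of `path` in nanoseconds, as os.stat reports them."""
    st = os.stat(path)
    return {"atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}


def backdate(path, when_ns=FORGED_NS):
    """Set atime and mtime to `when_ns` via utime(2), the same primitive
    `touch -d` / `touch -r` use.  There is no interface for setting ctime:
    the kernel records the moment of this very call as the new ctime, so the
    forgery is visible to anyone who compares ctime against mtime."""
    before = mac_times(path)
    os.utime(path, ns=(when_ns, when_ns))
    after = mac_times(path)
    return before, after


def demo():
    """Create a constructed file, back-date it, 'save' it two ways, compare."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.log")
        with open(original, "w") as fh:
            fh.write("constructed sample line\n")  # constructed content

        before, after = backdate(original)

        # A careless copy (cp without -p) stamps the copy with the current
        # time: the original mtime is gone from the "saved" copy.
        plain_copy = os.path.join(workdir, "plain_copy.log")
        shutil.copy(original, plain_copy)

        # A metadata-preserving copy (cp -p) carries atime/mtime across, but
        # the copy's ctime is still the moment the copy was made.
        preserved_copy = os.path.join(workdir, "preserved_copy.log")
        shutil.copy2(original, preserved_copy)

        # Merely reading the original may bump its atime; relatime/noatime
        # mounts can suppress this, so it is reported rather than asserted.
        with open(original, "rb") as fh:
            fh.read()
        atime_after_read = mac_times(original)["atime"]

        return {
            "mtime_forged": after["mtime"] == FORGED_NS,
            "ctime_forged": after["ctime"] == FORGED_NS,
            "ctime_advanced": after["ctime"] >= before["ctime"],
            "plain_copy_mtime_kept": mac_times(plain_copy)["mtime"] == FORGED_NS,
            "copy2_mtime_kept": mac_times(preserved_copy)["mtime"] == FORGED_NS,
            "copy2_ctime_kept": mac_times(preserved_copy)["ctime"] == FORGED_NS,
            "atime_bumped_by_read": atime_after_read != FORGED_NS,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

Running it shows mtime happily taking the year-2000 value while ctime refuses to, the plain copy losing the original mtime altogether, and even the `-p`-style copy acquiring a fresh ctime: the only way to keep all three stamps is to image the medium rather than copy files, which is the practical lesson the reviewer credits the book with, if not always clearly.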
