Saturday, June 18, 2011

DFWOST Book Review

Okay, so I promised a book review and here it is. Don't expect more of these, please. They might happen, but that's not my focus. I'm doing this one simply because I wanted to, and I guarantee there will be no forthcoming schedule of reviews, nor of any paradigm shift in this blog.

So the book is Digital Forensics With Open Source Tools by Cory Altheide and Harlan Carvey. I met Cory at the Summit, and he is - as they say - a pretty cool cat when it comes to forensicating. And he is the sole reason that Hal Pomeranz works with Mandiant (at least according to Rob Lee). ;)

Unlike Eric Huber (see his review on Amazon), I did not receive a free copy of the book to review, I didn't win it for getting Cory a Monster drink, or any other "gimme" version of the book. I got it the good old-fashioned way - I bought it. So I'm doing my part to contribute to the financial wherewithal of the authors. :)

Rob Lee made a point at Summit that the name of the FOR408 course was changed from "Computer Forensic Essentials" to "Computer Forensic Investigations - Windows In-Depth" because the former seemed to be driving folks away. They were apparently concerned that it was "basics" and thus not as valuable. Never mind that (IMO) we need to be constantly reminded of the "basics." As an example of the importance of "basics" the US Army retests soldiers every year in some core competencies including marksmanship and certain tasks that are critical to battlefield survival. Why? Because you have to be ready, you have to remember, and there's no room for error. Mistakes will still happen but the goal is to minimize those as much as humanly possible. I think forensics are very much the same.

Anyway, the point of all that is that I think this book is very easily one of the "Essentials" of computer forensics. Don't get me wrong, there are a lot of other good books out there, and this is by no means a pure beginner's book. However, for someone with some basic understanding, some exposure to the field (in other words, someone who wants to be a forensicator and is doing their due diligence), this is a very good introduction to some of the deeper concepts we deal with. It's also a good refresher. I will admit, I was familiar with most of the topics in this book, but then I have Brian Carrier's masterpiece on file systems, I've been through SANS courses and so on. I will also admit that I learned new things, got some very good tips, and some great ideas from this book.

Here's what I think makes this book so valuable:
1. It walks you through the process of building your own investigative platform in both Windows and Linux, including which "behind the scenes" type of things you need for applications and processes to run smoothly.
2. It doesn't just focus on Windows analysis. It has multiple Operating Systems, File Systems, and ways to get at the data. If you want dedicated Windows analysis, look no further than Harlan's books (well, there are other good ones there, too, so don't take it literally - but you can't go wrong with his for sure).
3. It exposes you to some of the deeper concepts of these systems - inodes and journaling in EXT3, MFT and registry with NTFS, plists and user artifacts in OS X, and browser items of interest across the board.
4. It demonstrates the use of some specific tools - all open source, of course - in various platforms, and explains some of the pros and cons thereof.
5. [fanboy]It has a section on log2timeline. Enough said.[/fanboy] ;)

The authors have carefully limited the scope, not trying to stray too far afield, not digging too deep. I think they did a great job. If you're a newcomer to forensics, it will open your eyes and make you think. It will get you started in new directions and challenge your horizons. If you're a veteran forensicator - even if you know every single thing in this book - it makes an excellent refresher, stirring you up by way of reminder, so that you can remember in greater detail the things you forget because you do them every day, as well as the things you don't.

I think that about sums it up. It's a good read, and well worth it. If you're a fast reader and don't linger long on the examples, I think you can wrap it up in a few short hours. If you take longer, stop to smell the roses and whatnot, it'll take a few longer hours, maybe even a couple of days. I suggest you take the time, bookmark, highlight, etc. to make sure you get the most out of it. Again, it's worth it.
