Forensic Discovery

Authors: Dan Farmer, Wietse Venema
ISBN: 020163497X
Publisher: Addison Wesley

Forensic Discovery is a small book that packs a big punch. In just over 200 pages it presents more information than books three times its size (and weight).

The book is divided into three main sections. The first, “Basic Concepts”, explains two of the book's core ideas: the order of volatility and how it influences the gathering of evidence, and the importance of time-based information. It also introduces a number of less obvious information sources, such as the Ext2/3 file system journal and in-memory DNS caches, before providing a primer on MACtimes. Chapter two ends with an example intrusion, showing how the time-based information revealed the attacker's actions and a second, previously undetected, intrusion.
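To make the MACtime idea concrete, here is a small added example (my own code, not from the book or its authors) that collects the modification, access and change times of every file under a directory and flattens them into a time-ordered timeline in the same spirit as the `mactime` tool the book draws on. The directory layout, file names and timestamps in `demo()` are constructed for the illustration; in a real case you would run this over a read-only mounted copy of the evidence, because merely reading a file on a live system can overwrite its access time, which is exactly the order-of-volatility problem the chapter discusses.

```python
import os
import tempfile


def collect_mactimes(root):
    """Walk `root` and return (path, mtime, atime, ctime) for every entry.

    lstat is used so that symlinks are recorded rather than followed; the
    directory should be a read-only mount so the walk itself leaves no trace.
    """
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rows.append((path, st.st_mtime, st.st_atime, st.st_ctime))
    return rows


def build_timeline(rows):
    """Turn stat rows into sorted (timestamp, flags, path) events.

    Each of the three times becomes its own event; events that fall in the
    same second for the same path are merged into one row whose flags use
    the mactime convention: 'm', 'a', 'c' present, '.' absent (e.g. "ma.").
    """
    events = {}
    for path, mtime, atime, ctime in rows:
        for ts, letter in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            events.setdefault((round(ts), path), set()).add(letter)
    timeline = []
    for (ts, path), letters in sorted(events.items()):
        flags = "".join(l if l in letters else "." for l in "mac")
        timeline.append((ts, flags, path))
    return timeline


def demo():
    """Construct a tiny evidence tree and return (old_path, new_path, timeline).

    old.log gets its mtime/atime pushed back to 2001 with utime(); the kernel
    still stamps its ctime with "now", so the file shows up twice: once as
    "ma." in 2001 and once as "..c" at the time of the tampering. That split
    is the classic sign of someone back-dating a file, since ctime cannot be
    set from user space.
    """
    root = tempfile.mkdtemp()
    old_path = os.path.join(root, "old.log")   # constructed sample file
    new_path = os.path.join(root, "new.txt")   # constructed sample file
    with open(old_path, "w") as fh:
        fh.write("sample line\n")
    with open(new_path, "w") as fh:
        fh.write("sample line\n")
    os.utime(old_path, (1_000_000_000, 1_000_000_000))  # back-date m and a
    timeline = build_timeline(collect_mactimes(root))
    return old_path, new_path, timeline


if __name__ == "__main__":
    _, _, tl = demo()
    for ts, flags, path in tl:
        print(ts, flags, path)
```

Reading the output top to bottom gives the chronology the chapter describes: the back-dated `old.log` appears first with flags `ma.`, then the honest `..c` event for the same file sits among the recent entries, which is the discrepancy an investigator looks for.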

The second part, which makes up the bulk of the book, dives into file systems, subverting kernels and (the slightly out of place but still interesting) analysing malware. These chapters cover a lot of ground in a rapid but understandable way. Due to the size of the book all padding seems to have been stripped out, leaving nothing but the highlights. And when the authors are Dan Farmer and Wietse Venema there are a lot of highlights.

The final section is two technically dense chapters long. The first looks at how long deleted files persist on disk and the information they leave behind, presents some tools that can help retrieve them, and shows some example retrieval numbers taken from experiments using Solaris, FreeBSD and Linux. The closing chapter focuses on memory. It explains how swap and memory pages relate to forensic discovery, how files reside in memory and how to extract chunks of them once the file has been deleted.

While the principles presented are widely applicable, nearly all of the technical examples are Unix-focused. The concepts are clearly presented and remarkably accessible, but the examples themselves require strong familiarity with Unix commands, file systems, networking and processes. It's also worth noting that the book is full of little tips and tricks; examples include detecting file systems mounted over existing directories and extracting chunks of files using lazarus.

Score: 8/10. Essential reading for anyone interested in digital forensics, a greater understanding of Unix systems or just some very cool technical tricks.