Forensic Discovery. By Dan Farmer and Wietse Venema; published by Addison-Wesley, 800/382-3419 (phone), www.awprofessional.com (Web); 217 pages; $39.99.
In The Persistence of Memory, Salvador Dali painted a bleak dreamscape featuring drooping watches, which has been interpreted by art critics and others to represent the impermanence of the physical world. Dali may have had a different view had he painted after the computer revolution transformed the world into one in which information lives on indefinitely. The difficulty of truly erasing digital information is one of the underlying themes of Forensic Discovery, a guide to gathering and analyzing digital evidence, reconstructing computer data, and tracking virtual attackers.
Forensic Discovery is not for technical novices; readers must have a solid understanding of computer file systems, networking concepts, and computer processes. The authors focus on computer forensics for UNIX (Solaris, FreeBSD, and Linux) computers, with scant information provided about Windows. The authors explain how to obtain reliable digital evidence from running UNIX systems, uncover changes to system utilities and kernel modules, and identify suspicious activity. Sample computer compromises illustrate the concepts.
Once the basic tenets of computer forensics have been explained, the authors move into technical discussions, such as a detailed description of UNIX file systems and the surprisingly large amount of “deleted” file content and metadata that can still be found on systems even years after the data has supposedly been erased. The authors also furnish detailed information about how to use the well-known forensics tool that they created, The Coroner’s Toolkit. At least some discussion of other such tools would have been helpful, however.
From detecting rootkits to tracing system calls to reverse-engineering malicious code, the authors explore many complex areas of forensics. Anyone without a programming background may be overwhelmed.
For all of Dali’s skill and renown, he certainly is not for everybody. The same is true of this book: it is great for those with the base knowledge, but not for the novice. It is also limited by its focus on forensics of UNIX computers; it does not address doing the same on Windows-based systems.
Reviewer: Steven Weil, CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CBCP (Certified Business Continuity Professional), is senior security consultant with Seitel Leeds & Associates, a full-service consulting firm based in Seattle. He specializes in security policy development, HIPAA compliance, disaster recovery planning, security assessments, and security incident response.