Digital forensics resources

Forensic computer analysis

Fred Cohen says he wrote Challenges to Digital Forensic Evidence (~$39 from Amazon) because of the mistakes he had seen people make when bringing technical materials into a legal setting.  The work is a solid background for a forensic examiner, covering a number of areas that are missed in most other books on this topic.

Debra Shinder’s Scene of the Cybercrime: Computer Forensics Handbook (2nd edition, ~$60 from Amazon) remains as relevant and valuable today as it was when it first came out.  For anyone just becoming involved in digital forensics, the book is an excellent introduction and overview of the field in its proper context. 


Computer and Intrusion Forensics by George Mohay et al. (~$88 from Amazon) brings both computer/systems and network forensic topics into a single book.  While the computer forensic content is sound and it is heartening to see other fields being included, the limited content on network forensics is disappointing.

Paul Crowley’s CD and DVD Forensics (~$45 from Amazon) is often interesting but lacks sufficient detail on most topics.  It suggests areas to be concerned about, but forensic examiners would need more.  Given that this is an esoteric area of study and few other sources are available, it is at least an initial starting point.

Brian Carrier’s File System Forensic Analysis (~US$38 from Amazon) is an introduction to the subject with a wealth of useful detail on the specifics of partition tables and file system structures (FAT, NTFS, Ext2/3 and UFS), which is exactly the knowledge needed to understand what a tool such as The Sleuth Kit is showing you.

In A Guide to Forensic Testimony - The Art and Practice of Presenting Testimony as an Expert Technical Witness (US$49 from Amazon), Fred Smith and Rebecca Bace follow the style of the legal profession and case law, teaching through examples rather than prescribing a specific methodology.  This work is important and information security professionals, certainly those in management or consulting rôles, should seriously consider it.  The text is written with the technical worker in mind, although legal professionals would undoubtedly find the research, advice and explanations helpful in preparing for technical cases.

The three books in the Hacker's Challenge series by Mike Schiffman et al. (US$27-US$34 each from Amazon) each contain twenty scenarios designed to test your ability to analyze the evidence presented (most of the scenarios are network based, so that means logs and packet data) in order to identify and assess intrusions.

The intended audience for Robert Jones’ Internet Forensics (US$31 from Amazon) consists of security professionals, developers and system administrators, but much of the material presented in this book is simplistic.  The average Internet user may however find the content helpful.

Rob Slade’s Software Forensics: Collecting Evidence from the Scene of a Digital Crime (US$44 from Amazon) is the finest work on this topic available today ... well OK, to be honest, it’s the only book dedicated to the subject …

Harlan Carvey’s Windows Forensics and Incident Recovery (US$41 from Amazon) is aimed at anyone interested in the security of Microsoft Windows, particularly network remote-access malware.

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Cliff Stoll (~US$12 from Amazon) is essential, if light, reading for information security professionals, and remains a classic and still captivating detective story for IT geeks in general.  It concerns the identification and tracking of a network intruder by a semi-skilled but diligent network/system administrator at a university, in the days before “information security” was appreciated as a field of study.

If you are interested in becoming an IT forensics expert and have the technical background to give it a go, try Real Digital Forensics - Computer Security and Incident Response by Keith Jones, Richard Bejtlich and Curtis Rose (~$34 from Amazon).  This book teaches you the ropes through a series of case studies using open source tools, with gigabytes of ‘evidence’ on the accompanying DVD for you to analyze yourself.

Dan Farmer and Wietse Venema, the researchers who created and released the SATAN tool a decade ago, have written Forensic Discovery (~US$35 from Amazon).  SATAN was one of the first automated network vulnerability scanners.  Chapter 7, for example (available as a PDF from Amazon), describes the exponential decay of deleted computer data.  The authors measured half-lives of between 12 and 35 days; in other words, data remnants may remain readable for weeks after they have supposedly been deleted from a system, although the proportion that survives falls steadily as the freed disk blocks are reused by normal activity.

Computer Forensics - Incident Response Essentials by Warren Kruse and Jay Heiser (~$31 from Amazon) is recommended reading for those interested in learning about the technical aspects of computer incident management.  The book starts with an outline of the incident management process but quickly homes in on computer forensic techniques.  It is readable, not a highly detailed technical manual.  It includes a helpful list of tools to support IT forensic analysis and a very useful appendix with flowcharts documenting the typical incident response process.

Lance Spitzner has been writing about “honeypots” and “honeynets” - systems and networks used to lure and study hackers - for years.  Here’s a good example of Lance’s excellent technical writing.  His book Honeypots - Tracking Hackers (~US$30 from Amazon) is a truly outstanding contribution to the field of information security and essential reading for security architects, network administrators and other propeller heads.

The Forensics Wiki is a collaborative project collecting information on digital forensics tools and practices.  It’s a good place to find out all you ever wanted to know about forensics.

The UK ACPO (Association of Chief Police Officers) Good Practice Guide for Computer-Based Electronic Evidence (version 4) is well written and extensively used by those who do forensic acquisition for a living.  Its four principles are the baseline most practitioners work to: do not change data held on a computer or storage medium that may later be relied upon in court; anyone who must access original data has to be competent to do so and able to explain the relevance and implications of their actions; keep an audit trail detailed enough for an independent third party to examine the process and reach the same result; and the person in charge of the investigation is responsible for ensuring the law and these principles are followed.

The range of digital forensics tools includes a UPS device to keep a machine powered up while it is transported from the scene of crime back to the forensics lab (so that volatile evidence such as memory contents and live network connections is not lost), and a ‘mouse jiggler’ to prevent the screensaver activating (a password-protected screensaver would lock the examiner out of a live system), as well as the usual forensic analysis software.

Rob Slade’s online computer forensics course links to a range of resources and book reviews.

Forensic Focus is a “busy” site with lots of materials for digital forensics professionals including an excellent online forum, lists of books and a newsletter.

FreeUndelete (free for personal use) claims to restore deleted files on a Windows PC, including those removed from the Recycle Bin.  As with any undelete tool, run it from separate media and write the recovered files to a different drive: every write to the original disk risks overwriting the very remnants you are trying to recover.

Dan Farmer and Wietse Venema are famous for The Coroner’s Toolkit (a collection of digital forensics tools), their classic paper Improving the Security of Your Site by Breaking Into It, and SATAN (Security Administrator Tool for Analyzing Networks).  Venema is also the author of TCP Wrappers (host-based access control for network services on UNIX) and Postfix (a mail transfer agent designed from the outset with security in mind).

The Sleuth Kit grew out of The Coroner’s Toolkit, while the Penguin Sleuth Kit is another collection of forensic tools, nothing in fact to do with polar crime.
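Tools of this kind fall back on signature-based carving when the file system’s own metadata is gone, and carving is the practical face of Farmer and Venema’s observation above that deleted data lingers: the directory entry is gone but the bytes are still on disk until something overwrites them.  The Python below is an added illustration written for this page, not code from The Sleuth Kit, The Coroner’s Toolkit or any other tool listed here.  The signature table, the three embedded ‘deleted’ objects and the filler standing in for unallocated space are all constructed.

```python
"""Signature-based file carving over a raw image.

Added illustration for this page: not code from The Sleuth Kit, TCT or any
tool listed here.  The signature table and the sample image are constructed.
"""
import hashlib
from typing import Dict, List

# Header/footer byte signatures for a few common file types (constructed table).
# Real carvers such as foremost and scalpel ship far larger tables.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[Dict]:
    """Find every header in SIGNATURES and cut out the bytes up to its footer.

    Carving ignores file-system metadata entirely, which is why it still works
    after a directory entry has been deleted.  The price is that a header with
    no footer within max_size is reported as 'truncated', and byte patterns
    that merely look like a header will produce false positives.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                data, status, resume = image[start:limit], "truncated", start + len(header)
            else:
                end += len(footer)
                data, status, resume = image[start:end], "complete", end
            found.append({
                "type": ftype,
                "offset": start,
                "size": len(data),
                "status": status,
                "sha256": hashlib.sha256(data).hexdigest(),  # for the evidence log
            })
            start = image.find(header, resume)
    return sorted(found, key=lambda r: r["offset"])


# Constructed objects standing in for files whose directory entries are gone.
JPEG_OBJ = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"image-data" * 20 + b"\xff\xd9"
PDF_OBJ = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n%%EOF"
PNG_FRAGMENT = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"pixels" * 10  # IEND overwritten


def filler(n: int) -> bytes:
    """Deterministic 'unallocated space' (A..Z repeating) containing none of the signatures."""
    return bytes(0x41 + (i % 26) for i in range(n))


def build_sample_image() -> bytes:
    """A constructed raw image: three 'deleted' objects scattered among filler."""
    return (filler(512) + JPEG_OBJ + filler(300) + PDF_OBJ
            + filler(700) + PNG_FRAGMENT + filler(100))


if __name__ == "__main__":
    for rec in carve(build_sample_image()):
        print(f"{rec['type']:>3} @ {rec['offset']:>6} {rec['size']:>5} bytes "
              f"{rec['status']:<9} sha256 {rec['sha256'][:16]}...")
```

Run against a real image (say the output of dd) by reading it into `carve()` in one go or, for anything large, by adapting the loop to work on a memory-mapped file.  Note what the truncated PNG shows: without a footer the carver can only hand back everything up to the size cap, so the examiner, not the tool, has to decide where the object really ends.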

Helix is a LiveCD (a bootable CD) based on the Knoppix distribution of Linux that provides a number of useful utilities for forensic examination of Linux, UNIX and Windows systems.  It is available as a free ISO image as well as in commercial enterprise and professional versions.

RFC (“Request For Comment”) 2350, “Expectations for Computer Security Incident Response”, sets out what an incident response team should publish about its services and processes, while CERT gives step-by-step instructions on creating a computer security incident response team.

The US Department of Justice Computer Crime & Intellectual Property Section is, as one might expect, well practised in the art and science of digital forensics.

The Open Source Computer Forensics Manual doesn't have a lot in it and it only covers the basics, but it is reasonable at that. Maybe you’d like to help get the project restarted?

If you’re heavily into digital forensics, you may be attending or presenting at the next Digital Forensic Research Workshop in Montreal in August.  If not, you might find some value in the papers presented at past workshops, such as last year’s.

These may be mostly sales catalogues but they do point to some useful forensics utilities.

Les Bell’s advice on tracing email is helpful whether you are investigating an email security incident or just trying to figure out how email works.  The trail is the stack of Received: headers, each prepended by a relay as the message passed through it, so the topmost line is the most recent hop; only the lines added by servers you trust can be relied upon, since anything below them could have been forged by the sender.
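Reading that stack by hand is error-prone, so here is the tracing step in Python as an added example for this page (it is not Les Bell’s material).  It walks the Received: headers from the bottom up to list the hops in transit order and flags any point where one relay’s “by” host is not the host the next line claims to have received from, the usual sign that the lower lines were forged.  The message is constructed using documentation addresses, not a real capture.

```python
"""Reconstruct an e-mail's relay path from its Received: headers.

Added illustration for this page, not Les Bell's material.  The message below
is constructed (RFC 5737 documentation addresses), not a real capture.
"""
import re
from email import message_from_string
from typing import Dict, List

SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.com (Postfix) with ESMTPS id 4AB12C
\tfor <alice@example.com>; Mon, 02 Apr 2012 10:15:32 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id x7yZ; Mon, 02 Apr 2012 10:15:29 +0000
Received: from [192.0.2.55] (helo=laptop.lan)
\tby relay.example.org with ESMTPA; Mon, 02 Apr 2012 10:15:20 +0000
From: bob@example.org
To: alice@example.com
Subject: test
Message-ID: <1234@example.org>

Hello
"""

HOP_RE = re.compile(r"from (?P<src>.+?) by (?P<dst>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header: str) -> Dict[str, str]:
    """Pull the claimed sender, its IP, the receiving host and the timestamp out of one header."""
    h = " ".join(header.split())  # unfold continuation lines
    m = HOP_RE.search(h)
    src = m.group("src") if m else ""
    ip = IP_RE.search(src)
    return {
        "claimed": src.split()[0] if src else "",   # name the sender gave in HELO/EHLO
        "ip": ip.group(1) if ip else "",             # address the receiving relay saw
        "by": m.group("dst") if m else "",
        "when": h.rsplit(";", 1)[1].strip() if ";" in h else "",
    }


def trace_path(raw_message: str) -> List[Dict[str, str]]:
    """Return the hops in transit order, origin first."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # Every relay prepends its own line, so the header block reads newest-first.
    return [parse_received(h) for h in reversed(received)]


def chain_breaks(path: List[Dict[str, str]]) -> List[int]:
    """Indices where hop i's receiving host is not who hop i+1 says it received from.

    A break usually means the lower (older) lines were forged by the sender,
    which is why only lines added by relays you trust should be believed.
    """
    return [
        i for i in range(len(path) - 1)
        if path[i]["by"].lower() != path[i + 1]["claimed"].lower()
    ]


if __name__ == "__main__":
    hops = trace_path(SAMPLE_MESSAGE)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop['claimed']} [{hop['ip'] or '?'}] -> {hop['by']} at {hop['when']}")
    print("chain breaks:", chain_breaks(hops) or "none")
```

The bracketed IP in each line is recorded by the receiving relay from the TCP connection, so it is far harder to fake than the HELO name beside it; when the two disagree, trust the IP.  Start from your own server’s line and work downwards only as far as the chain stays continuous.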

You can use a Windows boot CD to rescue or investigate Windows drives, or a Linux LiveCD with suitable tools, such as Helix.  Either way, boot from the CD rather than from the suspect disk, attach the evidence drive read-only (ideally behind a hardware write blocker), take a bit-for-bit image of it, and record cryptographic hashes of the original and the image before and after so you can later show that the act of examination changed nothing.
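What that imaging step actually does, as an added example for this page rather than code from Helix or any tool listed here, is a block-by-block copy with a hash computed over the bytes as they are read, followed by independent re-hashing of both the source and the image.  The three hashes must agree; the Python below also flips one byte in the finished image to show that the check catches an accidental write to the working copy.  The ‘suspect drive’ is a constructed 1 MiB file so the example runs anywhere; on a real job the source would be a block device opened read-only behind a write blocker.

```python
"""Bit-for-bit acquisition with integrity hashes, the way a LiveCD examiner
would run dd alongside sha256sum.

Added illustration for this page, not code from Helix or any other tool listed
here.  The 'suspect drive' is a constructed 1 MiB file.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

BLOCK = 64 * 1024


def acquire_image(source: str, image: str, block_size: int = BLOCK) -> Tuple[str, int]:
    """Copy source to image, hashing the bytes as they are read.

    Returns (sha256 of what was read, bytes copied).  Real imagers also cope
    with unreadable sectors (dd's conv=noerror,sync pads them with zeros so
    offsets are preserved); a plain file never raises, so that is left out.
    """
    digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return digest.hexdigest(), copied


def sha256_file(path: str, block_size: int = BLOCK) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_acquisition(source: str, image: str, acquisition_hash: str) -> Dict[str, object]:
    """Re-hash both sides independently and compare with the hash taken during the copy.

    A source mismatch means the original changed during the job; an image
    mismatch means the copy is not faithful (or has been altered since).
    """
    source_hash = sha256_file(source)
    image_hash = sha256_file(image)
    return {
        "source_hash": source_hash,
        "image_hash": image_hash,
        "match": source_hash == image_hash == acquisition_hash,
    }


def demo() -> Dict[str, object]:
    """Acquire a constructed drive, verify it, then show a single flipped byte is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect-drive.bin")
        image = os.path.join(tmp, "suspect-drive.dd")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # constructed 1 MiB 'drive'
        acq_hash, copied = acquire_image(source, image)
        clean = verify_acquisition(source, image, acq_hash)
        with open(image, "r+b") as f:  # simulate an accidental write to the working copy
            f.seek(1000)
            b = f.read(1)
            f.seek(1000)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered = verify_acquisition(source, image, acq_hash)
        return {
            "copied": copied,
            "acq_hash": acq_hash,
            "clean_match": clean["match"],
            "tampered_match": tampered["match"],
            "source_unchanged": tampered["source_hash"] == acq_hash,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Write the acquisition hash into your contemporaneous notes at the time it is produced, not later; it is the value that ties every subsequent analysis back to the exhibit and is what the ACPO audit-trail principle expects you to be able to show.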

OpenSourceForensics.org is mostly just a listing of tools.  As with so many similar eShop-window sites, it pays to be somewhat dubious about the comments and recommendations, and to look for other options beyond those listed.  In fact, you should really start your search a stage or two further back by first figuring out and prioritizing your requirements.

The Small Scale Digital Device Forensics Journal is perhaps not the kind of thing your average community library stocks but a local University might just carry it.

A couple of NIST Special Publications cover digital forensics specifically on PDAs (SP 800-72, Guidelines on PDA Forensics) and cellphones (SP 800-101, Guidelines on Cell Phone Forensics).

CyberSpeak is a technology podcast covering computer security, computer crime and computer forensics, hosted by two former federal agents who investigated computer crime.

Fourteen tips on IT forensics, in two parts (first and second), include the warning “Don’t get in over your head”.  Some IT incidents turn out to be nothing much when investigated, but others become deadly serious.  Inadequate skills and tools can lead inexperienced investigators into deep water, quite possibly damaging all prospects of a successful outcome, for instance by altering or failing to preserve evidence that a court would later need.


Related NoticeBored links collections

Incident management, hacking, fraud, insider threats.


NB: none of this is legal advice!  We do not even necessarily endorse or agree with the third party websites accessible through the links, or the books listed above.  Use at your own risk.  Please let us know about new or broken links.



Copyright © 2012  IsecT Ltd.