Forensic Discovery View Larger Image | Dan Farmer, Wietse Venema
Addison-Wesley, Paperback, Published December 2004, 217 pages, ISBN 020163497X | List Price: $44.99
Our Price: $34.95
You Save: $10.04 (22% Off)
| | | Availability: Out-Of-Stock |
Be the First to Write a Review and tell the world about this title!People who purchase this book frequently purchase: Books on similar topics, in best-seller order:Books from the same publisher, in best-seller order:
The Definitive Guide to Computer Forensics: Theory and Hands-On Practice
Computer forensics, the art and science of gathering and analyzing digital
evidence, reconstructing data and attacks, and tracking perpetrators, is becoming
ever more important as IT and law enforcement professionals face an epidemic
in computer crime. In Forensic Discovery, two internationally recognized experts
present the most thorough and realistic guide to the subject ever published.
Dan Farmer and Wietse Venema cover both theory and hands-on practice, introducing
a powerful approach that can often recover evidence considered lost forever.
The authors draw on their extensive firsthand experience to cover everything
from file systems to memory, kernel hacks to malware. Along they way, they expose
a wide variety of computer forensics myths that stand in the way of success.
You'll find extensive examples from Solaris, FreeBSD, Linux, and Microsoft Windows,
as well as practical guidance for using many of today's most powerful forensic
tools. The authors are singularly well-qualified to write this book: They personally
created many of those tools--from the legendary SATAN network scanner to the
powerful Coroner's Toolkit for analyzing UNIX break-ins.
After reading this book you will be able to
- Understand essential forensics concepts: volatility, layering, and trust
- Gather the maximum amount of reliable evidence from a running system
- Recover partially destroyed information--and make sense of it
- Timeline your system: understand what really happened when
- Uncover secret changes to everything from system utilities to kernel modules
- Avoid cover-ups and evidence traps set by intruders
- Identify the digital footprints associated with suspicious activity
- Understand file systems from a forensic analyst's point of view
- Analyze malware--and prevent it from escaping
- Capture and examine the contents of main memory on running systems
- Walk through unraveling an intrusion, one step at a time
- Use your evidence to apprehend intruders--and make sure it stands up in
court
This book's companion Web site contains complete source and binary code for
open source software discussed in the book, plus additional computer forensics
case studies and resource links.
Table of Contents
Preface.
What You Can Expect to Learn from this Book.
Intended Audience.
Organization of this Book.
Conventions Used in this Book.
Web Sites.
Acknowledgments.
I. BASIC CONCEPTS.
1. The Spirit of Forensic Discovery.
Introduction.
Unusual Activity Stands Out.
The Order of Volatility (OOV).
Layers and Illusions.
Trustworthiness of Information.
Fossilization of Deleted Information.
Archaeology vs Geology.
2. Time Machines.
Introduction.
The First Signs of Trouble.
What's Up, MAC? (An Introduction to Mactimes).
Limitations of Mactimes.
Argus - Shedding Additional Light on the Situation.
Panning for Gold - Looking for Time in Unusual Places.
DNS and Time.
Journaling File Systems and Mactimes.
Foibles of Time.
Conclusion.
II. EXPLORING SYSTEM ABSTRACTIONS.
3. File System Basics.
Introduction.
Alphabet Soup of File Systems.
UNIX File Organization.
UNIX File Names.
UNIX Pathnames.
UNIX File Types.
A First Look Under the Hood - File System Internals.
UNIX File System Layout.
I've Got You Under My Skin - Delving Under the File System.
The Twilight Zone, or Dangers Below the File System Interface.
Conclusion.
4. File System Analysis.
Introduction.
First Contact.
Preparing the Victim's File System for Analysis.
Capturing the Victim's File System Information.
Sending a Disk Image Across the Network.
Mounting Disk Images on an Analysis Machine.
Existing File Mactimes.
Detailed Analysis of Existing Files.
Wrapping Up the Existing File Analysis.
Intermezzo: What Happens When a File is Deleted?
Deleted File Mactimes.
Detailed Analysis of Deleted Files.
Exposing Out-of-Place Files by Their Inode Number.
Tracing a Deleted File Back to its Original Location.
Tracing a Deleted File Back by its Inode Number.
Another Lost Son Comes Back Home.
Loss of Innocence.
Conclusion.
5. Systems and Subversion.
Introduction.
The Standard Computer System Architecture.
UNIX System Life Cycle from Startup to Shutdown.
Case Study: System Startup Complexity.
Kernel Configuration Mechanisms.
Protecting Forensic Information with Kernel Security Levels.
Typical Process and System Status Tools.
How Process and System Status Tools Work.
Limitations of Process and System Status Tools.
Subversion with Rootkit Software.
Command-Level Subversion.
Command-Level Evasion and Detection.
Library-Level Subversion.
Kernel-Level Subversion.
Kernel Rootkit Installation.
Kernel Rootkit Operation.
Kernel Rootkit Detection and Evasion.
Conclusion.
6. Malware Analysis Basics.
Introduction.
Dangers of Dynamic Program Analysis.
Program Confinement with Hard Virtual Machines.
Program Confinement with Soft Virtual Machines.
Dangers Of Confinement with Soft Virtual Machines.
Program Confinement with Jails, and Chroot.
Dynamic Analysis with System Call Monitors.
Program Confinement with System Call Censors.
Program Confinement with System Call Spoofing.
Dangers of Confinement with System Calls.
Dynamic Analysis with Library Call Monitors.
Program Confinement with Library Calls.
Dangers of Confinement with Library Calls.
Dynamic Analysis at the Machine Instruction Level.
Static Analysis and Reverse Engineering.
Small Programs Can Have Many Problems.
Malware Analysis Countermeasures.
Conclusion.
III. BEYOND THE ABSTRACTIONS.
7. Persistence of Deleted File Information.
Introduction.
Examples of Deleted Information Persistence.
Measuring the Persistence of Deleted File Contents.
Measuring the Persistence of Deleted File Mactimes.
Brute Force Persistence of Deleted File Mactimes.
Long-Term Persistence of Deleted File Mactimes.
Impact of User Activity on Deleted File Mactimes.
Trustworthiness of Deleted File Information.
Why Deleted File Information Can Survive Intact.
Conclusion.
8. Beyond Processes.
Introduction.
Virtual Memory Basics.
Memory Page Basics.
Files and Memory Pages.
Anonymous Memory Pages.
Capturing Memory.
The Savecore Command.
Static Analysis - Recognizing Memory from Files.
Recovering Encrypted File Content without Keys.
File System Blocks vs Memory Page Technique.
Recognizing Files in Memory.
Dynamic Analysis - Persistence of Data in Memory.
File Persistence in Memory.
The Persistence of Non-File or Anonymous Data.
Swap Persistence.
Persistence of Memory through the Boot Process.
Trustworthiness and Tenacity of Memory Data.
Conclusion.
Appendix A. The Coroner's Toolkit and Related Software.
Introduction.
Data Gathering with Grave-Robber.
Time Analysis with Mactime.
File Reconstruction with Lazarus.
Low-Level File System Utilities.
Low-Level Memory Utilities.
Appendix B. Data Gathering and the Order of Volatility.
Introduction.
The Basics of Volatility.
Current State of the Art.
How to Freeze a Computer.
Conclusion.
Index.
About the Authors
Dan Farmer is author of a variety of security programs and papers.
He is currently chief technical officer of Elemental Security, a computer security
software company. Together he and Wietse Venema, have written many of the world’s
leading information security and forensics packages, including the SATAN network
security scanner and the Coroner’s Toolkit.
Wietse Venema has written some of the world’s most widely
used software, including TCP Wrapper and the Postfix mail system. He is currently
a research staff member at IBM Research. Together, he and Dan Farmer have written
many of the world’s leading information security and forensics packages,
including the SATAN network security scanner and the Coroner’s Toolkit.
|
