
Book Review: Forensic Discovery

About.com Rating



No matter how careful someone is about removing any traces of their presence from a computer system, the signs and evidence still exist if you know where to look. Farmer and Venema provide an excellent and in-depth look at how to find forensic evidence on a computer system.

The Authors and Book

Dan Farmer and Wietse Venema have worked together for about ten years, collaborating on well-known programs such as the SATAN network security scanner and the Coroner's Toolkit forensic analysis system.

Farmer is currently the Chief Technical Officer of Elemental Security, a security software company, and Venema, who has also developed software such as TCP Wrapper and the Postfix mail system, is a member of the IBM Research staff.

The two of them combined their extensive knowledge and experience to provide this detailed look into uncovering forensic evidence and performing computer incident response.

The first couple of chapters establish a framework on which the rest of the book is developed. The authors introduce important concepts regarding the relative volatility of data and the use of time, or timelining, to uncover hidden clues.

The middle chapters dive into explaining file systems and how to analyze different aspects of file systems. Chapter 5 covers subtle changes made by the system and the users and ways to detect or discover those changes. The section finishes with Chapter 6, a look at the basics of analyzing malware.

The final two chapters cover the persistence of deleted data and looking beyond processes.

My Review

I have learned a lot from other computer forensics books such as Harlan Carvey's Windows Forensics and Incident Recovery or Kevin Mandia and Chris Prosise's Incident Response and Computer Forensics - 2nd Edition, but this one has a slightly different approach and conveys a lot of good, detailed information in a relatively concise book.

The book is aimed at readers who wish to gain a deeper understanding of how computer systems work, particularly system administrators or those who may actually be tasked with performing a forensic investigation. The book does assume some level of computer knowledge, such as the basic concepts of networking, system processes, or file systems, and is not intended for pure novices.

Farmer and Venema focus a fair amount of attention on the concept of time and how to use it in a forensic investigation. They also lay out an order of operations for an investigation, so that volatile data is retrieved before it disappears.

Computer forensics is an area of network and computer security that I am particularly interested in. This is an excellent book which I highly recommend. It is well-written and very educational, but it is also a fairly quick read.
