CyberForensics: Understanding Information Security Investigations

Posted on by Ben Rothke

CyberForensics: Understanding Information Security Investigations is a new book written by a cast of industry all-stars.  The book takes a broad look at cyberforensics with various case studies.  Each of the book's 10 chapters takes a different approach to the topic.  The book is meant to be a source guide to the core ideas of cyberforensics.

The book notes that there is a cohesive set of concepts that binds cybersecurity investigators to a shared vision, and it tries to be a source for those concepts.  But at 150 pages, while all of the chapters are well-written and enlightening, the book does not have the breadth and depth needed to be a single source of all things cyberforensics.

Jennifer Bayuk is the book's editor and also wrote the introduction.  Bayuk's introduction provides a historical background to the subject and puts things into context.  The chapter uses a fantastic visual tool to explain the complete cyberforensic framework.

Chapter 2 is about the Complex World of Corporate CyberForensic Investigations, and does a good job of detailing the various elements involved in getting various corporate departments integrated during an investigation.  IT in an enterprise setting is fraught with challenges.  Performing a forensic investigation in enterprise IT is even more challenging.  Often these groups have different agendas and react quite differently to a forensic event.  The author uses the analogy of a puzzle, which can be complex to put together, but is challenging and necessary nonetheless.

Many of the chapters take a broader view of the topic, while others are quite detailed.  Perhaps the best chapter in the book is chapter 6, Analyzing Malicious Software, from Lenny Zeltser.  The chapter is an outgrowth of Zeltser's SANS Security 569 course on the topic.  The chapter's use of a case study to detail the behavioral analysis of malicious code provides an excellent synopsis of how to analyze and debug malicious code.

Chapter 7 on Network Packet Forensics from Eddie Schwartz is another exceptional chapter that provides the reader with a walk-through of using various digital forensic inputs to solve an incident.

Chapter 10 on Cybercrime and Law Enforcement Cooperation is about how to interface with law enforcement during a cyberforensic investigation.  This may be the Achilles' heel of forensics: getting external cooperation is difficult at best, and often impossible.  A recent example of this is a friend of mine who had detailed information about the source of the Stuxnet worm.  He attempted to share the information with law enforcement without much success.  The various organizations were not receptive to it and didn't take action on his well-researched claims.

The book is written for an experienced practitioner who wants an overview of current trends.  This is not a For Dummies type of book.  Readers are expected to be comfortable with varied topics such as Wireshark packet capture, code analysis, investigations, and more.  Those looking for an introduction to cyberforensics should definitely consider another title such as Computer Forensics for Dummies.

A problem with collaborative books such as this is that they often lack a consistent stream of thought.  This book suffers from that, but to a limited degree.  It is impossible for ten different authors writing about the same subject not to have different styles.  An example of that is the use of both spellings, CyberForensics and Cyberforensics, in the book.

At 150 pages, the book is a relatively quick initial read, and covers numerous interesting areas. 

The only downside to the book is that it has a prohibitive list price of $189.00.  A month after its release, that price may be the reason why it has an Amazon Bestsellers Rank of #1,399,835.

While the book has excellent content, its exorbitant price will simply ensure that its sales will be eclipsed by the Pocket Oxford Latin Dictionary, which comes in way ahead with an Amazon Bestsellers Rank of 182,392.

Ben Rothke

Senior Information Security Manager, Tapad
