Forensic Discovery


Posted on by Ben Rothke

When most people think of forensics, television shows like Quincy and  CSI come to mind. Where such shows deviate from reality is the  unrealistic speed at which the actors are able to identify, apprehend  and prosecute the perpetrators. In the real world, (unlike television,  where the crime must be solved by the end of the family hour), crimes  are solved with slow, deliberate and methodical steps. The prodigious  incidence of digital crime has elevated computer forensics to a critical  role within the field of information security. The focus of computer  forensics is twofold: first is the attempt to determine whether a breach  has occurred and to stop the perpetrator; second is prosecution of the  offender, if the breach was a criminal activity. 

Security luminaries Dan Farmer and Wietse Venema wrote one of the  first vulnerability scanners (SATAN) almost 15 years ago; SATAN was the  precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known  security applications as the TCP Wrapper program and the Postfix mail  server. Farmer and Venema's new book Forensic Discovery is a valuable  book that grounds a computer-savvy reader in the world of digital  forensics. 

An image of a pipe by artist René Magritte is on the cover with the  caption Ceci nest pas une pipe. ("This is not a Pipe.") The picture  demonstrates that an object exists on many planes; the simple  recognition of the picture initiates the belief that we are seeing  something, but it is only known in representation. Surrealist painting  and digital forensics coalesce in that the digital forensic investigator  must think broadly and unconventionally in order to reconstruct an  incident, all the time keeping in mind that often what initially seems  obvious is neither real nor correct. 

The material in the book is an outgrowth of a one-time seminar the  authors gave in 1999 on digital forensics and analysis. At the seminar,  Farmer and Venema rolled out The Coroner's Toolkit (TCT), a collection  of tools for gathering and analyzing forensic data on a Unix system. TCT  is heavily referenced throughout the book. 

The book initially seems thin, at just 198 pages, but there is no  filler and the information is presented in a fast and furious manner.  Part one of the book comprises 35 pages and is an introduction to the  foundations of digital forensics and what to look for in an digital  investigation. 

Part two (chapters 3-6) is the nucleus of the book, which quickly  gets into low-level details about file systems and operating system  environments. While other forensics books focus exclusively on the  discovery and gathering of data; Forensic Discovery adds needed insight  on how to judge the trustworthiness of the observation and the data  itself. Again, the idea is that not everything is as obvious as it may  initially seem. An effective investigation often requires intense  analysis, where meaningful conclusions take time. 

Chapter 4, "File System Analysis," notes that while computers have  significantly evolved since their inception, little has changed in last  30 years in the way that file systems actually handle data. 

Chapter 5, "Systems and Subversion," is particularly interesting as  it deals with system startup and shutdown, from a forensics perspective.  The chapter shows that there are thousands of possible opportunities to  subvert the integrity of a system without directly changing a file  during startup and shutdown. A crucial decision that must be made during  an incident is whether to shut down the system or let it remain  on-line. There are advantages and disadvantages to each approach, and  the book details them. 

Part three (chapters 7-8) is about the persistence of deleted file  information. The authors' research reveals that data can be quite  resistant to destruction. The book shows that a huge amount of data and  metadata can survive intended deletion as well as accidental damage.  

Forensic Discovery is unusual in that other books on forensics are  often nothing more than checklists and step-by-step instructions on what  to do during an incident. Forensic Discovery provides a broad framework  on the nature of data and how it can be recovered for forensic  purposes. By understanding the underlying operating system, the act of  analyzing and dealing with a security breach becomes much easier.  

The book's target reader is anyone who wants to deepen his  understanding of how computer systems work, as well as anyone who is  likely to become involved with the technical aspects of computer  intrusion or system analysis. The topics are too advanced, to make it  the right book for the novice system administrator. For the technical  reader, though, Forensic Discovery is one of the best computer security  books published in the last year. The value of the information is  immense, and the extensive experience that the authors bring is unmatched.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

forensics & e-discovery

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs