Computer Forensics: Incident Response Essentials
Authors: Warren G. Kruse II and Jay G. Heiser
Available for download is chapter 2 entitled “Tracking an Offender”.
To the average user, computer forensics can look like a black art, and those who practice it like modern wizards. As a relatively young branch of IT security it keeps evolving, so that same average user never quite gets a grip on it. Courses exist in one form or another, but books are scarce. Provided you have the background, you might not need a particular book, since you may already possess many of the necessary skills. But even the smartest of computer gurus can use a formal introduction, not only to safekeeping evidence and not tampering with it, but also to deducing what the tracks mean. And lo and behold, we finally have a good book to start with.
Computer Forensics is another fine book from Addison-Wesley, written by two security experts, Warren G. Kruse II and Jay G. Heiser. Mr. Kruse is a former police officer who specialized in computer-related crime and is a member of several anti-computer-crime organizations, while Mr. Heiser is a CISSP with more than fifteen years of experience in the IT security business. Together they have written this book to shed some light on the computer forensics path, often too dark for anyone to venture down alone. Let's see what the authors, who also teach the subject, have put together for us.
Computer forensics is still a grey area, with few courses available to those seeking more knowledge, let alone wisdom. This is one of the very few books available on the subject.
So the book takes one step at a time, first introducing the term computer forensics and then progressively expanding the entangled web of things you need to know about it. That is also the title of the first chapter, an introduction to computer forensics, which covers everything you need to get properly acquainted with the topic. The three A's, which form the backbone of every forensic analysis, are introduced: acquire, authenticate and analyze. You learn why it is important to analyze the data without modifying it, and all the small but important steps and the outline of the basic procedure to be followed are covered in depth as the book progresses.
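To make the acquire and authenticate steps concrete, here is an added Python example (my own, not code from the book): it images a constructed stand-in for a seized device, records the SHA-256 of source and image, and shows that reading the copy leaves the hash intact while a single stray write breaks it. The file names and the simulated device content are assumptions for the demonstration. A real acquisition goes through a hardware write blocker and an imaging tool, with the image mounted read-only; this script only shows the hashing discipline around it.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks: evidence images are larger than RAM


def digest(path, algo="sha256"):
    """Hash a file without loading it into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Copy `source` to `image` byte for byte and return (source_hash, image_hash).
    The two must match; if they do not, the copy is not the evidence."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest(), digest(image)


def authenticate(image, recorded):
    """Re-hash the image and compare it with the hash recorded at acquisition."""
    return digest(image) == recorded


def demo():
    """Returns (copy matched source, still authentic after reading,
    still authentic after one stray write)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "suspect_disk.bin")  # assumed name
        image = os.path.join(tmp, "suspect_disk.dd")      # assumed name
        # Constructed stand-in for a seized device: 2 MiB of deterministic bytes.
        with open(evidence, "wb") as f:
            f.write(bytes(range(256)) * 8192 + b"end-of-disk")
        src_hash, img_hash = acquire(evidence, image)
        # Analysis works on the copy; reading it must not alter it.
        with open(image, "rb") as f:
            f.read()
        after_read = authenticate(image, src_hash)
        # Simulated mistake: a write to the image (e.g. mounting it read-write).
        with open(image, "r+b") as f:
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0xFF]))
        after_write = authenticate(image, src_hash)
        return src_hash == img_hash, after_read, after_write


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The recorded hash belongs in the chain-of-custody notes together with who took it and when; anyone can then re-run authenticate() on the image before and after their own analysis and show that what they examined is what was seized.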
The following chapter, tracking an offender, is about detecting and tracking down an offender on the Internet. It deals with reading all the tiny clues that the average user either ignores or finds as cryptic as smoke signals. A lot of information can be gathered from a simple e-mail header or a Usenet posting, and this chapter points you in the right direction as to what to look for and, most importantly, how to look for it. If you are the kind of person who enjoys reading system logs and watching for details, you may already have the habit of looking into other people's headers. I know I do sometimes. If not, this chapter is just what you need.
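As an added example (mine, not part of the book or of this review), here is a Python script that walks the Received headers of a constructed e-mail, the kind of header reading the chapter teaches. Each mail server prepends its own Received line, so the path is read bottom-up. The example also shows the caveat a practitioner needs: the sender controls every line below the first server you trust and can forge them, so the trace is walked down from the top only as long as each line's "by" host is the host that the line above says it received from. The message, host names and addresses are constructed (RFC 5737 documentation ranges).

```python
import email
import re

# Constructed sample message, not a real capture. The bottom Received line was
# added by the sender's own machine to make the mail look as if it came from
# innocent.example; the real first hop is 203.0.113.42.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.victim.example (Postfix) with ESMTP id 3F2A1
    for <victim@victim.example>; Mon, 1 Jan 2001 10:03:00 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.example.org (Postfix) with ESMTP id 9B7C3; Mon, 1 Jan 2001 10:02:55 +0000
Received: from [203.0.113.42] (helo=friendly.example.com)
    by relay.example.net with smtp id 1AbC2; Mon, 1 Jan 2001 10:02:50 +0000
Received: from innocent.example (innocent.example [192.0.2.200])
    by mail.innocent.example with SMTP; Mon, 1 Jan 2001 10:02:40 +0000
From: "A Friend" <friend@example.com>
To: victim@victim.example
Subject: hello
Message-ID: <20010101100240.1AbC2@friendly.example.com>

see attachment
"""

RECEIVED_RE = re.compile(
    r"^from\s+(?P<claimed>\S+)"         # name the sender gave in HELO/EHLO
    r"(?:\s+\((?P<comment>[^)]*)\))?"   # receiver's annotation: rDNS name and [ip]
    r".*?\bby\s+(?P<by>\S+)"            # the server that wrote this line
    r".*?;\s*(?P<date>[^;]+)$",         # timestamp, after the last ';'
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the claimed name, the receiver-observed rDNS name and IP, the 'by'
    host and the date out of one Received header; None if it cannot be read."""
    text = " ".join(value.split())  # unfold: collapse folding whitespace
    m = RECEIVED_RE.match(text)
    if not m:
        return None
    tokens = (m.group("comment") or "").split()
    rdns = None
    if tokens and "=" not in tokens[0] and not tokens[0].startswith("["):
        rdns = tokens[0]
    ip = IP_RE.search(text[: m.start("by")])  # the 'from' side only
    return {
        "claimed": m.group("claimed").strip("[]"),
        "rdns": rdns,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        "date": m.group("date").strip(),
    }


def hops(raw):
    """Received lines in transmission order. Every MTA prepends its own line,
    so the bottom header is the earliest hop and the top one the last."""
    msg = email.message_from_string(raw)
    parsed = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(parsed) if h]


def trusted_origin(path):
    """Walk down from the line your own server wrote (last in the list) and stop
    where the chain no longer links up: the 'by' host of the line below must be
    the host the line above says it received from. Anything below that point
    was not written by a server in the verified chain and may be forged."""
    i = len(path) - 1
    while i > 0:
        below, above = path[i - 1], path[i]
        names = {n.lower() for n in (above["claimed"], above["rdns"]) if n}
        if below["by"].lower() not in names:
            break
        i -= 1
    return path[i]


if __name__ == "__main__":
    path = hops(SAMPLE)
    for n, h in enumerate(path, 1):
        print(f"hop {n}: {h['claimed']} ({h['ip']}) -> {h['by']} at {h['date']}")
    origin = trusted_origin(path)
    print("earliest trustworthy hop:", origin["ip"])
```

Run on the sample, the naive bottom line points at 192.0.2.200 (innocent.example), while the chain check stops at 203.0.113.42, the address the first real relay actually saw. The IP in brackets was written by the receiving server and is worth far more than the name the sender claimed in HELO; the next step, which the script does not do, is to ask the operator of that relay for its own logs for that timestamp and id.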
The third chapter deals with storage devices and what you need to know about them in order to conduct a successful analysis: file systems, hardware, interfaces and so on. Of course, don't expect technical specifications of what makes the latest Barracuda drive tick, but there is enough to put you steadily on your feet. The specifics you will have to find yourself; search engines are your friends, always remember that.
Chapters 4, 5 and 6 deal with data, each in its own manner. Cryptography is covered, and you need to understand how it works, as are archiving, digital signatures and time stamping, each of great importance to your analysis. Hostile code usually needs to be hidden in some way; otherwise it is not much use if it is found immediately, right? The malicious user has a wide selection of tools at his disposal to cover his tracks and hide the code he planted, and here the procedures that are on your side, helping you in your investigation, are described.
Chapter 7 deals with your bag of tricks: the electronic kit, the gadgetry and the software you need to conduct a successful investigation, on site or in your lab. It is not quite an Inspector Gadget kit, but close enough.
The following four chapters are OS dependent. Investigating MS Windows is covered first, along with what clues to look for. The registry can be tricky at times, and so can the Encrypting File System (EFS); the chapter eases your worries by providing as many solutions as it can for the various versions of Windows out there. Then comes the Unix part. If you are not too familiar with that OS, you'll find a brief introduction, followed by common compromises of a Unix host, and finally the investigation itself. You'll soon get the hang of that find | grep business, if you haven't had the privilege of using it already.
The last chapter is devoted to the criminal justice system, which varies from one jurisdiction to another, although some basic procedures should remain the same. I would advise checking your own country's laws on this, using the chapter as a guide.
The seven appendices cover specific topics that did not make it into the chapters for one reason or another: crowbarring a Linux host, creating a Linux boot disk, exporting a Windows 2000 personal certificate, and so on. This way the authors kept the chapters focused, without breaking the flow with issues that are important but fall outside the general discussion, or are too complex and better explained on their own.
And for dessert…
As I said earlier, computer forensics is an area of expertise that keeps evolving rapidly. Every day new techniques are deployed and new technologies are used and abused. To stay in touch you have to follow IT trends and constantly rebuild your knowledge. This book is a starting point, your guide to taking your first steps in computer forensics, and it does an excellent job of it.
This book is the first thing you need to read about computer forensics, provided you can keep up. A certain level of knowledge is expected of the reader, but any computer user with an interest will understand it, not to mention system administrators of any level. Many advanced users, not to say power users, will already be acquainted with a lot of what is discussed here, which is a good thing, as it demystifies the term forensics. You'll learn to find trails where they are not supposed to exist, and to read between the lines, not to say the sectors or nodes of data on the disk.
As with any reading material in IT, there is always the danger of becoming obsolete, and that is also where this book stands out from the crowd. It guides its reader through forensics and points out the proper way of doing things, and not only as applied to today's computers, disks and gadgetry. You needn't worry that by the time you get it, it will be of no use to you. Nope. Of course, contemporary tools and utilities are mentioned, but in the appropriate manner, in footnotes or, when included in the text, as examples.
If computer forensics classes start popping up in numbers, this will be the book to base them on. Nothing can substitute for experience, but it will point you in the direction where you can gain the experience necessary to become a modern Sherlock Holmes. Essential reading, my dear Watson!
So, get your cup of coffee and fire up that good ol’ hex editor…