Digital Forensics with Open Source Tools

Authors: Cory Altheide and Harlan Carvey
Pages: 288
Publisher: Syngress
ISBN: 1597495867

Introduction

Proprietary digital forensics tools have long been popular with the majority of forensic practitioners, but there are also open source ones that can come in very handy. The book introduces a great number of them; the only limitation is that the authors focus strictly on tools used for analyzing media and images of systems that are offline.

About the authors

Cory Altheide is a Security Engineer at Google, focused on forensics and incident response. Prior to returning to Google, Cory was a principal consultant with MANDIANT. He is a recurring member of the program committee of the Digital Forensics Research Workshop (DFRWS).

Harlan Carvey (CISSP) is the Vice President of Advanced Security Projects with Terremark Worldwide. He has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies.

Inside the book

The book starts with a very short chapter explaining briefly the goals and process of digital forensics, and establishing a clear definition of what “open source” means, and the very real benefits of this type of software.

As most open source tools are distributed in source form or as simple scripts, users who want to use them must either build the executable code themselves or have an interpreter (Perl, Python, Ruby, etc.) that can run the script.

The second chapter goes through the steps required to do this, whether one is using Linux or Windows as the host. Working with image files and file systems in each of these environments is also addressed.

Disk and file system analysis is tackled next, and the authors concentrate on explaining how to use The Sleuth Kit to do this. A page or so is also dedicated to fundamental concepts of forensic analysis, such as partitioning and disk layouts, special containers, hashing, carving, and forensic imaging.

File systems of Windows, Linux and OS X, and artifacts that can be subjected to forensic analysis in each are thoroughly explained in the next few chapters, followed by a peek into app-specific artifacts created by various browsers and mail clients.

Finally, the authors address the characteristics of and the differences between various file types, show readers how to automate artifact extraction, and introduce the advantages of graphical investigation environments (as opposed to the command-line or console-based tools used in most of the rest of the book).

The book also contains a very helpful appendix on free, non-open-source tools that can be used for the various tasks mentioned in the book.

Final thoughts

The authors intended this book for two types of readers: complete novices in the world of digital forensics, and seasoned practitioners who are interested in learning more about open source tools that could help them in their work.

And although it might seem difficult to merge the material in a way that makes for an interesting book for both groups, in my opinion the writers managed to do it beautifully.