About the authors: Keith L. Jones leads the computer forensics and electronic evidence discovery practices at Red Cliff Consulting. Richard Bejtlich is the founder of TaoSecurity, a network security monitoring consultancy. Curtis W. Rose provides support to criminal investigations and civil litigation as an executive vice president at Red Cliff Consulting.
This book (with included DVD) intends to teach Computer Forensics for both Windows and Linux systems, that is, gathering evidence from infected machines and the network they operate in so that the intended victim can effectively react to a successful penetration.
Or, to quote the book: "...give new forensic investigators more than words to learn new skills." "We use the same tools attackers use... the same methods rogue employees make... [collect] the same media we typically collect...this book takes a practical, hands-on approach to solving problems...[with] techniques you can employ immediately."
The clear implication is that the book is aimed at the inexperienced practitioner. As usual, TCP/IP knowledge is a good idea. There is one glaring oddity: to use one of the tools you need to alter your kernel! From pg 208: "Please download and install the NASA-enhanced kernel..." This takes more than just a beginner's skill!
The context for the procedures is provided by five scenarios which are a mix of internal and external threats as seen from the point of view of admins or law enforcement. As the techniques are presented, it is explained how they might be applied to these scenarios, as opposed to stepping through the scenarios and describing the methods.
Richard Bejtlich's books usually focus on evidence gathered by network monitoring. Instead, Part I ("Live Incident Response") begins with host-focused procedures for both Windows and Linux (one chapter for each). Live Response techniques invoke a series of programs on the suspect machine in order to gather "volatile data," that is, system state that will not survive a reboot or shutdown. This explanation is entirely suitable for creating your own Live Response software and procedures.
Networks return to the center of attention in Part II ("Network-Based Forensics"). There is a brief but well-done review of the four types of data (Full Content, Session, Statistical, and Alert Data) that should be collected and the software to collect them (Tcpdump, Snort, and many others) as well as the five steps of intrusion (recon, exploitation, reinforcement, consolidation, and "pillage"). A Cop/Drug Ring analogy is employed to describe these four data types which, given the popularity of CSI, might be good for rank beginners but will be less useful to anyone with more experience. This section also has separate chapters on analysis of the information for Windows and *NIX machines.
Part III ("Acquiring a Forensic Duplication") presents open and closed tools for the forensic cloning of a suspect disk, regardless of the operating system. Its chapter on legal paperwork is very efficient, but it would be great if the authors had included photos or illustrations of the forms they use, if only as an example. The material on disk duplication, on the other hand, has lots of excellent photos and screen shots for both the commercial (EnCase and FTK) and open source products (DD, DD_resume, DCFLDD and NED).
Part IV ("Forensic Analysis Techniques") shows you what to do with your new disk image. Methods for disk analysis begin with looking for and recovering deleted files, what to do when that is not possible, discerning strings of interest from NBE (Network-Based Evidence) and Live Response findings (like the name of an executable) and searching the disk for them.
This is followed by techniques for reconstructing emails (even Outlook and Outlook Express proprietary formats can be analyzed by open source tools), pages visited while web browsing including reconstructing emails sent with web clients, and the examination of the Windows Registry (good for finding recently-accessed documents or evidence of programs subsequently deleted).
(Currently only commercial applications are available for analyzing the Registry which is odd, considering that scripting languages, like Python for example, have Registry access libraries.)
Multiple chapters focus on examining unknown files to determine their use, with an emphasis on Microsoft-formatted documents and on the examination of unknown Windows and *NIX executables. This includes static analysis with tools like strings.exe and Hex Workshop and disassemblers like IDA to discover system calls or modify a binary file in order to, for example, bypass password security. Missing are instructions on using a product like VMware to set up a virtual machine environment for protecting the rest of the system from the foreign executable; they only mention that you *should* use something like VMware when in fact it is vitally important to do so or you could wind up with yet another infected computer!
Part V ("Creating a Complete Forensic Toolkit") succinctly describes creating CDs for a Live Response toolkit. (But, why not do this in the first part of the book?) It also describes the use of a Knoppix disk which allows you to examine a suspect system without having to boot it from its (possibly) contaminated disk or be concerned about your 'clean' OS being cleverly contaminated by a suspect hard drive.
Part VI ("Mobile Device Forensics") describes gleaning and examining data from PDAs like Palms and iPaqs (with additional information about how they manage memory and how to access internal debugging consoles), USB and CF drives. Forensic examination of USB/CF devices using a loopback is well illustrated and an example of recovering a deleted file is shown. The chapters also illustrate that, while some PDAs have good forensic tools available (like later Palms and iPaqs), the earlier ones do not: sifting through evidence on a Palm III, for example, is limited to hex and string searches.
Part VII ("Online-Based Forensics") presents methods for determining where an email originated from via header examination, and how determined users could cover their tracks. Finally, they leverage searching for DNS records into a lesson on manipulating the entire VeriSign TLD (Top Level Domain) file in a large (100GB+) Postgres database, allowing them to find all DNS names owned by, in their example, the company Foundstone.
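The header-examination idea above, as an added example that is not code from the book: walk the Received chain from the top, trust only the hops stamped by your own mail servers (the hostnames and the sample message are constructed here), and report separately the hops below that, which another server or the sender could have forged.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not from the book): three Received hops, newest on top.
# Only the two hops added by our own servers (example.org) can be trusted.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
    by inbox.example.org with ESMTP; Tue, 1 Mar 2005 09:12:03 -0500
Received: from relay.example.net (relay.example.net [203.0.113.25])
    by mx.example.org with ESMTP; Tue, 1 Mar 2005 09:12:01 -0500
Received: from workstation (unknown [192.0.2.44])
    by relay.example.net with SMTP; Tue, 1 Mar 2005 09:11:58 -0500
From: someone@example.net
To: victim@example.org
Subject: test

body
"""

OUR_SERVERS = {"inbox.example.org", "mx.example.org"}  # assumed trusted hops

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>\S+)", re.S)

def parse_received(msg_text):
    """Return hops newest-first as dicts with the HELO name, IP and receiving host."""
    msg = message_from_string(msg_text)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            ipaddress.ip_address(m["ip"])  # raises ValueError on a malformed literal
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]})
    return hops

def trace_origin(msg_text, trusted=OUR_SERVERS):
    """The sending IP in the oldest hop stamped by a trusted server is as far
    back as the message can be traced with confidence; every older hop was
    written by someone else's server (or by the sender) and is only a claim."""
    verified, unverified = None, []
    for hop in parse_received(msg_text):
        if hop["by"] in trusted and not unverified:
            verified = hop["ip"]
        else:
            unverified.append(hop["ip"])
    claimed = unverified[-1] if unverified else verified
    return {"verified_origin": verified, "claimed_origin": claimed,
            "unverified_hops": unverified}
```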
My only complaints about the book are the sudden request to change the kernel and a failure to put front and center the necessity of using a virtual machine environment before executing potentially hazardous code.
Otherwise it was a typical Bejtlich security book (no offense to the other authors), containing the basis for immediately creating Standard Operating Procedures, in particular for Live Response, proper forensic documentation, and creating forensic-compliant duplicate drives. It definitely has a place on my security bookshelf, alongside The Tao of Network Security and Extrusion Detection.
The book is published by Addison-Wesley, ISBN 0-321-24069-3, and lists for $55. User group members can get a 30% discount if their group belongs to the UG program; it sells for $34.64 at Amazon.com (new).
This article has been provided to APCUG by the author solely for publication by APCUG member groups. All other uses require the permission of the author.