REVIEW: "Forensic Discovery", Dan Farmer/Wietse Venema

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Sep 14, 2005.

BKFORDIS.RVW 20050310

    "Forensic Discovery", Dan Farmer/Wietse Venema, 2005, 0-201-63497-X,
    %A Dan Farmer
    %A Wietse Venema
    %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
    %D 2005
    %G 0-201-63497-X
    %I Addison-Wesley Publishing Co.
    %O U$39.99/C$57.99 800-822-6339 Fax: (617) 944-7273
    %O Audience a+ Tech 3 Writing 1 (see revfaq.htm for explanation)
    %P 217 p.
    %T "Forensic Discovery"

    In the preface, the authors don't promise to teach the reader anything
    about computer or digital forensics. Rather, they are reporting on
    ten years' worth of experience in looking into attacked machines.
    Given the authors' background, this is engrossing. But turning it
    into useful guidance might be left as an exercise for the reader.
    This is not a tutorial work for the novice, but a challenge to the
    experienced professional.

    Part one outlines the basic concepts of forensics in digital systems.
    Chapter one presents the "spirit of forensic discovery": look
    anywhere, for anything, and be prepared when you find it. (This is a
    tall order, particularly the "being prepared" part, but it basically
    corresponds to my experience.) Time information and stamps (on UNIX
    systems) are discussed in chapter two, along with mention of the ways
    that clumsy attempts to "save" systems can destroy ephemeral
    information. However, the level of the material sweeps between
    broadly generic and tightly specific: it may be difficult for those
    not already thoroughly familiar with forensic activities to obtain
    useful guidance from it.

    Part two is supposed to provide us with background on the abstractions
    of the computer and operating systems that relate to forensic recovery
    of materials. Chapter three addresses file system basics, but does so
    specifically with regard to the UNIX system. The content is much more
    detailed than conceptual (covering, for example, allowable characters
    in UNIX filenames), and command examples are not always completely
    explained. The usefulness of this approach is questionable, since the
    reader is assumed to know the UNIX system well; in which case, why
    cover the elementary fundamentals? However, the work does highlight
    aspects of operating and file system internals not encountered in
    normal administrative activity. Analysis of information recovered
    from a compromised system is reviewed in chapter four. The methods
    and procedures are very strictly limited by the case cited, but the
    examples demonstrate the backhanded thinking needed to obtain
    interesting data after an intrusion. A variety of intriguing ways to
    subvert a running system are examined in chapter five. As with
    previous material, the text seems to talk around the topic, while the
    examples, although fascinating, don't always support the general
    concepts under discussion. Analysis of the code of malicious software
    (a practice known in virus research as forensic programming) is
    addressed in chapter six, although the bulk of the content deals with
    test execution of the programming (under various forms of restriction)
    and both the benefit and complexity of disassembly is passed over
    rather lightly.

    Part three moves beyond the concepts and into practical difficulties.
    Chapter seven, although titularly about the contents of deleted files,
    is primarily concerned with the conservation and preservation of the
    access, modification, and (attribute) change times of files. (In
    response to the draft of this review, the authors clarified some of
    the points that they were trying to make in the text, such as the fact
    that material from deleted files is often more persistent than the
    content of active files. Unfortunately, these points, while
    arresting, are not always clear in the work itself.) Retrieving data
    from memory, particularly via the swap or paging areas of disk, is
    reviewed in chapter eight.

    The preface does state that the authors intend this book to be useful
    to sysadmins, incident responders, computer security professionals,
    and forensic analysts. I would suggest that only the last group will
    find much here that they can use, and then only those at the advanced
    edges of the field. There is certainly much that is intriguing, but
    the material demands of the reader that he or she have extensive
    background and knowledge of system and filesystem internals. Even
    then, extracting the information from the target system, and drawing
    conclusions as to the implications of that data, will be difficult.
    Farmer and Venema have outlined some fascinating material, on the
    bleeding edge of the technology, but have not made it easy for
    practitioners to utilize or comprehend.

    (In response to the draft review, the authors have noted that the
    full, original text of the book is now available at or

    copyright Robert M. Slade, 2005 BKFORDIS.RVW 20050310

