Forensic Discovery is a book every Linux admin should read. It is a slim volume, clocking in at a mere 217 pages, but it’s full of useful information. As an added bonus, the book is well-written and easy to follow, and should be accessible to any reader with a passing understanding of Linux or UNIX systems.
Tuesday, April 12th, 2005
Even if you never need to conduct a forensic analysis of a compromised system, and I hope that you don’t, the book provides the reader with an in-depth understanding of the low-level operation of a system that they may not get just by administering a Linux or UNIX system. It also provides the reader with an idea of what information is recoverable from a system, and the tools and techniques that can be used to get at information many users would assume lost.
The first section of the book discusses general forensic theory and basic methods for information recovery. Though I typically skip, or at least skim, the first chapter of any tech book, I’d recommend starting at the beginning with this one. The authors give a nice, concise, foundation for readers who are not familiar with forensic techniques and set up the groundwork for the rest of the book.
The second section of Forensic Discovery gets into more detail, covering the use of common *nix tools, as well as The Coroner’s Toolkit, for post-mortem analysis of UNIX systems that have been compromised. The file sleuthing techniques discussed here may also prove useful for admins in other situations, so pay particularly close attention to chapters three and four.
Chapters five and six discuss the ways that malware subverts a system. Again, this is well worth reading for any admin — not just admins who plan to get into computer forensics….