Book Review: Forensic Discovery

Forensic Discovery is a book every Linux admin should read. Forensic Discovery is a slim volume; it clocks in at a mere 217 pages, but it's full of useful information. As an added bonus, the book is well-written and easy to follow, and should be accessible to any reader with a passing understanding of Linux or UNIX systems.

Even if you never need to conduct a forensic analysis of a compromised system, and I hope that you don’t, the book provides the reader with an in-depth understanding of the low-level operation of a system that they may not get just by administering a Linux or UNIX system. It also provides the reader with an idea of what information is recoverable from a system, and the tools and techniques that can be used to get at information many users would assume lost.

The first section of the book discusses general forensic theory and basic methods for information recovery. Though I typically skip, or at least skim, the first chapter of any tech book, I’d recommend starting at the beginning with this one. The authors give a nice, concise, foundation for readers who are not familiar with forensic techniques and set up the groundwork for the rest of the book.

The second section of Forensic Discovery gets into more detail, covering the use of common *nix tools, as well as The Coroner’s Toolkit for post-mortem analysis of UNIX systems that have been compromised. The file sleuthing techniques discussed here may also prove useful for admins in other situations, so pay close and particular attention to chapters three and four.

Chapters five and six discuss the ways that malware subverts a system. Again, this is well worth reading for any admin — not just admins who plan to get into computer forensics. Also, it’s well worth reading these chapters before a system is compromised, rather than after a system is compromised. (Although I’d want to have Forensic Discovery close at hand if I were examining a compromised system.)

The final section of the book, “Beyond the Abstractions” covers low-level operation of *nix systems, and explains how “deleted” data can remain behind for extended periods of time in chapter seven — and how one might be able to recover some of the data. This is almost guaranteed to inspire paranoia in anyone who’s sold old hard drives without taking extreme measures to get rid of personal data on the disk. Chapter eight discusses ways that an admin can capture data from a system’s memory, the basics of virtual memory subsystems and memory pages.

The book’s appendices discuss The Coroner’s Toolkit in greater detail, and the volatility of data on a computer. Again, I usually skim (or skip) a book’s appendices, but it’s well worth reading this book from cover to cover.

In short, this is one of the best books I’ve picked up in a long time. I’d recommend it highly to any Linux admin or user who is looking to increase their understanding of the way data is handled on a system, and how to get at that data.

Forensic Discovery – The Definitive Guide to Computer Forensics: Theory and Hands-On Practice
by Dan Farmer and Wietse Venema
Published by Addison-Wesley
ISBN: 0-201-63497-X
217 pages, $39.99 US