Forensic Discovery
Security luminaries Dan Farmer and Wietse Venema wrote one of the first vulnerability scanners (SATAN) almost 10 years ago; SATAN was the precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known security applications as the TCP Wrapper program and the Postfix mail server. Farmer and Venema's new book Forensic Discovery is a valuable book that grounds a computer-savvy reader in the world of digital forensics.
An image of a pipe by the artist René Magritte is on the cover with the caption "Ceci n'est pas une pipe." ("This is not a pipe.") The picture demonstrates that an object exists on many planes; the simple recognition of the picture initiates the belief that we are seeing something, but it is only known in representation. Surrealist painting and digital forensics coalesce in that the digital forensic investigator must think broadly and unconventionally in order to reconstruct an incident, all the time keeping in mind that what initially seems obvious is often neither real nor correct.
The material in the book is an outgrowth of a one-time seminar the authors gave in 1999 on digital forensics and analysis. At the seminar, Farmer and Venema rolled out The Coroner's Toolkit (TCT), a collection of tools for gathering and analyzing forensic data on a Unix system. TCT is heavily referenced throughout the book.
The book initially seems thin, at just 198 pages, but there is no filler and the information is presented in a fast and furious manner. Part one of the book comprises 35 pages and is an introduction to the foundations of digital forensics and what to look for in a digital investigation.
Part two (chapters 3-6) is the nucleus of the book, which quickly gets into low-level details about file systems and operating system environments. While other forensics books focus exclusively on the discovery and gathering of data, Forensic Discovery adds needed insight on how to judge the trustworthiness of the observation and of the data itself. Again, the idea is that not everything is as obvious as it may initially seem. An effective investigation often requires intense analysis, and meaningful conclusions take time.
Chapter 4, "File System Analysis," notes that while computers have evolved significantly since their inception, little has changed in the last 30 years in the way that file systems actually handle data.
Chapter 5, "Systems and Subversion," is particularly interesting as it deals with system startup and shutdown, from a forensics perspective. The chapter shows that there are thousands of possible opportunities to subvert the integrity of a system without directly changing a file during startup and shutdown. A crucial decision that must be made during an incident is whether to shut down the system or let it remain on-line. There are advantages and disadvantages to each approach, and the book details them.
Part three (chapters 7-8) is about the persistence of deleted file information. The authors' research reveals that data can be quite resistant to destruction. The book shows that a huge amount of data and metadata can survive intended deletion as well as accidental damage.
Forensic Discovery is unusual in that other books on forensics are often nothing more than checklists and step-by-step instructions on what to do during an incident. Forensic Discovery provides a broad framework on the nature of data and how it can be recovered for forensic purposes. By understanding the underlying operating system, the act of analyzing and dealing with a security breach becomes much easier.
The book's target reader is anyone who wants to deepen his understanding of how computer systems work, as well as anyone who is likely to become involved with the technical aspects of computer intrusion or system analysis. The topics are too advanced to make it the right book for the novice system administrator. For the technical reader, though, Forensic Discovery is one of the best computer security books published in the last year. The value of the information is immense, and the extensive experience that the authors bring is unmatched.
You can purchase Forensic Discovery from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
>Where such shows deviate from reality is the
>unrealistic speed at which the actors are able to
>identify, apprehend and prosecute the perpetrators.
What is also unrealistic is that the CSI guys ever see a suspect. They go to the crime and spend the rest of the time in a lab or sometimes in court.
They would never ever talk to a suspect.
unlike television, where the crime must be solved by the end of the family hour
Have you thought about what you're (implicitly, by your implied criticism) asking for?
Which is it you want, an "episode" that lasts three months? A season that consists of the same 20-ish (or whatever number) episodes it does now, only randomly scattered across the episodes in the order in which they "really occurred"? On every scene change, white text on the bottom of the screen that says "[random time period] later"?
It's like asking for "total realism" in science fiction... you are aware that faster than light travel is, at best, totally unproven and most likely completely impossible? (Save the discussion on the possibility of FTL for sci.physics, please, this is just an example.)
So many fan-boy types ask for things that, if they got them, they'd hate even more. I for one am glad the characters aren't making constant references to the amount of time something is taking, and I for one am glad that when they dig through an entire day of garbage in Las Vegas, they show about ten seconds of walking around, followed by the necessary discoveries. Are you seriously asking them to show the five or six hours it might have taken in real life? You feel free to watch it; I can guarantee I wouldn't.
You're telling me that it takes longer than an hour to solve a crime? I've been to football games -- I know that what's on the TV is what's actually happening in real time. If it's on the TV, it must be real.
Besides, who wants to watch a show where they uncover one clue a week, or get a subpoena, or nothing happens that week? Surprisingly, people don't want to watch real life when they turn on the TV (and don't even try to say that reality TV has anything to do with real life).
The point is that very little consistency checking goes on. For example, forensic evidence is used to convict someone. Then the fact that they were convicted is used as evidence to support the accuracy of the forensic evidence, without external validation. This is a very common theme. And it's interesting to listen to forensic experts speaking. Some are incredibly sure of themselves and seem to be unaware of the existence of statistical variation. That maggot story is a prime example. Maggots aren't an entirely stupid way to date the death of a corpse. But it's all about chance - like how many flies just happen to be in a particular area at any one time. But courts seem to be particularly poor at dealing with probabilistic information. (And there are numerous publications on that subject.)
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists?
Currently there is a heavy emphasis on making a lot of assumptions about what has happened based upon what is on someone's computer, due to the "infallibility" of checksumming disk contents and the software that makes the process palatable to courts and the legal profession. That makes it possible for me to get you in a lot of trouble quite easily. I seriously doubt that most folks know everything actually stored on their hard drives or how it got there. The list of malware is so very long that it is impossible for a reasonable person to assume that possession is 9/10 of the law when it comes to the contents of an internet-connected computer.
In short, conducting an investigation based upon disk casing only, without considering the network traffic context, is nothing short of fraud. Anybody in the industry (blackhat, "whitehat" or otherwise) would do well to remember this.
There's a BIG difference between torturing and claiming that you have evidence.
With torture, people would confess to things they had not even done.
You don't need DNA to prove that someone was somewhere at some time; there are lots of other ways. Usually someone saw them, or you could follow them home, or there was some other way to trace them to the crime.
TV forensics is 90% bull, but what does that have to do with techniques used by real-life cops?
The world was created 5 seconds before this post, as it is.