Slashdot Mirror
Forensic Discovery
Security luminaries Dan Farmer and Wietse Venema wrote one of the first vulnerability scanners (SATAN) almost 10 years ago; SATAN was the precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known security applications as the TCP Wrapper program and the Postfix mail server. Farmer and Venema's new book Forensic Discovery is a valuable book that grounds a computer-savvy reader in the world of digital forensics.
An image of a pipe by artist René Magritte is on the cover with the caption Ceci nest pas une pipe. ("This is not a Pipe.") The picture demonstrates that an object exists on many planes; the simple recognition of the picture initiates the belief that we are seeing something, but it is only known in representation. Surrealist painting and digital forensics coalesce in that the digital forensic investigator must think broadly and unconventionally in order to reconstruct an incident, all the time keeping in mind that often what initially seems obvious is neither real nor correct.
The material in the book is an outgrowth of a one-time seminar the authors gave in 1999 on digital forensics and analysis. At the seminar, Farmer and Venema rolled out The Coroner's Toolkit (TCT), a collection of tools for gathering and analyzing forensic data on a Unix system. TCT is heavily referenced throughout the book.
The book initially seems thin, at just 198 pages, but there is no filler and the information is presented in a fast and furious manner. Part one of the book comprises 35 pages and is an introduction to the foundations of digital forensics and what to look for in an digital investigation.
Part two (chapters 3-6) is the nucleus of the book, which quickly gets into low-level details about file systems and operating system environments. While other forensics books focus exclusively on the discovery and gathering of data; Forensic Discovery adds needed insight on how to judge the trustworthiness of the observation and the data itself. Again, the idea is that not everything is as obvious as it may initially seem. An effective investigation often requires intense analysis, where meaningful conclusions take time.
Chapter 4, "File System Analysis," notes that while computers have significantly evolved since their inception, little has changed in last 30 years in the way that file systems actually handle data.
Chapter 5, "Systems and Subversion," is particularly interesting as it deals with system startup and shutdown, from a forensics perspective. The chapter shows that there are thousands of possible opportunities to subvert the integrity of a system without directly changing a file during startup and shutdown. A crucial decision that must be made during an incident is whether to shut down the system or let it remain on-line. There are advantages and disadvantages to each approach, and the book details them.
Part three (chapters 7-8) is about the persistence of deleted file information. The authors' research reveals that data can be quite resistant to destruction. The book shows that a huge amount of data and metadata can survive intended deletion as well as accidental damage.
Forensic Discovery is unusual in that other books on forensics are often nothing more than checklists and step-by-step instructions on what to do during an incident. Forensic Discovery provides a broad framework on the nature of data and how it can be recovered for forensic purposes. By understanding the underlying operating system, the act of analyzing and dealing with a security breach becomes much easier.
The book's target reader is anyone who wants to deepen his understanding of how computer systems work, as well as anyone who is likely to become involved with the technical aspects of computer intrusion or system analysis. The topics are too advanced, to make it the right book for the novice system administrator. For the technical reader, though, Forensic Discovery is one of the best computer security books published in the last year. The value of the information is immense, and the extensive experience that the authors bring is unmatched.
You can purchase Forensic Discovery from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Unfair comparison. The whole time issue is all based on pacing. The big time-waster when it comes to forensics is DNA analysis, as that department is generally the department that gets it in the pants when it comes to the budget.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
I met a young, single woman who did computer forensics for the police. She told me over dinner that while she thought her work was important, it caused her a lot of stress in her life. She said there were many times where she recovered images from the computer of a sex criminal that were really indiscribable.
She was really good looking and had a body that you normally don't find on a girl geek. But, man, I wasn't about to start dating some chick who comes home from work sobbing from prowling through gigabyes to violent sexual jpegs and avis. I guess that's why someone so damn good looking and smart was still single...
Not that I would ever have anything to hide, but how safe is data on an encrypted disk, in particular linux encrypted filesystems like this? It seems to me that with a little encryption you would pretty easily foil the efforts of any local forensics people.
I Am My Own Worst Enemy
In the days of yore the torture was used much leass than people imagine. Just the threat of torture was enough to make people confess. The same goes with forensic science. A cop says: "we have your DNA and we know it's you for sure" and that's enough to make someone confess. And as long as programs like CSI keep airing people will continue to fall for it.
In fact, the fact that forensic science is 90% bull is probably one of the best kept secrets left in the Western world.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
Frankly, I don't care. I don't care that in reality it would take 3-4 months to get the DNA processed because of the massive queue of other cases that need DNA processed. I don't care that real-live CSIs would never, ever, ever see a suspect or a crime scene. You can't really do a series that way. I don't have cable or sattellite so I haven't seen the show, but I doubt that even New Detectives goes without showing the suspects.
I like have interesting characters, I like a good story. That's I still read Agatha Christie novels and watch the Poirot mysteries, even though Christie cheated on a regular basis.
Just my $.02
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Yup, there's really nothing quite like stumbling upon a crime scene. Looks good, smells good, no nightmares or traumatic flashbacks. So get your Vapo-Rub and 35mm camera and come on down to "Forensic Discovery!"
Sounds like she needs some consoling.
Well, it was that "some" in "some consoling" that I wasn't sure about. How much? She's telling me on the first date that she's under tremendous stress. I appreciate her honesty and respect her for that but I suspect that if she feels the need to divulge that on a first date, the level of consoling is likely to be more than "some". That's what I was worried about. To be dating a girl with a face and a body like that who knows her way around computers like a pro and who is doing a job that is clearly a service to mankind sounds like a geek's wildest dreams come true. But therein lies the problem: this is the kind of girl who most of us would fall head-over-heels for. I was afraid of getting really wrapped up in her and then having to endure of heartache of having her crying in my arms once a week or more. Or having her push me away in bed because she had seen something at work that had turned her off of sex for the next two weeks. You can call me an ass or a dumbshit but seriously think about it for a moment. This was going to be a major emotional roller-coaster for me.
I'm reminded of some poor sap here on slashdot who was telling us what it's really like to have a nympho girlfriend. It sounds great until you are presented with the reality of the situation, namely, that she absolutely needed sex every time he put his arm around her. Look, I still think that woman I dated was very desirable on many, many levels but I also think I did the right thing by stopping that relationship before I got sucked into her work as well.
I don't get cable or sattelite. As it is, I still enjoy CSI. Accuracy to procedure aside, they still do a good story, and the acting is better then many of the other shows that are on Network Television.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Hi all,
Noticed that this post was hovering around 30 posts, and so i thought i would toss in some relevent tidbits that are pretty interesting.
I graduated with a CS degree, and now i run a data warehouse, and architect an enterprise java application. Things are going well, but as many of us are aware, it may not be going so well for everyone that just graduated...
case in point - a buddy of mine got a good job out of school, but it isn't great, not like what we all pictured when we signed up in the midst of the boom 5 years ago! About a month ago, an old friend of ours called up and said he had positions available for Forsenic Scientists (paid bank). I kept asking what portion was related to CS or technology, and he kept replying - NONE! The only part is the ability to methodically research details and clues! Can anyone say.... debugging?!
Anyways... i started to think about it, and compared with some of the criminal justice majors i know, CS grads really are more capable to handle that kind of stuff. Just like abstract puzzles, RPGs, and even some of the "lock-picking" articles i have been seeing. Anyone have a simliar tale? Anyone know of a school that has a curriculum that tailors to that kind of profession?
Thanks! ~tim
I've got lovely news for you: Unless you are able to watch a computer from the time it is put on the network to the time that removed for evidence collection, you can say *VERY*LITTLE* about what someone may or may not have done with that computer.
Here's a little story from several years back. A friend of mine who was doing deployed support for one of the armed services used an account at a major American university, which he was authorized to used, to download/store updated cisco images due to limited bandwidth contraints at the tip of the spear where he was working. Well, as it turns out that particular university's computer systems was {c,h}acker infested (due to a certain VIP's daughter attending that institution at that particular point in time). His password was sniffed (this was in the days when ssh was not that wide spread) and his connections to that university's computers were hijacked on a fairly regular basis (he thought his lousy connections were due to all the sat. hops his packets were taking to get from ship to shore).
Well, about 6 months after this started, he got a little visit from a few "computer crime investigators". The experience was enlightenting, but not in a positive way. After he was presented with the "evidence", which consisted of bogified last log... I'm sorry, there is no host called swedish.chef.bork.bork.bork), he told the investigators that he felt that his telnet sessions might have been hijacked and he was told "that is only a theoretical attack and is not possible". The investigators then proceeded to tear his life apart (forced out of a job, seized all his work tools, searched two residences including one belonging to a foreign national for which they had neither permission or a warrant, froze his savings, initiated a tax audit, got him kicked him out of his house, interviewed family, friends, coworkers, boss/boss' boss telling them that he was a criminal about to be put away for a very long time, etc.) It took him almost 10 years to recover from the ignorance of some LE investigator turned "computer investiagor" who thought telnet session hijacking was "only theortical" because he didn't realize that hunt and jugernaut hand been in wide distribution among the cracker community 10 months prior to the investigation. The "forensics" that were used is this investigation were nothing short of fraud. I believe that computer forensics investigators should be bonded and licensed so that they can be sued into oblivion in the event of malpractice.
So, the next time your are forced to interface with *ANY* "computer investigator", remember, that nothing they say, do or "discover" has anything to do with reality/"The Truth"(tm), so much as it has *EVERYTHING* to do with what they think they can get away with in court with a jury of your "peers".
DoctorMabuse,
:). One of my customers is large enough to have their own copy, and access to iLook if needed.
:)
I also use EnCase when I do forensics work, and prefer the SHA-1 hash features in it
However, the procedural work that has to be done before an evidence disk gets into my hands is just as, if not, more important than the actual evidence. Even when it comes to log files, I have to follow a very firm set of procedures, starting with the md5 checksum of the files, before I even start. I also have to only work on the copies.
However, I like EnCase for one other reason. They'll provide their own experts for you if required in your case. Even though the file system analysis is not as complete as iLook in some regards, it's still a really good product that provides the whole package.
And, EnCase Enterprise Edition can examine live systems now
The Dutch police has a huge database of all kinds of (child pornography) pictures. Of each picture they have a hash. When they confiscate the pc of somebody who is suspected of having child pornography, the first thing they do is run the hashes against the pictures on the system. This saves them from having to look at all those pictures, they can now focus on the unknown ones. Great thing is also that the hashes are admissable in Court as evidence.
Use Adsense for Charity