BKRLDGFR.RVW 20051127 "Real Digital Forensics", Keith J. Jones/Richard Bejtlich/Curtis W. Rose, 2006, 0-321-24069-3, U$49.99/C$69.99 %A Keith J. Jones %A Richard Bejtlich taosecurity.com taosecurity.blogspot.com %A Curtis W. Rose www.red-cliff.com %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2006 %G 0-321-24069-3 %I Addison-Wesley Publishing Co. %O U$49.99/C$69.99 fax: 416-443-0948 800-822-6339 bkexpress@aw.com %O http://www.amazon.com/exec/obidos/ASIN/0321240693/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321240693/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0321240693/robsladesin03-20 %O Audience a+ Tech 1 Writing 1 (see revfaq.htm for explanation) %P 650 p. + DVD %T "Real Digital Forensics: Computer Security and Incident Response" Some forensics books provide a CD-ROM with (usually demo) versions of computer forensic software. This one provides a DVD of log and other forensic data, and points the reader to sites for open source tools that can be used to explore it. Six "case studies," of fictitious situations, have been provided, and are referred to at different times and places within the book. Part one ostensibly looks at response to an incident in real time. Chapter one outlines tools that can be used for data capture and analysis of various types on a Windows computer (associated with the first "case"). There is rather limited explanation of the choices and decisions involved (the authors make frequent mention that topics are "beyond the scope" of this book and that the reader should go and get their other works), and it is not always easy to follow the structure that the authors may have intended, but the material should be reasonable enough for the dedicated reader to work through. A duplicate situation, with a UNIX system, is presented in chapter two. Part two concentrates on network-based forensics, although a number of activities in the first division related to the network as well. Chapter three, almost irritatingly simplistic after the "jump in and swim" approach in the first two, lists some tools for collecting network data and evidence. Analysis of the data is outlined in chapter four (for Windows) and five (for UNIX). Again, the resulting listings can make for annoying reading: the authors will frequently note that a page or two of densely packed and impenetrable figures demonstrate a certain conclusion, but they do not always say why. Part three examines forensic copying or duplication of systems. Chapter six covers some basic, and some oddball, points and suggestions. A few commercial (in chapter seven) and non-commercial (in chapter eight) data duplication tools are presented. Forensics analysis techniques get some discussion in part four. Chapter nine uses various tools to try and access disk images or deleted files. Tools for reconstructing Web browsing activity are listed in chapter ten, while email is scrutinized in chapter eleven. The Registry gets special attention in chapter twelve. Analysis of two Linux executable files is attempted in chapters thirteen (a known file) and fourteen (unknown). Chapter fifteen combines both in looking at Windows programs, but uses the Cygwin system to utilize UNIX-like tools. Part five purportedly discusses the creation of a complete forensic toolkit. However, chapter sixteen just lists a few tools, and seventeen suggests making your CD of utilities bootable via the Knoppix distribution. Part six reviews mobile device forensics. Chapter eighteen notes some tools for accessing PDAs (Personal Digital Assistants). Mounting USB (Universal Serial Bus) devices on Linux is covered briefly in chapter nineteen, while analyzing the data, in chapter twenty, is pretty much the same as any other filesystem. Part seven looks at online-based forensics (rather begging the question of what the difference is between "online" and "network"). Chapter twenty-one outlines the tracing of email that has been sent via Webmail services. Programs, mostly in Perl and SQL, for searching Verisign's database of top-level domain ownership, are "listed" in twenty-two. This work has a lot of useful information, but as an overall guide is woefully incomplete. I know that sounds like a contradiction, but it remains true. For those who want to get involved with digital forensics, there are useful pointers to tools, and some sets of data to play with, and these items are missing from most other forensics texts. For those who need to know how to actually approach an investigation of a computer or an intrusion into a system, there are huge gaps in the coverage this work provides. copyright Robert M. Slade, 2005 BKRLDGFR.RVW 20051127