Computer forensics, the art and science of gathering and analyzing digital evidence, reconstructing data and attacks, and tracking perpetrators, is becoming ever more important as IT and law enforcement professionals face an epidemic in computer crime. In Forensic Discovery, two internationally recognized experts present the most thorough and realistic guide to the subject ever published. Dan Farmer and Wietse Venema cover both theory and hands-on practice, introducing a powerful approach that can often recover evidence considered lost forever.
The authors draw on their extensive firsthand experience to cover everything from file systems to memory, kernel hacks to malware. Along the way, they expose a wide variety of computer forensics myths that stand in the way of success. You'll find extensive examples from Solaris, FreeBSD, Linux, and Microsoft Windows, as well as practical guidance for using many of today's most powerful forensic tools. The authors are singularly well-qualified to write this book: They personally created many of those tools--from the legendary SATAN network scanner to the powerful Coroner's Toolkit for analyzing UNIX break-ins.
After reading this book you will be able to:
- Understand essential forensics concepts: volatility, layering, and trust
- Gather the maximum amount of reliable evidence from a running system
- Recover partially destroyed information--and make sense of it
- Timeline your system: understand what really happened when
- Uncover secret changes to everything from system utilities to kernel modules
- Avoid cover-ups and evidence traps set by intruders
- Identify the digital footprints associated with suspicious activity
- Understand file systems from a forensic analyst's point of view
- Analyze malware--and prevent it from escaping
- Capture and examine the contents of main memory on running systems
- Walk through unraveling an intrusion, one step at a time
- Use your evidence to apprehend intruders--and make sure it stands up in court
This book's companion Web site contains complete source and binary code for open source software discussed in the book, plus additional computer forensics case studies and resource links.
Chapter 1 The spirit of forensic discovery
Chapter 2 Time machines
Chapter 3 File system basics
Chapter 4 File system analysis
Chapter 5 Systems and subversion
Chapter 6 Malware analysis basics
Chapter 7 The persistence of deleted file information
Chapter 8 Beyond processes
Appendix A The coroner's toolkit and related software
Appendix B Data gathering and the order of volatility