When I first saw the title for Digital Forensics with Open Source Tools by Cory Altheide and Harlan Carvey (Syngress, April 2011, ISBN: 9781597495868), I thought to myself “Oh great, another mash-up of Carrier’s File System Forensic Analysis, Farmer & Venema’s Forensic Discovery and the freely available Sleuthkit documentation.” What I found, however, was a well-written, detailed and concise book covering many of the most important, and freely available, open source tools that can be wielded in the name of system forensics and incident response. I’ve known both authors, Cory Altheide and Harlan Carvey, for quite some time and both are well known in forensic circles. The voice throughout the book is consistent and it’s difficult to see where one author picks up and the other leaves off (well, when the conversation switches to RegRipper I’m fairly certain that Harlan is the predominant voice).
The first chapter in Digital Forensics with Open Source Tools (DFwOST for short) outlines what constitutes a ‘free’ vs. ‘open’ tool, the various licenses and the benefits of standardizing on a mixed bag of non-commercial tools – hint, portability between jobs is a big bonus. Chapter 2, surprisingly, shows you how to build your own open source examination platform and walks the reader through the installation and configuration of software, interpreters and other tools for either a Linux or a Windows host. Chapters 3 through 7 provide overviews, tips and tricks on everything from disk and file system analysis techniques to searching for artifacts on Windows, Linux and OS X systems, in addition to Internet-specific artifacts like those left by browsers and mail clients. Chapter 8 gives a somewhat high-level view of file analysis concepts and provides some file-specific format information for the investigator-on-the-go (who can really remember the various metadata available in a PDF file anyway?). Chapter 9 discusses the automation of analysis and some of the tools used to help extract common files, create timelines and work with graphical investigative environments like PyFLAG and the Digital Forensics Framework. Finally, the Appendix provides some high-level information on some complementary, though not open, tools to help with the forensic process.
I can honestly say that I read this book in a matter of hours – not to mention in one sitting. My forensic knowledge and training did allow me to read through the book at a fairly decent pace, but I think that even the greenest of forensic analysts would walk away with a more detailed knowledge of the forensic process and the open source tools that could be used to undertake a forensic exercise. The book is not going to explain the file system and its intricacies at any great length but really, there are other books already written that do that. Also, the book won’t show you how to do everything with the tools it mentions, but it certainly will point the reader at some new tools that they may never have known about previously. It’s safe to say that DFwOST is certainly no substitute for forensic training or experience, but if you already have all of the standard forensics books on your bookshelf (you know the ones), you’d do well to save a slot for DFwOST as a quick reference for some of the newer tools not covered in those older tomes.
When I first received this book from Syngress I was very excited. I knew nothing about PCI compliance — other than that it was a big-ticket item and everyone processing Visa transactions was affected in some way because of it. I can honestly say that I tore through this book and didn’t put it down until I reached chapter 13. I was completely wrapped up in it as it was something I knew nothing about and wanted to know more!
Chapters 1 through 3 introduce you to the concepts behind PCI compliance including what it is and who needs to comply. These chapters really set the stage for what the rest of the book has to offer the reader.
Chapter 4 provides a technology overview of firewalls, intrusion detection systems, antivirus solutions, and common system default settings. Personally, I felt that Chapter 4 was filler content just to add a chapter. It may, however, serve as a good reference for those in management roles who do not have “hands-on” interaction with the architecture of their environment.
Chapter 5 explains how to go about protecting your cardholder data as dictated by PCI requirements 3 & 4. This is a great chapter for anyone new to securing infrastructure to meet the requirements of a PCI audit. The authors also provide a fantastic section entitled “The Absolute Essentials” which offers suggestions on the minimum protection you can employ to protect your cardholder data.
Chapter 6 was by far my favorite chapter, and Syngress has offered it as a free download from their website. Many of you know what I do for a living and know how important understanding logging, and the requirements for logging, is to my day-to-day duties. This chapter focuses on PCI Requirement 10, which details how you must handle the log data collected in your PCI environment. As soon as I started reading this chapter I knew that Dr. Anton Chuvakin had written this section of the book, or at least had heavy input into its direction. This chapter alone makes the book worth its weight in gold.
Chapter 7 details the importance of access control in your PCI environment. For obvious reasons, access to your cardholder data must be recorded and checked with a fine-tooth comb. User privileges, authentication, authorization, and user education are also covered in this chapter. This chapter goes further to provide examples of ensuring your Windows, Unix/Linux, and Cisco infrastructure meet PCI requirements.
Chapter 8 explains how to leverage vulnerability management solutions to meet the requirements outlined in PCI Requirements 5, 6, and 11. The authors also provide two very good case studies to help the reader put things into perspective.
Chapter 9 focuses on the monitoring and testing of your environment. The authors are quick to point out that monitoring and testing must continue even after the audit in order to ensure you remain compliant.
Chapter 10 details how to drive your PCI project from the business side in order to ensure you accomplish your objectives. Suggestions are provided on budgeting time and resources, keeping staff in the loop, and justifying the business case to your executive team. The authors also offer a step-by-step “checklist” for ensuring your project runs smoothly and that all of your bases are covered.
Chapter 11 explains the various responsibilities within the organization for ensuring the PCI project succeeds. One of the key things to take away from this chapter is the role of the Incident Response team and its need to understand the requirements of PCI compliance.
Chapter 12 is a really good “eye-opener” that prepares you for the failure of your first audit. The key thing to take away from this chapter is not to blame the auditor, the same way you shouldn’t blame a referee in sports. They’re simply there to do their job to the best of their ability. If you have a problem with the way they are doing their job, bring it up with their superior. Perhaps their decision will get overturned?
Chapter 13 brings you into an “OK, now what?” phase. This chapter provides a detailed overview of the various requirements and breaks each requirement into “Policy Checks” and “Hands-on Assessments” sections. The policy checks discuss policies that should be reviewed to verify that they are up-to-date, and the hands-on assessments sections give ideas on testing these policies. The beauty of it is that the authors suggest open source solutions to help you protect your PCI compliant investment.
I give this book 5 stars as it is the best PCI reference I have found on the market. Everything I found in this book will allow me to understand the compliance requirements of my existing customers, their process, and their overall goals. Hats off to the entire team of authors.
There are very few books on the topic of Windows Forensic Analysis, and Harlan Carvey has taken it upon himself to provide the security community with a guided tour of the inner workings of Microsoft operating systems. As Microsoft does not yet offer a “forensic” track in its training offerings, most forensic knowledge of Windows comes from on-the-job experience or tool-specific training offered by a vendor.
This book begins by leading you through the collection of evidence. The author provides you with examples of collecting data from live, running systems using commercial tools, tools native to Windows, and advanced Perl scripts which are provided on the accompanying DVD. Locard’s Exchange Principle, a principle unknown to me prior to reading this book, is explained in great detail and is referenced throughout the book. The concept is further demonstrated in an example using my favorite security tool, Netcat. People who respond to incidents need to know what to look for. Harlan dives deep into the key items of interest and explains how to pay special attention to volatile information such as system time, network connections, clipboard contents, and mapped drives, to name a few.
Once you have collected your data, the author moves into specific chapters on how to analyze and make sense of it. Harlan does a fantastic job of explaining how to analyze memory (dumping the memory, analyzing crash dumps, reading through memory, etc.), analyze the registry (tracking user activity, explaining how processes autostart from registry entries, etc.), analyze Windows files (working with event logs, common document formats, alternate data streams, etc.), analyze executable files (static and dynamic analysis), and finally rootkits (detecting and preventing).
On the cover of the book the author has a quote by Troy Larson, Senior Forensic Investigator of Microsoft’s IT Security Group, which states:
“The Registry Analysis chapter alone is worth the price of the book.”
When I first received the book I thought “Wow, that’s a glowing recommendation,” and upon reading the book cover to cover I couldn’t agree more. I have yet to see a book which takes you through the intricacies of the Windows Registry in such a way that I, being a Linux person, could easily relate to.
The rootkit chapter was a little light on content, but the rest of the book makes up for it. There are books out there dedicated to rootkits, and I wouldn’t expect the author to provide a book that explains everything about everything and still expect people to be able to carry it with them.
The accompanying DVD contains the scripts mentioned in the book, some videos explaining the use of some tools, as well as a bonus folder that contains … well I’ll let you buy the book to find out what cool tools are provided.
This book should be on every analyst’s shelf, whether they perform Windows forensic analysis as part of their role or think that they might be called upon to do so in a pinch. I also think that this book is a fantastic supplement to any Microsoft training and any security training you may receive in the future.
I give this book 4.5 stars as it is easy to read and kept my interest throughout the entire book.
Do yourself a favor and pick up this book today.