Posted: Tue Jan 06, 2004 1:26 am Post subject: Book Review - Computer Forensics : Incident Response
Computer Forensics: Incident Response Essentials
Authors: Warren G. Kruse & Jay G. Heiser.
Book Specifications: Soft-Cover, 398 Pages
Category: Computer Forensics and Incident Response
User Level: Good all around knowledge of computer security
Suggested Publisher Price: $44.99 USA/ $69.99 CAN/ £30.99 Net UK (inc of VAT)
Amazon.co.uk: Computer Forensics: Incident Response Essentials UK
Amazon.com: Computer Forensics: Incident Response Essentials US
Info from Back: "Computer forensics, the newest branch of computer security, focuses on the aftermath of a computer security incident. The goal of computer forensics is to conduct a structured investigation to determine exactly what happened, who was responsible, and to perform the investigation in such a way that the results are useful in a criminal proceeding.
Written by two experts in digital investigation, Computer Forensics provides extensive information on how to handle the computer as evidence. Kruse and Heiser walk the reader through the complete forensics process—from the initial collection of evidence through the final report. Topics include an overview of the forensic relevance of encryption, the examination of digital evidence for clues, and the most effective way to present your evidence and conclusions in court. Unique forensic issues associated with both the Unix and the Windows NT/2000 operating systems are thoroughly covered."
As I have mentioned in another review, computer forensics is a very interesting and highly technical area that I have long dabbled in, but had no firm baseline knowledge of. After reviewing another computer forensics book my interest was piqued. Computer forensics itself is a fairly pervasive area and covers all facets of computer security in some manner. In studying forensics you gain a great understanding of lower-level technicalities such as the construction of file systems and the various places in which information can be hidden.
After reading a fair amount about forensics and having a little play with some freeware utilities such as F.I.R.E, I feel a little more comfortable with the area, but well, I'm still far from being an expert. I have also seen this book recommended in a few circles and I know that the authors are very well respected, so even though it may be a little out of date the information should still be solid.
The book covers a good range of material within and around digital forensics; it goes a little outside the core focus of the book to give you a good understanding of the subject matter. It covers both Windows and Linux equally well, referencing both commercial and open source forensics tools and resources. You don't really need a huge amount of expertise to get a lot out of this book, but you do need to be familiar with Linux, Windows, networking and computer security in general. The majority of regulars on the forum will be able to read the whole book without any further research.
The book is split into 13 chapters with no larger sections and no apparent organisation or flow; the chapters do have informal subsections, which makes it easy to pick out relevant info. These are some of the more important/interesting chapters:
- Introduction to Computer Forensics.
- Encryption and Forensics.
- Your Electronic Toolkit.
- Introduction to Unix for Forensic Examiners.
- Introduction to the Criminal Justice System.
A full list of contents can be found HERE.
There is the normal preface with some good points for management if you want to sell the need for an Incident Response Team, or at least some kind of training for your security staff. This leads on to a section outlining each of the chapters and a tidbit on how the book is intended to be read. The book then moves on to the introduction, which is a basic lead-in to computer forensics, data acquisition, chain of custody and analysis.
The book goes on to cover a lot of basics for anyone already familiar with computer security, starting with network information such as Internet fundamentals, DNS, e-mail headers, dial-up sessions, Usenet posts and a small section about IDS. This is followed by a chapter on hard drives and storage media, which outlines file systems, partition tables, operating systems, unallocated space and laptop drives.
The cryptography section covers a bit of everything and is a fair introduction to cryptography in computer security and its relevance to forensics, including steganography and NT Alternate Data Streams. Hostile code is covered in a non-technical manner, with explanations of the various types and their purpose. The electronic toolkit section unfortunately covers mostly commercial software for the Windows platform. Some free tools are covered, such as The Coroner's Toolkit and ForensiX, a powerful investigation system. The following chapter on Windows is beginner friendly, using standard Windows tools such as find and regedit with some examples from EnCase as well. The UNIX section is slightly more technical but still starts with a basic introduction to UNIX, users, permissions and so on. This section, combined with a later chapter on investigating a UNIX host, contains some great examples of how to use the standard UNIX tools to search for files, examine binaries and make forensically sound images. I would say chapter 11, the chapter on investigating a UNIX host, is by far the most useful and in-depth chapter in the book.
The book finishes with a good introduction to the criminal justice system and some great appendices, including a valuable section on Internet Data Incident Response Guidelines and a sample Incident Response Form.
Style and Detail
The layout and style of the book is fairly standard and easy to read, if at times a little dull. There are plenty of diagrams where needed and the odd few pictures of various bits of hardware, along with the necessary screengrabs where software is being explained. I didn't find the book particularly easy to read; it seems to jump around a lot and the chapters in general don't seem to follow on from each other.
I would say the book could have done with being split into more chapters and perhaps following a more logical flow from chapter to chapter, as the information contained in the book is good quality and useful.
This is a good book for beginners to computer forensics and incident response, and gives some superb advice on handling evidence, which reflects the experience of the authors in dealing with real cases and legal issues. There are some great tips on how to get the most out of UNIX tools during forensic examinations and how to make legally safe images.
If you are already fairly advanced in forensics or have some real-world experience, I don't think you would get much out of this book, as it covers a lot of basics and doesn't really go into any deep technical detail.
I give it a "good for starters" SFDC 6/10.
This review is copyright 2004 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
Last edited by ShaolinTiger on Sun Jan 18, 2004 11:39 pm; edited 1 time in total