Wednesday, June 22, 2011

Book Review: Digital Forensics With Open Source Tools

DFWOST: No dongle? No problem!
No dongle? No problem, says it all! Authors, Cory Altheide and Harlan Carvey, deliver a superb, field guide for digital forensic practitioners. This book is not a textbook on how to perform digital forensics, but a guide for the veteran or new forensic examiner to reference, to extend his/her analysis capabilities with open source tools. The authors bring their years of real world experience at practicing digital forensics, into a single publication.
Digital Forensics With Open Source Tools (DFWOST) begins by defining "free" vs. "open" and the digital forensic process, as well as the benefits of using open source tools. DFWOST quickly moves into setting up the examination workstation, that the examiner/analyst will use to perform the digital forensic examination; regardless, of the host operating system of your forensic machine.
While the book is not a textbook on how to perform a digital forensic examination, it does outline basic digital forensic concepts and terminology that the forensic examiner must comprehend to utilize the open source framework that the book mainly focuses upon, The Sleuth Kit.
From here, the book goes into depth with Windows, Linux, and Mac OS X operating systems and how to use open source tools to identify, parse, and "forensicate" the various system artifacts.
The book's final chapter focuses on automating forensic analysis and extending capabilities with open source tools Finally, the appendix is full of free, non-open source tools that you should become familiar with and integrate into your digital forensic toolkit. Remember, there are many ways to skin a cat! [Disclaimer: no kitteh's were harmed in compiling this book review :)]

Here's why I am giving this book a five star review:

1) Altheide and Carvey walk the reader through compiling a forensic examination workstation to utilize for a digital forensic investigation. It's full of tips, command line refreshers, and best practices delivered from experienced digital forensic professionals with perfect symmetry (i.e., "It is best to complete Y, to avoid Z").

2) In regards to symmetry, Altheide and Carvey do an awesome job of describing The Sleuth Kit Tools, breaking down the common TSK prefixes and each layer of TSK tools, which for new examiners can be task within itself. If you are new to TSK, DFWOST is the perfect companion.

3) Altheide and Carvey eliminate the barrier of just having OS specific forensic tools. Linux and Mac OS X users can now play in their own sandbox, using their own toys (Of course, Linux and Mac users knew this all along).

4) Chapter 8 on File Analysis is the longest chapter (41 pages in length), covering analysis of image files, audio and video files, archive files, and documents. This chapter breaks down a file's content and metadata. DFWOST puts file analysis into a practical and digestible format, that a new examiner should be able to apply immediately to a forensic investigation.

5) The book's length, based on the subject matter is spot on and not too cumbersome (255 pages including Appendix on Free, Non Open Tools). Just as Carvey done with Windows Registry Forensics (WRF), Digital Forensics With Open Source Tools (DFWOST) takes a sniper approach (@cpbeefcake reference) on the subject matter. Depending on what type of reader you are, you may knock it out in a single reading session; or, it may take several reading sessions, which will allow you to follow along, complete the examples, and exercises outlined in the book.

6) Lastly, the DFWOST print version that I purchased is signed by both authors. I was able to catch both authors at the Open Source Digital Forensics Conference last week in NoVa. Thank you gentlemen!

The book's content, length, and practical application make it a necessity for the digital forensic examiner's toolkit! Now, go forth and 'forensicate', DFWOST-style!

Read what others are saying about DFWOST on Amazon, SANS DFIR blog, and on the Forensicaliente blog.
Post a Comment