Wednesday, June 22, 2011

Book Review: Digital Forensics With Open Source Tools

DFWOST: No dongle? No problem!
No dongle? No problem, says it all! Authors, Cory Altheide and Harlan Carvey, deliver a superb, field guide for digital forensic practitioners. This book is not a textbook on how to perform digital forensics, but a guide for the veteran or new forensic examiner to reference, to extend his/her analysis capabilities with open source tools. The authors bring their years of real world experience at practicing digital forensics, into a single publication.
Digital Forensics With Open Source Tools (DFWOST) begins by defining "free" vs. "open" and the digital forensic process, as well as the benefits of using open source tools. DFWOST quickly moves into setting up the examination workstation, that the examiner/analyst will use to perform the digital forensic examination; regardless, of the host operating system of your forensic machine.
While the book is not a textbook on how to perform a digital forensic examination, it does outline basic digital forensic concepts and terminology that the forensic examiner must comprehend to utilize the open source framework that the book mainly focuses upon, The Sleuth Kit.
From here, the book goes into depth with Windows, Linux, and Mac OS X operating systems and how to use open source tools to identify, parse, and "forensicate" the various system artifacts.
The book's final chapter focuses on automating forensic analysis and extending capabilities with open source tools Finally, the appendix is full of free, non-open source tools that you should become familiar with and integrate into your digital forensic toolkit. Remember, there are many ways to skin a cat! [Disclaimer: no kitteh's were harmed in compiling this book review :)]

Here's why I am giving this book a five star review:

1) Altheide and Carvey walk the reader through compiling a forensic examination workstation to utilize for a digital forensic investigation. It's full of tips, command line refreshers, and best practices delivered from experienced digital forensic professionals with perfect symmetry (i.e., "It is best to complete Y, to avoid Z").

2) In regards to symmetry, Altheide and Carvey do an awesome job of describing The Sleuth Kit Tools, breaking down the common TSK prefixes and each layer of TSK tools, which for new examiners can be task within itself. If you are new to TSK, DFWOST is the perfect companion.

3) Altheide and Carvey eliminate the barrier of just having OS specific forensic tools. Linux and Mac OS X users can now play in their own sandbox, using their own toys (Of course, Linux and Mac users knew this all along).

4) Chapter 8 on File Analysis is the longest chapter (41 pages in length), covering analysis of image files, audio and video files, archive files, and documents. This chapter breaks down a file's content and metadata. DFWOST puts file analysis into a practical and digestible format, that a new examiner should be able to apply immediately to a forensic investigation.

5) The book's length, based on the subject matter is spot on and not too cumbersome (255 pages including Appendix on Free, Non Open Tools). Just as Carvey done with Windows Registry Forensics (WRF), Digital Forensics With Open Source Tools (DFWOST) takes a sniper approach (@cpbeefcake reference) on the subject matter. Depending on what type of reader you are, you may knock it out in a single reading session; or, it may take several reading sessions, which will allow you to follow along, complete the examples, and exercises outlined in the book.

6) Lastly, the DFWOST print version that I purchased is signed by both authors. I was able to catch both authors at the Open Source Digital Forensics Conference last week in NoVa. Thank you gentlemen!

The book's content, length, and practical application make it a necessity for the digital forensic examiner's toolkit! Now, go forth and 'forensicate', DFWOST-style!

Read what others are saying about DFWOST on Amazon, SANS DFIR blog, and on the Forensicaliente blog.

Sunday, June 12, 2011

On The Road: Open Source Digital Forensics Conference

This blog post is being put together from the road. The Open Source Digital Forensics Conference begins tomorrow with tutorials and the official conference Tuesday. Myself and fellow blogger/friend/forensicator, Ken Pryor are on the road, D.C. bound for the OSDF conference. Follow the conference on Twitter, #OSDFC. You can also follow the blog on Twitter as well @DFSource for conference tweets or my personal account. Looking forward to catching up with old friends and meeting new ones these next few days. See you at OSDFC!

Thursday, June 9, 2011

2011 Forensic 4cast Awards (Unofficial Results)

Here are the winners for the 2011 Forensic 4cast Awards that were streamed live at that we followed and tweeted live on Twitter @DFSource. Checkout what others were saying on Twitter about the #DFIRSUMMIT. The Forensic 4cast website should post the "official results" soon:

Congratulations to all the 2011 winners!! A special thank you to Alisha Whitfield for supporting Lee, which has allowed him the time to give back to the digital forensic community.

Disclaimer: We are calling these unofficial results until they are officially posted on Forensic 4cast website and if there were any omissions or errors.

Tuesday, June 7, 2011

Quick Post: DFIR Summit/OSDF Con

For those of us that cannot attend the SANS Forensic Summit that is going on today and tomorrow, you can catch SANS Institute's Live Stream feed at

The Forensic 4cast Awards will also be streamed LIVE via the above live stream feed TODAY at 5:20 EDT/2:20 PDT. Good luck to all the nominees!

Follow the Summit on twitter with hashtag #DFIRSUMMIT

The 2011 Open Source Digital Forensics Conference is next week and also fast approaching. The agenda is now available online. I will be attending the conference and looking forward to catching up with some old friends/forensicators and meeting new ones.