Book Review

Computer Forensics

I was fortunate enough to get an advance reviewer copy of David Cowen’s new book – Computer Forensics: A Beginner’s Guide. After reading it, honestly, I was annoyed and a little bit pissed. I have a Masters in Information Security and it was my Computer Forensics class that got me interested in this field. By comparison the textbook I had for that class was dry, dull, stale and inadequate in its task compared to this book. What I would have given to have this as a reference for that class. Fortunately, now I do!

For those that are unfamiliar with the author: David has co-authored Hacking Exposed: Computer Forensics, writes a popular forensic blog (http://hackingexposedcomputerforensicsblog.blogspot.com/) and is an experienced Computer Forensic Examiner in the state of Texas.

What’s to like about this book? To me, the biggest selling point of this book is how it reads. If you like the style of the Hacking Exposed books then you’ll enjoy David’s writing style as well. It comes mostly as a first person narrative with David’s experiences sprinkled liberally throughout the book; and that’s a good thing. It becomes very obvious in the reading that not only does the author know what he’s talking about, he knows how to communicate it to a wide audience. I finished the entire book in three sittings and I attribute that to how well it is written.

The topics covered flow very well; starting with chapters on getting started, what can be done with computer forensics, how to get training and where to find current information. For the beginner, these chapters are invaluable as they lay the groundwork for the rest of the book as well as providing some great external references for finding more information about forensics. For the experienced forensicator, these chapters are valuable as a way to introduce new people to what you do as well as providing a great reference list of places to keep up-to-date on computer forensics.

From here the book quickly moves into setting up your own lab, what tools (both hardware and software) you’ll need, and how to start your first investigation. There’s a great chapter here on the importance of testing your tools and how to test them as well as several chapters on different types of forensic cases. The most valuable sections of the book, however, were the final two chapters on the back end of every investigation – documenting and reporting. Why? Because so much of the information in our field focuses on the technical aspects; new tools, new artifacts, new malware, etc., however, all of that is moot if it isn’t properly documented and reported. David fortunately doesn’t gloss over these topics, instead giving them two skillfully written chapters that will serve experienced and new forensicators well.

Without covering every chapter, I’ll instead say that David does an outstanding job of covering a very broad level of topics in computer forensics, including many that you wouldn’t expect to be in a book for beginners. And while the focus is on beginners, this book would make an excellent addition to any computer forensicator’s library.

That said, I did have a few minor quibbles with the book. There were a few minor spelling errors and some grammar issues, but I expect all of those will be referenced on the accompanying website (http://www.learndfir.com) and fixed in future versions. Another issue I had was that a few chapters’ topic introductions did not match up to the chapter summaries. For example, Chapter 8 deals with creating forensic images. The topics listed as being covered do not mention mobile devices, yet it is discussed briefly in the chapter and then listed as a skill learned in the chapter summary. In reality, the chapter mentions that the topic is rapidly changing and no methods for imaging mobile devices are documented. For a beginner it may be frustrating to see a skill listed as ‘covered’ in the chapter when it was not. This happens a few times in the book but should not seriously detract from what I consider overall to be an outstanding computer forensics book.

In summary, if you have any interest in computer forensics, I highly recommend this book. If you’re teaching a course on the topic, please do yourself and your students a favor and use this as your textbook. Your students will thank you!

Notes: My ARC was in .pdf form with no Table of Contents, Introduction or Index so I cannot speak to any issues in those areas of the book. I also cannot speak to any formatting issues that might exist with other e-versions of the book. There were none in my version but they do sometimes occur across different e-formats.

My DFIR Reading List/Library

I’m a pretty avid reader. I started reading at a very young age (which is why my eyes are so horrible) and I continue to devour books at a rapid rate. Since my wife got me a first generation Kindle, I haven’t purchased a ‘real’ book. I just love the e-format; the portability especially. When I was taking Masters classes it was so great to travel and not have to lug around a big textbook. My wife loves that there aren’t books stacked up in every bathroom and by my bed. This morning I noticed that the majority of my e-library was info sec and digital forensics books and I thought I’d make a list of books I’ve either read or am reading/referencing. The links are to the Kindle e-versions.

Davi Ottenheimer

Grabbed this book to brush up on my virtualization security knowledge. Honestly, it didn't keep my interest at all. It reads like a college textbook. I want to come back to it at some point to give it a more thorough reading but not sure if I will.

Brian Carrier

This one ended up in my library as a precursor to taking SANS FOR408 and 508. I believe it is part of the 508 material you get with the course. It was published in 2005 but provides an excellent reference on how file systems work. It reads well too and I highly recommend picking this one up.

Nelson, Phillips and Steuart

This was the coursebook for my Masters class in Computer Forensics. For that purpose it was adequate. If someone is looking for a book that gives an overview of what computer forensics is at a very basic level, this is the book to give them. For anyone that's spent any decent amount of time doing DFIR, skip it. It is broad and very shallow.

T.J. O'Connor

I'm new at Python but getting better, and mostly picked this one up to brush up my skills and to help rewire my brain to thinking like a programmer again. From what I've read so far, it is very good. It is not one to pick up if you're looking for an intro to Python; there are some outstanding online (and free) tutorials out there for that.

Gary A. Donahue

I picked this up to strengthen my network knowledge and have as a reference. It's very Cisco-centric but an excellent book if you need to look up anything related to network configurations or troubleshooting.

Chris Sanders

I had used Wireshark for a while before getting this book. After reading it and going through the exercises, it was like discovering a whole new program. It reads easily, makes sense and is guaranteed to improve how efficient you'll become at using Wireshark. I still go back to it often because of how well it explains concepts and reinforces them with real examples. Worth the price and then some.

Brian W. Kernighan

Sometimes we have to explain technical concepts to non-technical people, which is why I picked up this book. Nothing in this book was new to me, but it serves as a great example of how to explain what I do to people that have little to no concept of how a computer, the internet, or cryptography works. Worth it if you have friends or family that are constantly asking you questions about things like this.

Michael Sikorski, Andrew Honig

I picked this up after reading a post on Corey Harrell's blog and thinking that I'd really like to know more about analyzing malware. It is a very good book. If I were to take any issue with it, it is that it tends to focus on one or two tools exclusively. I would have liked to see more open source tools referenced, but I would guess that will be addressed in future releases.

William E. Shotts, Jr.

When I started my dive into DFIR, I was a complete *Nix noob. Honestly, I still am. But this book was instrumental in helping me break down the fear of the command line and understand how to navigate *Nix directory structures. Highly recommend it if you're in that same boat. I still reference it for commands I don't use frequently.

These are ones that I’ve purchased in the last year or so.

I am looking forward to Richard Bejtlich’s new book (coming out in July): Practical Security Monitoring. The link is to the hardcopy version; the e-version has not yet been posted.

There are several other DFIR related books in my e-library but honestly, they’re ones that lean more toward introductory topics. Do you have any books you really like and recommend? Or don’t recommend?

States need to be at the forefront of information security

States have long shown the ability to manage natural disasters and plan for/build capabilities for 9/11 type events but have done little to plan for/respond to cyber related ‘incidents’.

Take a look at any 12 month period in recent US history and you will observe the wide range of emergencies that states have had to respond to: hurricanes, wildfires, floods, drought, acts of terror, and so on. Over years of experience in dealing with these types of incidents, states have developed the expertise in planning, mitigating, managing and responding quickly. And while the Federal government often steps in to provide financial and logistical support, it typically falls on emergency management at the state level to coordinate response efforts. But states, including North Dakota, need to add a new capability to their skill sets: preparing for and responding to cyber security incidents.

This summer, the South Carolina Department of Revenue’s information systems were attacked and 3.6 million Social Security numbers, 387,000 credit and debit card numbers and 657,000 business tax returns were extracted. What is even more concerning is that state officials were made aware of the breach by the Secret Service and the South Carolina Law Enforcement Division, not by their own IT department. This incident will end up costing taxpayers in South Carolina tens of millions of dollars.

Additionally, the Stuxnet worm, used to subvert Iranian nuclear centrifuges, demonstrates that these types of threats are not limited to networks. In a state that has so much energy infrastructure providing critical resources to the rest of the country, the implications can be daunting and frightening. Put simply, we live in an era where the need to secure networks and infrastructure from cyber threats is not going to go away. Given the experience North Dakota has with federal response to recent disasters, it would be ill-advised to expect that needed support in a cyber emergency would be timely or effective.

As the federal government and the various branches of the military attempt to decide who is going to secure cyber space and how, states will need to proactively develop their own plans and expertise to respond to such events. Several have already started, tasking their own National Guard to form cyber units capable of helping to protect state and local governments, private industry and utilities from cyber attacks. Going a step further, state emergency management needs to reach out to private industry for training, communication and coordination. Development of public/private CERTs (Computer Emergency Response Teams) that could be called upon on short notice would give state emergency management a response and defense capability that currently does not exist.

But it is not enough to have the capability; it needs to be communicated to state and local public and private entities. And most importantly it needs to be exercised and tested. Just like we can expect there to be a severe weather pattern that requires an emergency response, we can expect that at some point North Dakota will have to respond to a cyber emergency. It is not a matter of if, but when. Hopefully, we will be ready.

Cloudshark

I was first introduced to Wireshark while working on my Masters degree and I play around with it on a regular (daily) basis now. Chris Sanders’ excellent “Practical Packet Analysis” really exposed the capability of this free packet analysis tool to a relative novice like me. Now after doing a bit more playing around I came across Cloudshark. It is exactly what you think it is: a cloud version of Wireshark that can be run from any browser. And it has a Wireshark plugin to upload captures. Pretty neat stuff! It does not have all the features of Wireshark (there’s a paid version for that) but from what I’ve seen it is quite capable in its own right if portability is an issue.

What I’m Playing

Updated!
XCOM: Enemy Unknown (XBOX 360)
Borderlands 2 (XBOX 360)

How to get your own VPN and increase your personal security

First, if you haven’t already, bookmark Lifehacker. They’re very good about posting relevant security articles. After that, check out their article on setting up your own VPN. It’s good stuff, easy to do and will make you more secure when out and about and using those unsecured Wi-Fi spots. Go. Do it. Now. Send me thank you comments later.

What I’m playing…

Looked at my old playing post and realized it’s quite outdated. Here’s what’s on the playlist these days:

-Mass Effect 3 multiplayer (XBOX) – don’t get me started on the single player ending.

Dang. That’s really about it. I haven’t been doing much phone or pc gaming mostly due to time constraints.

One Click…

I recently took the SANS Security Essentials class online and our instructor, Bryce Galbraith, gave a presentation outside of the class entitled “Why our defenses are failing us…One click is all it takes”. While it does get into some rather technical headspace pretty quickly, I think it’s worth checking out if only for the overall message, which is: be cognizant of the implications of clicking on links. Whether it is an email, Facebook or now Pinterest, clicking the wrong link can seriously compromise your system and any system you’re connected to very quickly. And as these types of social media sites gain popularity, they quickly become targets for scammers and people with malicious intent.

Why passphrases make sense over passwords.

I discussed this in an earlier post, but this cartoon illustrates it even better than I could. (credit to Randall Munroe)

How I spent my Monday (and part of Tuesday)

This lovely picture looking over the Missouri River in Bismarck, North Dakota was taken from the top floor of the National Energy Center of Excellence. Pretty nice view for November don’t you think? I was attending the Great Plains Energy Expo. Yeah, I know you can see my reflection in the picture…I was using my phone to snap the shot. Sue me.