Customer Reviews:
The bible for File System Forensics.......2007-08-15
Great Book. Great job Brian. A must have in your bookshelf if you are serious about computer forensics.
It only lacks two things to be perfect: a ReiserFS section and an HFS+ section.
Only one error: the GPT partition scheme isn't used only in big servers. New Intel Macintoshes use it by default for their boot drive.
super.......2007-03-08
Thanks a lot, we are very happy to have this book in our library!
Accept no substitutes -- THE book to read on file systems.......2006-10-10
I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WF. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.
In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried not to let those facts sway my reviews.
FSFA has received lengthy and glowing reviews, so I will keep my comments brief. Of the three books I cited earlier, FSFA was the only one which really grabbed my attention. I am a network-centric security practitioner, but Brian Carrier's organization, thoughtfulness, and delivery really hooked me. I very much appreciate authors who define a framework and explain potentially complicated topics within that framework.
For example, Brian is very keen to promote the scientific method. His emphasis on hypotheses and looking for evidence to refute them made me take a second look at my own practices. Brian differentiates between "essential" and "nonessential" data, where the former must be accurate in order for a user to access data and the latter not necessarily needing to be accurate. Again, this is a great way to think about digital evidence in any form. Investigation is grouped into preservation, search, and event reconstruction phases. Finally, Brian's separation of data structures into five categories (file system, content, metadata, file name, and application) facilitates comparisons of file systems in the third part of FSFA.
Besides being well-organized, FSFA does an excellent job covering material not addressed elsewhere. Server partitions, RAID, and LVM are examples. It is important to understand what is NOT present in FSFA, however. Brian very clearly stops at the application level of data, saving that for other books. I think this is a great idea, since it lets FSFA concentrate on its core topics (file systems) and saves the data on those file systems for other books. At the risk of self-promoting, I think FSFA is a powerful companion to "Real Digital Forensics" (RDF), since we provide sample file system images in dd format suitable for analysis using FSFA techniques. RDF also cares more about content than structure, which is where FSFA stops.
Anyone who even pretends to be a host-centric forensics practitioner must read FSFA. I expect it has the power to save you on the stand should you encounter intense questioning from a defense attorney.
The best work on the topic.......2006-08-29
Carrier's book has proven invaluable to this digital forensics trainee, and I expect many of the old hands in the field will be keeping it on hand as well. If you're serious about computer forensics, you need a copy.
Very deep.......2006-05-24
I'm pretty technical, so I enjoyed this book. The author has more on file systems than just about anywhere, and I found it helpful in non-security work also, just to understand how the different systems work.
I was able to use the book Windows Forensics, Corporate Computer Investigations by Chad Steel more in daily use, but this book would have been better as a starting point in learning about disk-based analysis and does a much better job of diving deep into file system specifics.
Some of the programming-level content was tough to follow, but if you are ever going to court and really need to know your stuff this is by far the book you need. I recommend it thoroughly.
Customer Reviews:
A very good Book........2006-11-10
I bought this book because my professor told me to purchase it.
But after reading its content I feel it's really worth buying this book.
Excellent Read.......2006-02-11
This book is written in such a style that is easy to understand, yet technical and detailed enough to maintain your interest and attention all the way through.
The book presents several ways of accomplishing the same tasks in a non-biased, non-vendor-specific way. It explores the use of free, open-source tools as well as commercial offerings, and drills down into forensic analysis of both Windows and Unix/Linux Operating Systems.
The included CD contains actual forensic data and a few tools, which is both interesting and exciting to use while following along with the lessons in the book.
After receiving this book and opening it to the first page, I was almost unable to set it down until I finished it. I received it on a Friday afternoon and I had completed reading it by the end of the weekend. I highly recommend this book to anyone with an interest in Computer or Network Security.
This one is a keeper!.......2006-01-27
As an author and instructor, I tend to be pretty picky about the books I choose to read and use in my classes. The authors present the material in a good logical progression. I especially like that it also provides sample evidence on the DVD. Most of the computer forensic books that currently exist contain mostly theory. This is the first good hands-on text that I have seen.
The authors have captured a good cross section of scenarios and then guide you through each case in-depth, offering practical solutions when faced with obstacles. The content provides methodologies, techniques, and tools that anyone can use. In addition it covers a variety of media such as USB memory and Palm devices.
This is a book that I will definitely keep. It is one of the best forensic investigations books currently on the market and would be a great asset to anyone wishing to enhance their skills.
An essential A-Z guide for forensic investigations.......2005-12-07
There is a real lack of well written books in this category, and this one stands out because it is comprehensive, yet easy to digest and carefully laid out, including case studies to understand data capture and analysis techniques.
The progression of the chapters mirrors an investigative process; there is discussion of how to properly handle digital evidence, how to make a duplicate of the source data, and how to make sense of what you have collected. There are many real-world type case studies in the beginning of the book that could easily be read off the front of any newspaper, and the captured evidence is on the included DVD for you to search to find the "smoking gun". Very well done.
The book takes the unusual role of discussing not only the more popular commercial tools like EnCase or Forensic Tool Kit, but also all the open source tools available for free, which is a real plus if you don't have the deep pockets required for the retail products. The book also does an excellent job of explaining the advantages and shortcomings of all the products discussed, something not often seen in technical books. Along with the open source discussion are source web sites for downloading the tools. The accompanying DVD is packed with stuff to get you started. The book is filled with well illustrated screen shots to help you orient yourself when trying the programs yourself.
Be forewarned, this book assumes a pretty reasonable amount of technical knowledge and while it addresses the commercial products available on the Win32 platform, a lot of tools and utilities referenced are written for Linux. While a novice investigator can certainly find value in the book, there is a lot of "meat" that even a seasoned professional will find useful.
This is definitely the best book currently available on data forensic investigations.
Customer Reviews:
Invaluable Resource For Any Windows Admin.......2005-02-13
About a year ago I was investigating a system to try and determine if it was attacked, as well as when and how if it had been. I wrote for help to a list that I am on and Harlan Carvey responded with detailed and useful information that helped me out.
I asked Carvey at the time if there were a book I could get that would help me learn that stuff and he told me that he didn't want to be cocky per se, but that there really wasn't and that I would have to wait until his book came out. Now that I have it I think I would have to agree.
There are plenty of great books on computer forensics available, but none that go into the depth that Carvey does on the Windows operating system itself. The information he provides regarding how and where Windows hides information is invaluable for finding and recovering from an attack.
Carvey makes extensive use of PERL, rather than using the native Windows Scripting Host (WSH), and he explains that PERL is vastly more flexible and powerful than what Windows has to offer. He provides details for how to install it and the scripts from the book are on the accompanying CD.
I highly recommend this book for ALL Windows system administrators and anyone who investigates incidents on Windows systems.
(...)
An Excellent and Informative Book.......2004-09-25
I am a nuts and bolts kind of guy and this book suits me to a tee. Harlan covers the topics thoroughly and has added to my knowledge of forensic methodology and shown me new techniques to discover information in the many recent versions of the Windows operating system. He has done his homework, mixed it up with lots of coding examples, and even added some dream weaving to illustrate his points.
He lays the groundwork in chapters one, two, and three so that anyone reading the book will be sure to understand his purpose and see the framework that will be used for a methodology for Windows incident response.
Chapters four and five cover incident response. Among the preventative tools mentioned are group policies and configuration options that can be used on a Windows system so it can be configured to effectively take advantage of native security features. One of the topics in this chapter is using and extending Windows File Protection (WFP). A useful suggestion found here is the extension of WFP to protect static pages located on the root of a web site - especially since there are web site defacements occurring all the time. In Chapter five he covers the collection of volatile and non-volatile information. Although there are many tools out there for collection of this information, many well known to forensic examiners, Harlan progresses in a logical sequence and enumerates the pros and cons of each in a very understandable way. There are many examples of command lines, screen shots, and perl scripts to explain the concepts. In chapter 5 there are 47 web links that can be used to research the tools mentioned.
I had never imagined a dream sequence in a book about computer forensics - but there it was in chapter six. We follow in the footsteps of Andy, a network administrator unlucky enough to be the victim of a network incident. Andy develops a methodology to prepare for, contain, and analyze network incidents. We can see the consequences of being unprepared and then follow Andy through the development of this methodology. In hindsight, this was a good teaching tool based on experience and it brings the reader through a logical set of steps so they can start to think about developing their own methodology.
Chapter seven covers what to look for when doing incident investigation. Windows, an operating system where most people use the graphical user interface (GUI), hides many of its internals from the user. This chapter covers the functions of these internals, and locations of data and tools that can be used to discover it. There also is a look at the AFT Windows Rootkit 2003. This rootkit hides itself from the casual investigator. Using the proper tools, this rootkit can be discovered.
Harlan's Forensic Server Project (FSP) is discussed in chapter eight. This project takes the elements discussed earlier in the book and brings them together so that an investigator can adapt and customize to fit the needs of their own investigation. The FSP is not an end to itself, but rather furthers forensic techniques and knowledge with the use of open-source tools and a structured methodology. An additional chapter covers scanners and sniffers that can be used for network forensic investigations.
The investigator will find over 200 links to Internet sites for further exploration. It is a good solid start to an ongoing and exciting project that will evolve and grow now that the solid foundation has been published.
Windows is a complex operating system and the fact that it is used in the majority of computers in the world makes it a tempting target. In the future I would expect that the chapter on rootkits would be expanded. There are several varieties of rootkits in the wild and the forensic community will value any light that can be shown on their operation and malicious functions.
Harlan Carvey's book is a valuable addition to my bookshelf.
Invaluable Reference for Today's Windows Admins.......2004-09-22
I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring. This is the first computer book that I have read cover to cover in well over 5 years and I have bought a lot of computer books. From the beginning until the end you are bombarded with information that is useful and relevant to today's Windows management. Not only are you told about different tools but are shown how they are used and what benefit they have, not only in incident response but also in daily monitoring.
This book provides so much information it is hard to figure where I wanted to start with building my own incident response toolkit. You are given quite a few options on how to do an analysis and what tools you can use. Carvey leaves it up to you to determine what options you want to use for each analysis. Carvey is like a good parent giving their child all the information they will need in life and letting them apply it how they see fit.
The scripts that are provided with the book are excellent and provide you with a strong base to build your own incident response toolkit. The Forensic Server Project, which the author wrote, is covered in Chapter 8 and provides an excellent framework that can be tweaked to use your own preferences and scripts of your choosing. The ease of using this framework to collect incident information will make the first responder's job that much easier, considering the first responder will probably be under stress when doing this analysis. The instructions for installing it were very clear and easy to follow and I had it up and testing in a couple of minutes.
I would strongly recommend this book to anyone that is looking at Windows incident response or Windows monitoring.
Tools for the Microsoft Administrator.......2004-09-16
Windows Forensics and Incident Recovery is an invaluable resource for a Windows Administrator. The author points out correctly that an investigation into anomalous computer behavior is often cut short due to a lack of understanding what to look for and the time constraints that all IT departments work under. After presenting tools to reveal hidden processes and information, he presents a methodology to quickly and easily retrieve this information from a machine so that an informed decision as to whether patching, rebuilding or further investigation into the machine in question can be made.
Many of the utilities that are presented in the book will be familiar to most IT professionals. These utilities combined with the Perl scripts included on the companion CD make for a potent investigative tool kit. The step by step guide made installing Perl and integrated modules easy to follow. While Perl may not be a familiar language to many, opening the scripts with Note Pad or a Freeware tool such as Crimson Editor reveals detailed notes as to the purpose of each section of the script. After completing the setup for the Forensic Server Project the reader is rewarded with a powerful incident protocol ready for real world use.
There is also a review of several methods to hide data from within programs such as MS Word or Excel and also the operating system itself. On general security fundamentals Carvey discusses and confirms what should be the mantra of any Microsoft Administrator; patch, monitor and be informed. This book is a great resource for any Microsoft Administrator.
Very Informative Read.......2004-09-16
I see three types of people reading this book: 1) People who make a living in network security, 2) Advanced users who *really* want to know areas where hackers can get in, and 3) Wanna-be "hackers" (learning what not to do by studying what people are looking for). Every chapter is filled with revealing information and "see for yourself" proofs. The book is easy to read and understand, regardless of your previous Windows Security experience.
I only have two issues with the book. The first is that the author almost exclusively uses Perl as the scripting language for all the proof of concept and utility scripts in the book (all very conveniently located on the accompanying CD-ROM). This is understandable in that Windows native scripting languages may not provide the same functionality as easily (if at all) as Perl, but Perl isn't native to the Windows environment. A great many of today's Windows Administrators started off with Microsoft Platforms, and use Microsoft languages to perform tasks. It would have been nice if the author had presented some of his script in Windows native languages, so as to afford those without Perl experience the same level of experience. Secondly, and again understandably, the book makes reference to many utilities only available for download from various third-party web sites. If web sites were permanent, reliable, static resources, this wouldn't be a problem - but when you attempt to download a mentioned utility only to find that the web site no longer exists, or the download removed, it detracts from the value of the book itself. This is not to say that book is full of broken links, only that the nature of the Internet is dynamic and things change over time.
Overall, a welcome addition to your technology library, and well worth the time invested to read. Anyone reading the book will take away something to improve the security of the systems under their charge.
Incident Response and Computer Forensics, Second Edition
Chris Prosise, Kevin Mandia, and Matt Pepe
Manufacturer: McGraw-Hill/Osborne
ProductGroup: Book
Binding: Paperback
ASIN: 007222696X
Amazon.com
A strong system of defenses will save your systems from falling victim to published and otherwise uninventive attacks, but even the most heavily defended system can be cracked under the right conditions. Incident Response aims to teach you how to determine when an attack has occurred or is underway--they're often hard to spot--and show you what to do about it. Authors Kevin Mandia and Chris Prosise favor a tools- and procedures-centric approach to the subject, thereby distinguishing this book from others that catalog particular attacks and methods for dealing with each one. The approach is more generic, and therefore better suited to dealing with newly emerging attack techniques.
Anti-attack procedures are presented with the goal of identifying, apprehending, and successfully prosecuting attackers. The advice on carefully preserving volatile information, such as the list of processes active at the time of an attack, is easy to follow. The book is quick to endorse tools, the functionalities of which are described so as to inspire creative applications. Information on bad-guy behavior is top quality as well, giving readers knowledge of how to interpret logs and other observed phenomena. Mandia and Prosise don't--and can't--offer a foolproof guide to catching crackers in the act, but they do offer a great "best practices" guide to active surveillance. --David Wall
Topics covered: Monitoring computer systems for evidence of malicious activity, and reacting to such activity when it's detected. With coverage of Windows and Unix systems as well as non-platform-specific resources like Web services and routers, the book covers the fundamentals of incident response, processes for gathering evidence of an attack, and tools for making forensic work easier.
Book Description
Written by FBI insiders, this updated best-seller offers a look at the legal, procedural, and technical steps of incident response and computer forensics. Including new chapters on forensic analysis and remediation, and real-world case studies, this revealing book shows how to counteract and conquer today’s hack attacks.
Download Description
This is one of the first books available that explains what to do after you've been hacked. Written by FBI insiders, this book reveals the computer forensics process and offers authoritative solutions designed to counteract and conquer hacker attacks.
Customer Reviews:
You must buy..........2007-01-17
You must buy if you are beginner, intermediate or advanced in forensic computers.
Ok book but File System Forensic is better.......2006-05-24
I liked this book, but it is scattered in its topics. A lot of the information can be found online, and the tools aren't what we use on a daily basis. I'm not sure if any of them are commercial tools in this book.
I liked File System Forensics by Brian Carrier better. Even though it had a smaller area to cover it provided a better introduction to the area and I could see how it could be used in a class better. Still, this book does have a lot of good content and makes a nice addition.
Best incident response book out.......2005-03-04
This is no doubt the best incident response book out. I highly recommend this for anyone either in the field, learning to get into the field, or running a small to medium sized company without a team of experts. My entire network admin team uses this as a reference at the side of their desk.
Excellent basic reference.......2004-05-15
I read the book in about three days and found it to be a good primer for one leaning towards computer forensics. While some of the technology and tools described in the book will undoubtedly change within the next few months, a lot of the basic principles will remain pertinent for a long time to come. I heartily recommend this book for anyone with more than just a casual interest in Computer Security.
The Very Best Computer Forensics Primer Out There (1/04).......2004-01-22
As an attorney and a formally-trained computer forensics examiner and instructor who has been tilling the fields of digital evidence for some time, I'm always on the prowl for the next great computer forensics tool or text that's going to help me find the next smoking gun...or at least be confident I haven't overlooked it. I've built a substantial library of books and articles on computer forensics, some very good and some a complete waste of money. But, this book is the best of the best.
From its step-by-step detail of the forensic process to its copious and helpful illustrations and screen shots to its unvarnished discussion of the tools in the marketplace, the second edition of Incident Response and Computer Forensics is, for my money, the most valuable resource any computer forensic examiner could have on their shelf. Many of the techniques and shortcuts detailed are "trade secrets" in that I've never seen them described in print. Unlike other forensic guides that assume the reader owns a costly forensic software suite, this book fairly splits its emphasis between Linux tools, shareware and the best software packages. That means the reader can begin the learning process at once, without investing anything more than their time and interest.
Another strength is that the book neither presupposes a too-high level of knowledge or experience nor dumbs down its content such that an expert wouldn't derive any value. There's something here for everyone who cares about computer forensics, from the neophyte to the grizzled veteran. When I paid $50.00 for this tome at a big box bookstore, I worried I was paying too much. Now, I'd think it cheap at twice the price.
As another reviewer pointed out, it doesn't devote a chapter to the law, but that is not to say that legal considerations are ignored. To the contrary, I think the authors do an excellent job of giving a useful "heads-up" where needed and not moving out of their depth.
I don't know these guys, but I'd sure like to shake their hands for a job well done! Thanks.
Craig Ball is an attorney and certified computer forensic examiner based in Montgomery, Texas, who teaches and consults with attorneys and the courts on matters of computer forensics and electronic discovery.
Book Description
The only book available on the market that addresses and discusses in-depth forensic analysis of Windows systems. Windows Forensic Analysis DVD Toolkit takes the reader to a whole new, undiscovered level of forensic analysis for Windows systems, providing unique information and resources not available anywhere else. This book covers both live and post-mortem response collection and analysis methodologies, addressing material that is applicable to law enforcement, the federal government, students, and consultants. This book also brings this material to the doorstep of system administrators, who are often the front line troops when an incident occurs, but due to staffing and budgets do not have the necessary knowledge to effectively respond. The companion DVD for the book contains significant, unique materials (movies, spreadsheet, code, etc.) not available any place else, as they were created by the author.
Customer Reviews:
Unique and helpful.......2007-10-06
This book is essential for understanding how to analyze memory dumps, albeit many forensic investigators will usually turn off a computer instead of getting a memory capture to do a more traditional analysis.
The included scripts are very helpful. This book, unlike many other books in this genre, is designed for the technical professional. Forensic analysis is often like a whodunit mystery, and having some more tools in your toolkit will assist you in thinking outside the box. The registry analysis was thorough and essential for a recent project. The memory dump analysis scripts were helpful in a recent Defcon Capture the Flag Competition. A sample chapter is available online.
This is a Must Read before it goes on your reference shelf.......2007-10-03
Often times when you read reviews of technical books the reviewers will say, 'This book deserves a place on your reference shelf.' I have read many and thought the only reason it deserves a place on my shelf is to hold up the other books.
This book presents innovative ideas that will have you sitting at your computer trying the many scripts provided on the accompanying DVD. If you cannot wait and jump right to the Registry analysis chapter you will not be disappointed. However I would take each chapter and each set of scripts and examples and walk yourself through what amounts to a multifaceted Windows investigation.
While Harlan Carvey references ProDiscover, and many of the scripts are designed for ProDiscover, this book is not a tutorial for ProDiscover. This book is an in depth look at Windows, or more importantly the underpinnings of Windows, and what can be discovered with the right mindset and tools.
I for one can only hope that this is not the last of Carvey's books on Windows, Live Response, the Registry and the many ever changing issues facing examiners.
Excellent Book.......2007-09-18
A well written, easy to read must have for anyone who works in the field of computer forensics.
Not only for the "Registry Analysis" chapter ..........2007-09-13
Imagine that you are a computer forensic analyst, and have to answer a question like "is it possible to find out which commands user John Doe ran, and when?", or "is it possible to prove that user X connected the same USB device to these two machines?" (and many others of the same type). Up to a few months ago, your best bet was to knock your head on the monitor, googling on a huge number of sometimes not-always-so-useful computer forensics websites and forums (they seem to sprout like mushrooms, these days), and crossing your fingers hoping to find an answer in the short time left to conclude your investigation.
Fortunately, after the publication of "Windows Forensic Analysis" by Harlan Carvey, you will find answers to these questions (and many more) in a single place, much handier than wandering around the Internet. This book is really a must for everybody working in computer forensics (or planning to do so) -- not necessarily just for Windows systems. As a matter of fact, what this book teaches you, besides specific techniques working on Windows, is a methodology by which you can set up experiments that enable you to find answers to your own questions and that can be used also for other operating systems.
The book covers both live response (Chap. 1 and Chap. 2 describe collection and analysis of volatile data, respectively), and post-mortem analysis (Chap. 4, 5, and 6). In addition, two topics not covered by other computer forensics books are Memory Analysis (Chap. 3) and Rootkit Detection (Chap. 7).
The style of the book is a nice mixture of both methodology and practice, and contains the description of many techniques and tools that can be used to properly extract and analyze various types of digital evidence.
The accompanying DVD contains a large number of Perl scripts, written by Harlan Carvey, that implement most of the techniques described in the book.
The book assumes that the reader has a basic knowledge of computer forensics, and as such it does not cover computer forensic techniques (like mass storage imaging and file system analysis), but focuses on the analysis of artifacts produced either by the Windows OS or by its typical applications when operated by a user. This makes it unique in the computer forensics book arena, and an invaluable tool in the computer forensic bag of any specialist working in the area (much more valuable than your favourite computer forensic software, since no tool can ever substitute knowledge).
In summary, I totally agree with Troy Larson's quote reported on the book cover ("The Registry Analysis chapter alone is worth the price of the book"), but be assured that all the other chapters are at the same level as the Registry Analysis one.
Not just for forensics, but for a deeper understanding of Windows itself........2007-08-26
I bought this book after reading Richard Bejtlich's review and can say I am not disappointed at all. Clearly this book is well worth the time and the money. After reading just half of the first chapter I was so engrossed I couldn't put the book down. I worked through the entire book, trying most of the tools, advice and experiments/labs that were included. The inclusion of the tools (on the included DVD) not only in Perl but in .exe format was really a great touch. I'd consider this one of the best books written, not just for forensics but for a deeper understanding of Windows itself.
Customer Reviews:
Computer Forensics: Principles and Practices.......2007-08-15
A nonsense book. It would have been useful 6-7 years ago, but at present it doesn't say anything which can help you either to learn computer forensics or to perform your day-by-day analysis.
Buy something else.
Book Description
The evidence is in--to solve Windows crime, you need Windows tools
An arcane pursuit a decade ago, forensic science today is a household term. And while the computer forensic analyst may not lead as exciting a life as TV's CSIs do, he or she relies just as heavily on scientific principles and just as surely solves crime.
Whether you are contemplating a career in this growing field or are already an analyst in a Unix/Linux environment, this book prepares you to combat computer crime in the Windows world. Here are the tools to help you recover sabotaged files, track down the source of threatening e-mails, investigate industrial espionage, and expose computer criminals.
* Identify evidence of fraud, electronic theft, and employee Internet abuse
* Investigate crime related to instant messaging, Lotus Notes®, and increasingly popular browsers such as Firefox®
* Learn what it takes to become a computer forensics analyst
* Take advantage of sample forms and layouts as well as case studies
* Protect the integrity of evidence
* Compile a forensic response toolkit
* Assess and analyze damage from computer crime and process the crime scene
* Develop a structure for effectively conducting investigations
* Discover how to locate evidence in the Windows Registry
Customer Reviews:
In a world with few Windows-specific options, this is a helpful forensics book.......2006-10-10
I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WF. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.
In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried to not let those facts sway my reviews.
WF is a great guide to forensic investigation of Windows. By this I mean WF presents Windows from the perspective of the important directories, files, and registry entries that help an analyst discover malfeasance. WF also covers some of the core applications one would expect to review during host-based forensics, like email, Web browsing history, and P2P application usage. I expected coverage of popular Windows application formats relevant to investigations, like .doc, .ppt, and .xls, but those were missing.
WF addresses the core operational aspects of host-centric forensics, like forming a team and acquiring evidence from live and dead targets. I did not think these sections were as good as material from what I consider the book best suited for all-around hands-on forensic use -- "Incident Response: Computer Forensics, 2nd Ed" by Mandia, Prosise, and Pepe. Live response is one area where I thought WF didn't shine too brightly. I did like the frequent mini-case studies which shared stories from the author's investigative experiences.
A few other aspects of WF resulted in me offering a four star review. I thought the discussion of "vampire taps" on p 157 revealed a real lack of contact with modern network monitoring methods. I don't know anyone who uses or recommends such a contraption in an era of network taps. I continue to question the need to build so-called "sniffing cables," especially when proper interface configuration serves the same purpose. Furthermore, a remotely managed sensor will not be able to hide its traffic on the network anyway, so savvy intruders can usually find them (unless a completely separate management network is run out-of-band). "Chapter 7" was also way too short -- 2 pages!
Although I liked the case studies, I thought there were far too many "gray box" entries. These contain useful hints, but their frequent appearance sometimes interrupted the flow of the book. This indicates a need for better organization. Finally, I felt the recent Syngress book "Winternals" did a decent job explaining how to analyze malware, rootkits, and rogue processes on Windows. WF didn't explore this key aspect of Windows incident response.
Overall, however, I would recommend reading WF if you need to understand data sources from Windows systems. I suggest concentrating on the sections that explain where you'll find quality information on Windows, and rely on other sources for generic forensics guidance. I could see readers using WF as a primer for learning about key Windows artifacts, then searching for them in the image files in "Real Digital Forensics."
Finally, the right book for Windows forensics.......2006-06-03
I have to say, like the next geek, I get frustrated by the lack of Linux/Unix use on the desktops of the corporate world; however, the fact is that Windows desktops outnumber Linux/Unix desktops by way more than 100:1. For this reason, it has been very frustrating to me that so many security books focus on Linux/Unix. I don't care if it's the best platform (though I agree); it's not the most common and we need tools on and for Windows.
This book tells you how Windows file systems work and how to perform forensic analysis on these systems. However, it's more than this - it is a great all around book on forensics analysis and the computer crime investigation process. I highly recommend this resource.
Tom Carpenter - Author: CWSP Certification Official Study Guide
Excellent focus on corporate security.......2006-05-24
Just read through my copy of this book. I do Cisco work as a CCSE and SANS certified network security specialist, but have been called on to do some investigations at work as the resident "security geek".
I read Brian Carrier's book on file system forensics, which is much deeper into data structures and is a very good book, but this book gives a better holistic look at investigations. We run a mostly Windows shop, and I'm happy to see a book that doesn't just cover Unix stuff. I want to pick up Windows Forensics and Incident Recovery next and see how they compare.
Definitely recommend!
Book Description
Digital evidence--evidence that is stored on or transmitted by computers--can play a major role in a wide range of crimes, including homicide, rape, abduction, child abuse, solicitation of minors, child pornography, stalking, harassment, fraud, theft, drug trafficking, computer intrusions, espionage, and terrorism.
Though an increasing number of criminals are using computers and computer networks, few investigators are well-versed in the evidentiary, technical, and legal issues related to digital evidence. As a result, digital evidence is often overlooked, collected incorrectly, and analyzed ineffectively. The aim of this hands-on resource is to educate students and professionals in the law enforcement, forensic science, computer security, and legal communities about digital evidence and computer crime.
This work explains how computers and networks function, how they can be involved in crimes, and how they can be used as a source of evidence. As well as gaining a practical understanding of how computers and networks function and how they can be used as evidence of a crime, readers will learn about relevant legal issues and will be introduced to deductive criminal profiling, a systematic approach to focusing an investigation and understanding criminal motivations.
Readers will receive access to the author's accompanying Web site, which contains simulated cases that integrate many of the topics covered in the text. Frequently updated, these cases teach individuals about:
* Components of computer networks
* Use of computer networks in an investigation
* Abuse of computer networks
* Privacy and security issues on computer networks
* The law as it applies to computer networks
* Provides a thorough explanation of how computers and networks function, how they can be involved in crimes, and how they can be used as a source of evidence
* Offers readers information about relevant legal issues
* Features coverage of the abuse of computer networks and privacy and security issues on computer networks
* Free unlimited access to author's Web site which includes numerous and frequently updated case examples
Customer Reviews:
Very complete book........2006-11-10
It describes all aspects of digital crime using clear language. It's very good for newbies.
Excellent book from a real expert.......2003-09-03
This is an excellent book from a real expert.
Everyone and their brother are writing books about computer security and digital forensics.
The difference here is that Eoghan Casey knows what he is talking about.
Excellent book!
The book of digital crime.......2002-01-14
If you are new to this world, this is where you should begin. Digital Evidence contains all the knowledge one could amass by obtaining a PhD in computing, especially when you don't have time for a diploma. I have bought 5 books pertaining to digital crime from the USA and UK, but this is the one and only book I am recommending to anyone on any continent who wants to learn or is new to this arena. All the other books in this field, for attorneys or those with similar requirements, are somewhat academic and may be boring. The CD-ROM accompanying the book gives you much-needed hands-on training, which would otherwise cost you at least US $4000 if you were to go to a training centre to do the same.
Best computer forensic book available.......2001-06-28
Sometimes, defense attorneys have it easy: one slip-up by the prosecution and evidence is thrown out. Knowing that, law enforcement goes to great lengths to ensure that evidence is appropriately collected and protected. That works well in the physical world, where law enforcement has many generations' worth of experience. But in the modern world of computers and digital networks, where the simple act of rebooting a computer is enough to wipe out large amounts of evidence, law enforcement clearly needs thorough guidance.
Such a resource is here: Digital Evidence and Computer Crime, an excellent book that details the elements of digital crime. Author Eoghan Casey does a superb job of applying forensic science to computers. The information presented here is critical to a diverse audience: law enforcement, attorneys, forensic scientists, and systems administrators, for instance.
While cybercrime law is in some ways similar to other aspects of criminal law, it nonetheless has its own language and categories. For instance, jurisdiction is a key element in both the physical and digital realms, but it is a much trickier concept in the latter. Casey develops this topic and many more. Those new to computers and networks need not worry: the book begins with an explanation of how they function. With the basics out of the way, Casey details how computers can be used in crime and how the evidence created from these activities can be used for later analysis....The accompanying CD-ROM contains simulated cases that integrate many of the topics covered in the text. In all, the book and CD are an excellent introduction to an increasingly important area of law enforcement.
University Text Book.......2001-06-09
This text was used for the digital evidence and computer crime class that I just completed. The book is clear and easy to understand. It goes into detail only when needed. I was concerned that this information would quickly become out of date, but the ideas presented are current and provide a solid background for understanding any newer technologies that come down the road. I usually sell my books after the semester ends, but I have decided to keep this one.
Customer Reviews:
A Neophyte's Perspective.......2007-06-27
While I'm not a computer security specialist, by any means, nor do I even have a lot of in-depth knowledge regarding computers in general, I was surprised at how much I did understand, and also at the fact that I did learn quite a bit. The authors' intended audience obviously was not a neophyte such as myself, but even a beginner can find many aspects of computer security interesting and eye-opening. Stopping often to look up words and ideas that appeared Martian (to this super-neophyte), I laud the authors' clear and succinct writing style.
Nice look at Unix forensics!.......2006-09-01
I must admit that some parts of this book are "over my head". However, this book packs quite a punch with much insight into forensics and explanations that are detailed and accompanied by MANY practical examples. The authors do a fine job of making this book interesting and they actually keep it rather short (believe me, most books on the subject are). One possible flaw is that I'd probably prefer for it to have a bit more theory and a bit less practical examples.
Forensic Discovery is a great resource.......2005-07-04
I read forensic discovery last week on the plane home from San Francisco. After a few chapters I was hooked and could barely put it down to eat. This book is absolutely recommended for anyone at all interested in security concepts as well as system administrators or anyone who would need to understand the way that information exists and persists on computer systems.
More informative than books twice its size.......2005-05-17
This book is full of information on every single step involved in forensic incident response. I've had articles published on this same topic, and found this book informative above and beyond my prior research and industry experience. If you haven't had much IR experience on the UNIX side, you need this book.
Superb forensics book on evidence discovery.......2005-04-20
I enjoyed the book ("Forensic Discovery") since it came when I was preparing for my SANS forensics certification (GCFA). Obviously, the "household" names on the cover caught my attention as well. I used TCT and other tools created by the authors and thus my expectations for the book were pretty high. It did deliver! I picked up a whole lot of tidbits on file system forensics as well as malware and compromised system investigation. Unlike some other volumes, this book does not seek to be comprehensive; instead, it focuses on the fun things and focuses on them well.
In particular, I liked the authors' ideas and tips on the OOV (order of volatility) of evidence. While not new, they are extremely well-presented in the book. Other highly useful sections were the ones on time stamps and their analysis and file deletion analysis (with thorough analysis of the persistence of deleted files). I did not like the sections on malware analysis that much, likely because some other books go way more in-depth than this one (like, for example, Szor's recent book on viruses).
The book mostly covers Unix; Windows is also mentioned a couple of times.
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org
Amazon.com
Computer security is a crucial aspect of modern information management, and one of the latest buzzwords is incident response--detecting and reacting to security breaches. Computer Forensics offers information professionals a disciplined approach to implementing a comprehensive incident-response plan, with a focus on being able to detect intruders, discover what damage they did, and hopefully find out who they are.
There is little doubt that the authors are serious about cyberinvestigation. They advise companies to "treat every case like it will end up in court," and although this sounds extreme, it is good advice. Upon detecting a malicious attack on a system, many system administrators react instinctively. This often involves fixing the problem with minimal downtime, then providing the necessary incremental security to protect against an identical attack. The authors warn that this approach often contaminates evidence and makes it difficult to track the perpetrator. This book describes how to maximize system uptime while protecting the integrity of the "crime scene."
The bulk of Computer Forensics details the technical skills required to become an effective electronic sleuth, with an emphasis on providing a well-documented basis for a criminal investigation. The key to success is becoming a "white hat" hacker in order to combat the criminal "black hat" hackers. The message is clear: if you're not smart enough to break into someone else's system, you're probably not smart enough to catch someone breaking into your system. In this vein, the authors use a number of technical examples and encourage the readers to develop expertise in Unix/Linux and Windows NT fundamentals. They also provide an overview of a number of third-party tools, many of which can be used for both tracking hackers and to probe your own systems.
The authors explain their investigative techniques via a number of real-world anecdotes. It is striking that many of the same hacks detailed in Cliff Stoll's classic The Cuckoo's Egg are still in use over 10 years later--both on the criminal and investigative fronts. It is up to individual companies whether or not to pursue each attempted security violation as a potential criminal case, but Computer Forensics provides a strong argument to consider doing so. --Pete Ostenson
Topics covered: Overview of computer crime investigative response, including extensive descriptions of hacking techniques. Frequent examples are used to demonstrate how to extract evidence from a violated computer system. Appendices include sample incident-response forms.
Customer Reviews:
Computer Forensics.......2007-05-21
This book is good for those not familiar with computers. It keeps the material at a high level for the layman. Do not purchase if you are intending to receive in-depth, technical analysis and techniques for training as a professional investigator. If you are just trying to gain an overview of the topic, this book should fulfill your requirements. It does a good job of directing the reader to appropriate external resources and tools to perform the forensic tasks the book discusses.
Great for general computer forensics information.......2005-03-03
Computer Forensics, Incident Response Essentials, is a great book for two groups of people:
1) All computer forensics investigators looking for a better description of the process of collecting and analyzing data. The book provides great descriptions of the methods for maintaining chain of custody and storage. This is done through the use of example forms and scenarios. Since evidence handling principles are easily overlooked, this book seeks to provide pragmatic techniques for proper evidence preservation.
2) Someone interested in learning what computer forensics is about. This book is great at providing a high-level description of what computer forensics is used for and how it works. The book does not go into intricate detail on any one software package. Instead, it provides you with a great overview description of numerous software packages and tools. By doing this, the reader can attain a better understanding of what value computer forensics can provide. Since the field is relatively new, it is important for people to understand what computer forensics is capable of.
I highly recommend this book if you are just getting into the field, or if you are tired of reading books that continually tout EnCase as the only solution. This book is a critical addition to any computer forensic investigator's library.
Good Introduction to Computer Forensics Investigations.......2005-02-06
This book is a couple years old now, but the fundamentals remain essentially the same. Kruse and Heiser are seasoned experts in computer forensics and incident response and they have managed to boil down years of knowledge and experience into a format that is easy to read and understand. While security experts may not learn anything new from this book, those entering the field will find it invaluable. It is comprehensive and detailed while remaining easy to read. The foundation provided by reading and understanding this book can be used to move forward into more technical areas. Computer Forensics is not fluff by any means though and could easily be kept nearby as a handy reference for a computer forensic investigation.
(...)
Great book!.......2004-12-31
Very readable and interesting.
The authors really know what they are talking about.
Very complete........2003-10-03
This book presents, in very clear language, the essentials of the search for digital evidence. The cover is, moreover, very representative of the content: the forensic sciences, and in particular those relating to computers, are taking on ever greater importance.
Readers will find in the Guide du Cyberdétective, published by Editions Chiron, practical applications of these investigations in everyday life. The two works complement each other, although the latter currently exists only in French.