Real Digital Forensics
Review by Jim DuWaldt, a member of the North Orange
County Computer Club, California
www.noccc.org
editor(at)noccc.org
Obtained from APCUG with the author's permission for
publication by APCUG member groups.
About the authors: Keith L. Jones leads the computer
forensics and electronic evidence discovery practices at Red Cliff Consulting.
Richard Bejtlich is the founder of TaoSecurity, a network security monitoring
consultancy. Curtis W. Rose provides support to criminal investigations and
civil litigation as an executive vice president at Red Cliff Consulting.
This book (with included DVD) intends to teach
Computer Forensics for both Windows and Linux systems, that is, gathering
evidence from infected machines and the network they operate in so that the
intended victim can effectively react to a successful penetration.
Or, to quote the book: "...give new forensic
investigators more than words to learn new skills." "We use the same
tools attackers use... the same methods rogue employees make... [collect] the
same media we typically collect...this book takes a practical, hands-on
approach to solving problems...[with] techniques you can employ
immediately."
The clear implication is that the book is aimed at
the inexperienced practitioner. As usual, TCP/IP knowledge is a good
idea. There is one startling oddity: to use one of the tools you need to
alter your kernel! From pg. 208: "Please download and install the
NASA-enhanced kernel..." This takes more than just a beginner's skill!
The context for the procedures is provided by five
scenarios which are a mix of internal and external threats as seen from the
point of view of admins or law enforcement. As the techniques are
presented, it is explained how they might be applied to these scenarios, as
opposed to stepping through the scenarios and describing the methods.
Richard Bejtlich's books usually focus on evidence
gathered by network monitoring. Instead, Part I ("Live Incident
Response") begins with host-focused procedures for both Windows and Linux
(one chapter for each). Live Response techniques invoke a series of
programs on the suspect machine in order to gather "volatile data,"
that is, system state that will not survive a reboot or
shutdown. This explanation is entirely suitable for creating your
own Live Response software and procedures.
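As an added example (not code from the book or its DVD), here is a minimal POSIX shell Live Response collector in the spirit of Part I: it runs a fixed list of tools in volatility order, preferring trusted copies from a directory you supply, records each tool's exit status, and writes a SHA-256 manifest so the collected output can be verified afterwards. The tool list, the directory arguments and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: a minimal Linux Live Response collector.
# Assumptions: $1 is a case directory on removable media (never on the suspect
# disk) and optional $2 is a directory of trusted tool copies (e.g. a response CD).

# Steps in volatility order, "name:command", memory-resident state first.
LR_STEPS="date:date -u
uptime:uptime
ps:ps -ef
netstat:netstat -anp
ss:ss -tulpan
lsof:lsof -n
who:who
mount:mount
lsmod:lsmod
env:env"

lr_hash() {  # print SHA-256 of file $1 (cksum fallback if coreutils is missing)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else cksum "$1" | cut -d' ' -f1; fi
}

lr_collect() {  # $1 = case output dir, $2 = optional trusted tool dir
  out="$1"
  mkdir -p "$out" || return 1
  if [ -n "${2:-}" ]; then PATH="$2:$PATH"; export PATH; fi
  : > "$out/manifest.txt"
  printf '%s\n' "$LR_STEPS" | while IFS=: read -r name cmd; do
    f="$out/$name.txt"; rc=0
    set -- $cmd                     # word-split "ps -ef" into argv
    if command -v "$1" >/dev/null 2>&1; then
      "$@" > "$f" 2> "$f.err" || rc=$?
    else
      printf 'tool not available: %s\n' "$1" > "$f"; rc=127
    fi
    # manifest line: utc-timestamp step exit-code sha256; the hash lets a
    # reviewer prove the output was not altered after collection
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$rc" \
      "$(lr_hash "$f")" >> "$out/manifest.txt"
  done
}

lr_verify() {  # $1 = case dir; recompute every hash, return 1 on any mismatch
  status=0
  while read -r ts name rc hash; do
    [ "$(lr_hash "$1/$name.txt")" = "$hash" ] || { echo "MISMATCH: $name" >&2; status=1; }
  done < "$1/manifest.txt"
  return "$status"
}
```

Run it as `lr_collect /media/case001 /media/responsecd/bin` on the suspect host, then `lr_verify /media/case001` on the analysis workstation before looking at any of the output.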
Networks return to the center of attention in Part II
("Network-Based Forensics"). There is a brief but well-done review of
the types of data (Full Content, Session, Statistical, and Alert Data) that
should be collected and the software to collect them (Tcpdump, Snort, and many
others) as well as the five steps of intrusion (recon, exploitation,
reinforcement, consolidation, and "pillage"). A Cop/Drug Ring
analogy is employed to describe these four data types which, given the
popularity of CSI, might be good for rank beginners but will be less useful to
anyone with more experience. This section also has separate chapters on
analysis of the information for Windows and *NIX machines.
Part III ("Acquiring a Forensic
Duplication") presents open and closed tools for the forensic cloning of a
suspect disk, regardless of the operating system. Its chapter on legal
paperwork is very efficient but it would be great if the authors had photos or
illustrations of what they use, if only as an example. The material on
disk duplication, on the other hand, has lots of excellent photos and screen
shots for both the commercial (EnCase and FTK) and open source products (DD,
DD_resume, DCFLDD and NED).
Part IV (Forensic Analysis Techniques) shows you what
to do with your new disk image. Methods for disk analysis begin with
looking for and recovering deleted files, what to do when that is not possible,
discerning strings of interest from NBE (Network-Based Evidence) and Live
Response findings (like the name of an executable) and searching the disk for
them.
This is followed by techniques for reconstructing
emails (even Outlook and Outlook Express proprietary formats can be analyzed by
open source tools), pages visited while web browsing including reconstructing
emails sent with web clients, and the examination of the Windows Registry (good
for finding recently-accessed documents or evidence of programs subsequently
deleted).
(Currently only commercial applications are available
for analyzing the Registry, which is odd, considering that scripting languages,
like Python for example, have Registry access libraries.)
Multiple chapters focus on examining unknown files to
determine their use, with an emphasis on Microsoft-formatted documents and on
the examination of unknown Windows and *NIX executables. This includes
static analysis with tools like strings.exe and hexWorkshop and disassemblers
like IDA to discover system calls or modify a binary file in order to, for
example, bypass password security. Missing are instructions on using a
product like VMware to set up a virtual machine environment for protecting the
rest of the system from the foreign executable; they only mention that you
*should* use something like VMware when in fact it is vitally important to do
so or you could wind up with yet another infected computer!
Part V ("Creating a Complete Forensic
Toolkit") succinctly describes creating CDs for a Live Response toolkit.
(But, why not do this in the first part of the book?) It also describes
the use of a Knoppix disk which allows you to examine a suspect system without
having to boot it from its (possibly) contaminated disk or be concerned about
your 'clean' OS being cleverly contaminated by a suspect hard drive.
Part VI ("Mobile Device Forensics")
describes gleaning and examining data from PDAs like Palms and iPaqs (with
additional information about how they manage memory and how to access internal
debugging consoles), USB and CF drives. Forensic examination of USB/CF
devices using a loopback is well illustrated and an example of recovering a
deleted file is shown. The chapters also illustrate that, while some PDAs
have good forensic tools available (like later Palms and iPaqs), the earlier
ones do not: sifting through evidence on a Palm III, for example, is limited to
hex and string searches.
Part VII ("Online-Based Forensics")
presents methods for determining where an email originated from via header
examination, and how determined users could cover their tracks. Finally,
they leverage searching for DNS records into a lesson on manipulating the
entire VeriSign TLD (Top Level Domain) file in a large (100GB+) Postgres
database, allowing them to find all DNS names owned by, in their example, the
company Foundstone.
My only complaints about the book are the sudden
request to change the kernel and a failure to put front and center the
necessity of using a virtual machine environment before executing potentially
hazardous code.
Otherwise it was a typical Bejtlich security book (no
offense to the other authors), containing the basis for immediately creating
Standard Operating Procedures, in particular for Live Response, proper forensic
documentation, and creating forensic-compliant duplicate drives. It
definitely has a place on my security bookshelf, alongside The Tao of Network
Security and Extrusion Detection.
The book is published by Addison-Wesley
(http://www.awprofessional.com/bookstore/product.asp?isbn=0321240693&rl=1),
ISBN 0-321-24069-3, and lists for $55. User group members can get a 30%
discount if their group belongs to the UG program; it sells for $34.64 at
Amazon.com (new).
This article has been provided to
APCUG by the author solely for publication by APCUG member groups. All other
uses require the permission of the author (see e-mail address above).