Forensic Discovery (Hardcover)

Dan Farmer, Wietse Venema

  • 出版商: Addison Wesley
  • 出版日期: 2005-01-09
  • 定價: $1,650
  • 售價: 9.0$1,485
  • 語言: 英文
  • 頁數: 240
  • 裝訂: Hardcover
  • ISBN: 020163497X
  • ISBN-13: 9780201634976
  • 相關分類: 資訊安全Computer-networks
  • 立即出貨(限量)

買這商品的人也買了...

商品描述

Description:

"Don't look now, but your fingerprints are all over the cover of this book. Simply picking it up off the shelf to read the cover has left a trail of evidence that you were here.

    "If you think book covers are bad, computers are worse. Every time you use a computer, you leave elephant-sized tracks all over it. As Dan and Wietse show, even people trying to be sneaky leave evidence all over, sometimes in surprising places.

    "This book is about computer archeology. It's about finding out what might have been based on what is left behind. So pick up a tool and dig in. There's plenty to learn from these masters of computer security."
   --Gary McGraw, Ph.D., CTO, Cigital, coauthor of Exploiting Software and Building Secure Software

"A wonderful book. Beyond its obvious uses, it also teaches a great deal about operating system internals."
   --Steve Bellovin, coauthor of Firewalls and Internet Security, Second Edition, and Columbia University professor

"A must-have reference book for anyone doing computer forensics. Dan and Wietse have done an excellent job of taking the guesswork out of a difficult topic."
   --Brad Powell, chief security architect, Sun Microsystems, Inc.

"Farmer and Venema provide the essential guide to 'fossil' data. Not only do they clearly describe what you can find during a forensic investigation, they also provide research found nowhere else about how long data remains on disk and in memory. If you ever expect to look at an exploited system, I highly recommend reading this book."
   --Rik Farrow, Consultant, author of Internet Security for Home and Office

"Farmer and Venema do for digital archaeology what Indiana Jones did for historical archaeology. Forensic Discovery unearths hidden treasures in enlightening and entertaining ways, showing how a time-centric approach to computer forensics reveals even the cleverest intruder."
   --Richard Bejtlich, technical director, ManTech CFIA, and author of The Tao of Network Security Monitoring

"Farmer and Venema are 'hackers' of the old school: They delight in understanding computers at every level and finding new ways to apply existing information and tools to the solution of complex problems."
   --Muffy Barkocy, Senior Web Developer, Shopping.com

"This book presents digital forensics from a unique perspective because it examines the systems that create digital evidence in addition to the techniques used to find it. I would recommend this book to anyone interested in learning more about digital evidence from UNIX systems."
   --Brian Carrier, digital forensics researcher, and author of File System Forensic Analysis

The Definitive Guide to Computer Forensics: Theory and Hands-On Practice

Computer forensics--the art and science of gathering and analyzing digital evidence, reconstructing data and attacks, and tracking perpetrators--is becoming ever more important as IT and law enforcement professionals face an epidemic in computer crime. In Forensic Discovery, two internationally recognized experts present a thorough and realistic guide to the subject.

Dan Farmer and Wietse Venema cover both theory and hands-on practice, introducing a powerful approach that can often recover evidence considered lost forever.

The authors draw on their extensive firsthand experience to cover everything from file systems, to memory and kernel hacks, to malware. They expose a wide variety of computer forensics myths that often stand in the way of success. Readers will find extensive examples from Solaris, FreeBSD, Linux, and Microsoft Windows, as well as practical guidance for writing one's own forensic tools. The authors are singularly well-qualified to write this book: They personally created some of the most popular security tools ever written, from the legendary SATAN network scanner to the powerful Coroner's Toolkit for analyzing UNIX break-ins.

After reading this book you will be able to

  • Understand essential forensics concepts: volatility, layering, and trust
  • Gather the maximum amount of reliable evidence from a running system
  • Recover partially destroyed information--and make sense of it
  • Timeline your system: understand what really happened when
  • Uncover secret changes to everything from system utilities to kernel modules
  • Avoid cover-ups and evidence traps set by intruders
  • Identify the digital footprints associated with suspicious activity
  • Understand file systems from a forensic analyst's point of view
  • Analyze malware--without giving it a chance to escape
  • Capture and examine the contents of main memory on running systems
  • Walk through the unraveling of an intrusion, one step at a time

The book's companion Web site contains complete source and binary code for open source software discussed in the book, plus additional computer forensics case studies and resource links.

 

 

Table of Contents:

Preface.

About the Authors.

I. BASIC CONCEPTS.

1. The Spirit of Forensic Discovery.

    Introduction.

    Unusual Activity Stands Out.

    The Order of Volatility (OOV).

    Layers and Illusions.

    The Trustworthiness of Information.

    The Fossilization of Deleted Information.

    Archaeology vs. Geology.

2. Time Machines.

    Introduction.

    The First Signs of Trouble.

    What's Up, MAC? An Introduction to MACtimes.

    Limitations of MACtimes.

    Argus: Shedding Additional Light on the Situation.

    Panning for Gold: Looking for Time in Unusual Places.

    DNS and Time.

    Journaling File Systems and MACtimes.

    The Foibles of Time.

    Conclusion.

II. EXPLORING SYSTEM ABSTRACTIONS.

3. File System Basics.

    Introduction.

    An Alphabet Soup of File Systems.

    UNIX File Organization.

    UNIX File Names.

    UNIX Pathnames.

    UNIX File Types.

    A First Look Under the Hood: File System Internals.

    UNIX File System Layout.

    I've Got You Under My Skin: Delving into the File System.

    The Twilight Zone, or Dangers Below the File System Interface.

    Conclusion.

4. File System Analysis.

    Introduction.

    First Contact.

    Preparing the Victim's File System for Analysis.

    Capturing the Victim's File System Information.

    Sending a Disk Image Across the Network.

    Mounting Disk Images on an Analysis Machine.

    Existing File MACtimes.

    Detailed Analysis of Existing Files.

    Wrapping Up the Existing File Analysis.

    Intermezzo: What Happens When a File Is Deleted?

    Deleted File MACtimes.

    Detailed Analysis of Deleted Files.

    Exposing Out-of-Place Files by Their Inode Number.

    Tracing a Deleted File Back to Its Original Location.

    Tracing a Deleted File Back by Its Inode Number.

    Another Lost Son Comes Back Home.

    Loss of Innocence.

    Conclusion.

5. Systems and Subversion.

    Introduction.

    The Standard Computer System Architecture.

    The UNIX System Life Cycle, from Start-up to Shutdown.

    Case Study: System Start-up Complexity.

    Kernel Configuration Mechanisms.

    Protecting Forensic Information with Kernel Security Levels.

    Typical Process and System Status Tools.

    How Process and System Status Tools Work.

    Limitations of Process and System Status Tools.

    Subversion with Rootkit Software.

    Command-Level Subversion.

    Command-Level Evasion and Detection.

    Library-Level Subversion.

    Kernel-Level Subversion.

    Kernel Rootkit Installation.

    Kernel Rootkit Operation.

    Kernel Rootkit Detection and Evasion.

    Conclusion.

6. Malware Analysis Basics.

    Introduction.

    The Dangers of Dynamic Program Analysis.

    Program Confinement with Hard Virtual Machines.

    Program Confinement with Soft Virtual Machines.

    The Dangers of Confinement with Soft Virtual Machines.

    Program Confinement with Jails and chroot().

    Dynamic Analysis with System-Call Monitors.

    Program Confinement with System-Call Censors.

    Program Confinement with System-Call Spoofing.

    The Dangers of Confinement with System Calls.

    Dynamic Analysis with Library-Call Monitors.

    Program Confinement with Library Calls.

    The Dangers of Confinement with Library Calls.

    Dynamic Analysis at the Machine-Instruction Level.

    Static Analysis and Reverse Engineering.

    Small Programs Can Have Many Problems.

    Malware Analysis Countermeasures.

    Conclusion.

III. BEYOND THE ABSTRACTIONS.

7. The Persistence of Deleted File Information.

    Introduction.

    Examples of Deleted Information Persistence.

    Measuring the Persistence of Deleted File Contents.

    Measuring the Persistence of Deleted File MACtimes.

    The Brute-Force Persistence of Deleted File MACtimes.

    The Long-Term Persistence of Deleted File MACtimes.

    The Impact of User Activity on Deleted File MACtimes.

    The Trustworthiness of Deleted File Information.

    Why Deleted File Information Can Survive Intact.

    Conclusion.

8. Beyond Processes.

    Introduction.

    The Basics of Virtual Memory.

    The Basics of Memory Pages.

    Files and Memory Pages.

    Anonymous Memory Pages.

    Capturing Memory.

    The savecore Command.

    Static Analysis: Recognizing Memory from Files.

    Recovering Encrypted File Contents Without Keys.

    File System Blocks vs. Memory Page Technique.

    Recognizing Files in Memory.

    Dynamic Analysis: The Persistence of Data in Memory.

    File Persistence in Memory.

    The Persistence of Nonfile, or Anonymous, Data.

    Swap Persistence.

    The Persistence of Memory Through the Boot Process.

    The Trustworthiness and Tenacity of Memory Data.

    Conclusion.

Appendix A. The Coroner's Toolkit and Related Software.

    Introduction.

    Data Gathering with grave-robber.

    Time Analysis with mactime.

    File Reconstruction with lazarus.

    Low-Level File System Utilities.

    Low-Level Memory Utilities.

Appendix B. Data Gathering and the Order of Volatility.

    Introduction.

    The Basics of Volatility.

    The State of the Art.

    How to Freeze a Computer.

    Conclusion.

References.

Index.

商品描述(中文翻譯)

描述:
不要再看了,你的指紋已經留在這本書的封面上了。只是從書架上拿起來看封面就已經留下了你在這裡的痕跡。如果你覺得書的封面糟糕,那麼電腦更糟糕。每次使用電腦,你都會在上面留下大象般的蹤跡。正如Dan和Wietse所展示的,即使是試圖偷偷摸摸的人也會在各個地方留下證據,有時候還會出乎意料地留下證據。這本書是關於電腦考古學的。它是關於根據留下的痕跡找出可能存在的東西。所以拿起工具,開始挖掘吧。從這些電腦安全大師身上,你可以學到很多東西。-Gary McGraw博士,Cigital的CTO,Exploiting Software和Building Secure Software的合著者。

一本很棒的書。除了明顯的用途外,它還教授了很多關於操作系統內部的知識。-Steve Bellovin,Firewalls and Internet Security, Second Edition的合著者,哥倫比亞大學教授。

對於從事電腦取證的人來說,這是一本必備的參考書。Dan和Wietse在一個困難的主題上做得非常出色,消除了猜測的困惑。-Brad Powell,Sun Microsystems的首席安全架構師。

Farmer和Venema提供了關於“化石”數據的基本指南。他們不僅清楚地描述了在取證調查中可以找到什麼,還提供了其他地方找不到的關於數據在磁盤和內存中存留多長時間的研究。如果你曾經期望查看一個被入侵的系統,我強烈推薦閱讀這本書。-Rik Farrow,顧問,Internet Security for Home and Office的作者。

Farmer和Venema對於數字考古學所做的工作,就像印第安納·瓊斯對於歷史考古學所做的工作一樣。Forensic Discovery以啟發人心和娛樂性的方式揭示了隱藏的寶藏,展示了一種以時間為中心的電腦取證方法如何揭示出最聰明的入侵者。-Richard Bejtlich,ManTech CFIA的技術總監,The Tao of Network Security Monitoring的作者。

Farmer和Venema是老派的“駭客”:他們喜歡從各個層面理解計算機,並找到應用現有信息和工具解決複雜問題的新方法。-Muffy Barkocy,Shopping.com的高級網絡開發人員。

這本書從一個獨特的角度介紹了數字取證,因為它不僅考察了創建數字證據的系統,還介紹了尋找數字證據的技術。我推薦這本書給任何對從UNIX系統中獲取數字證據感興趣的人。-Brian Carrier,數字取證研究員,File System Forensic Analysis的作者。

電腦取證的權威指南:理論與實踐。

電腦取證是收集和分析數字證據、重建數據和攻擊、追蹤犯罪者的藝術和科學,隨著IT和執法專業人員面臨電腦犯罪的流行,它變得越來越重要。在Forensic Discovery中,兩位國際知名的專家提供了實用的指南,幫助讀者掌握電腦取證的技巧和理論。