Computer Forensics. Incident Response Essentials
by Warren G. Kruse II and Jay G. Heiser
Addison-Wesley, 2002.
Index, Annotated Bibliography, 8 appendices. ISBN 0-201-70719-5. $39.99.

Reviewed by Robert Bruen, January 9, 2002


The field of computer forensics is coming into its own these days. It was always important to discover how someone broke into your machine, but now there is a greater need to find out who broke in and follow up with legal action. The follow-up action requires evidence, which in turn must meet much higher standards than most sysadmins are familiar with. In the old days we looked at logs and changed files to figure out what happened. Now we need to be very careful not to contaminate the disk, or even the cache (good luck), and to preserve the state of the disk. Moreover, once the disk has been designated as compromised, there is something called the chain of custody that is critical. If the disk is now evidence in a trial, there had better be a log of everyone who touched the disk; they ought to have been appropriate people, and they should have done nothing to alter the disk contents. A failure to do this could cause the case to be thrown out of court.

The chain of evidence is not the only new idea for sysadmins. There are other procedures that must be followed, as well as small bumps in the road that can cause major problems. The new demands of forensics are somewhat foreign to most techies, but this book can help you step through them. In general, the good techie will want to take a close look at the disk to see what has happened. Fortunately, there is a set of tools available, with more coming, to help with this. Kruse and Heiser provide URLs to many of them, along with explaining how they work.

The authors are coming at this from the point of view of cops who have learned how computers work, as opposed to computer guys who learned about investigation. This is not a criticism, but rather just a note to explain their approach. It is a good introductory text for anyone who wants to learn about computer forensics. If you are comfortable with systems operations, the book is a quick read. If you have never looked at a disk drive in raw mode, you will have to go a little slower.

The main topics addressed are using the net to track down an intruder, and disk and file analysis. They explain Unix systems for the Windows folks, and they cover the criminal justice system. For anyone who expects to handle a break-in incident, this book is something that ought to have been read in advance. The book is well organized, with a good number of illustrations. The tools presented are both free and commercial, which is helpful for getting started. They explain in detail how to use the tools that protect the disk contents while they are being copied, pointing out the obvious: one should work on a copy, not the evidence. This little mistake could easily ruin the whole process.
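The two points above, hashing the original before working on a copy and keeping a custody log of everyone who touched it, as an added example that is not from the book or the review. The file names, the "examiner A" entry and the sample drive contents are constructed for the demo; the hash-chained log format is an assumption, not a standard the book describes.

```python
import hashlib, json, os, shutil, tempfile

def sha256_file(path):
    """Hash in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def append_custody(log_path, examiner, action, item, digest):
    """Append one entry; 'prev' is the hash of the previous line, so any edit breaks the chain."""
    lines = open(log_path).read().splitlines() if os.path.exists(log_path) else []
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else "0" * 64
    entry = {"examiner": examiner, "action": action, "item": item, "sha256": digest, "prev": prev}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")

def verify_custody_log(log_path):
    """True only if every entry's 'prev' matches the hash of the line before it."""
    prev = "0" * 64
    for line in open(log_path).read().splitlines():
        if json.loads(line).get("prev") != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True

def acquire_image(evidence_path, image_path, log_path, examiner):
    """Hash the original, copy it once, and refuse the copy unless the hashes agree."""
    original = sha256_file(evidence_path)
    shutil.copyfile(evidence_path, image_path)
    if sha256_file(image_path) != original:
        raise RuntimeError("image hash differs from original: acquisition failed")
    append_custody(log_path, examiner, "acquired image", image_path, original)
    return original

def demo():
    """Constructed scenario: acquire, verify, then show both checks catching tampering."""
    work = tempfile.mkdtemp()
    evidence, image, log = (os.path.join(work, n) for n in ("drive.raw", "drive.img", "custody.log"))
    with open(evidence, "wb") as f:                     # stand-in for the seized drive
        f.write(b"constructed sample sector\x00" * 2048)
    digest = acquire_image(evidence, image, log, "examiner A")
    clean = sha256_file(image) == digest and verify_custody_log(log)
    with open(image, "r+b") as f:                       # one byte changed on the working copy
        f.write(b"X")
    open(log, "a").write(json.dumps({"examiner": "?", "prev": "forged"}) + "\n")  # unchained entry
    result = {"clean": clean, "copy_still_matches": sha256_file(image) == digest,
              "log_still_valid": verify_custody_log(log)}
    shutil.rmtree(work)
    return result
```

The same hash comparison applies to a real image taken with dd or a write-blocked acquisition tool: record the original's hash before imaging, and re-verify the working copy before and after each analysis session.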

I liked the book; it is a bit elementary in the technical sense, but helpful in its organization and in the information on the legal aspects. One more book the security professional ought to read.