Digital Forensics with Open Source Tools,
Cory Altheide and Harlan Carvey
ISBN 978-1-56749-586-8. amazon.com USD 46.99. 46.99 USD. Table of Contents
Reviewed by Richard Austin Jul 17, 2011
It's sometimes said that the the cost of digital forensics inhibits adoption of the technology. While it is true that the proprietary, commercial tools can be quite pricey, this book reminds us that many important analysis tasks can be performed using Open Source tools.
In a brief 264 pages the authors present an excellent overview of how to perform common forensic tasks using solely Open Source tools. After a brief introductory chapter, the authors launch into building an analysis system capable of running the tools. While they do cover building a Windows system, this is very much a Linux-based book as many of the tools are only available for Linux-based systems. However, don't let your "Linux-Phobia" deter you as the authors provide good background, some clear examples and a lot of illustrations. They also get many kudos from your humble correspondent for using freely available forensic images (from Simson Garfinkel's "digital corpora", etc) so you can follow along and see the same results as shown in the book.
Having covered creation of the examination system, the next chapters cover disk/file system analysis, operating system artifacts, Internet artifacts and file analysis. The progression is logical and builds from the basics of sectors on a disk through the analysis of an email container file such as an Outlook folder (PST).
I am particularly impressed with how they chose to structure the split between platform and application artifacts. Many authors spend time duplicating (and mis-duplicating) material when an application (such as Firefox) can run on both Windows and Linux. Altheide and Carvey chose to cover the platforms (Windows, Linux and OS X) and then cover the application-related material separately. So in the chapter on file analysis, you will find discussion of zip files independent of whether the file was created on a Linux or Windows system.
The book concludes with a catch-all chapter that introduces some graphical environments and provides some excellent discussion on the advantages and perils of constructing timelines. An appendix covers some useful tools (FTK Imager, Case Notes, etc) that are not Open Source but are available at no cost.
Regardless of whether you are a system administrator curious about just how much of that CSI-stuff you can really do or an experienced forensic practitioner interested in what Open Source tools can offer, this book is a worthwhile read. The authors, both veterans from the trenchlines of incident response and digital forensics, select a useful set of Open Source forensic tools, consolidate the documentation normally scattered across dozens of man pages or project websites and provide solid tips and tricks of the trade in how they may be effectively used in practice. A minor frustration is the uneven level of detail with some topics being presented at the tutorial level (e.g., The Sleuth Kit) and others being more or less just recipes that list command-line options and show tool output. Perhaps a second edition will even out the coverage and make the book even more useful.