This book is a great blend of practical, ready-to-use knowledge and theory. Well-known tools of the trade are described, along with the corresponding background information, which adds up to an exciting and valuable read.
Of course, the authors are not strangers to interested readers: Farmer is well known, as the author of numerous programs and papers on security, while Venema has written very well-known and appreciated software, such as the transmission control protocol (TCP) wrapper, and the Postfix mail system. In fact, this book isn’t the authors’ first collaboration; they are responsible for famous projects like the Coroner’s Toolkit (TCT, 2000), a forensic toolkit, and the Security Administrator Tool for Analyzing Networks (SATAN, 1995), the first product of its kind for penetration testing (its idea lives on in amazing products like Nessus, Nmap, and Retina).
The book starts off with an introduction to the art of computer forensics, and then gets right down to the nitty-gritty, which is, surprisingly, in chapter 2. The emphasis the authors place on the extensive discussion of MACtimes will give readers an idea of just how fundamental the aspect of time is in forensic investigations. The book continues with file system basics, and then provides some in-depth analysis. The notorious rootkits are discussed, and information is provided about processes and memory. Very specific details on subjects like encryption are also discussed.
A basic knowledge of computers, operating systems, networking, and file systems is assumed, since the authors dig deep into the bowels of different operating systems. The book is definitely not targeted at novices. It clearly emphasizes Unix-based operating systems, and includes examples for Solaris, FreeBSD, and Linux throughout; Microsoft Windows makes only a few cameo appearances (though these are presented with the same depth as the rest of the material). It is unclear whether this focus on Unix is based on the relevance of Unix-based systems as safe environments used by forensic investigators, the percentage of such machines among computers that are subject to an investigation, or just the personal preferences of the authors, though this latter reason seems most likely.
The book is aimed at readers interested in the inner workings of computers and operating systems; even Unix administrators will have to read it twice so they don’t miss any important facts. The work is intended for people who want to gain a deeper understanding of computer systems, or who have to apply forensic techniques themselves. Administrators with a strong interest in the machines they work with on a daily basis will benefit greatly as well.
What distinguishes this book from other books is the authors’ practical background. A unique feature is the creative statistical observations; where else can you read about experiments on the half-life of deleted data on running systems, or the persistence of data and files in memory, all clearly laid out in easy-to-understand diagrams? Farmer and Venema come up with exciting real-world examples, which definitely make this book worth reading, and worth your money.
I would like to thank Benjamin Böck, who provided substantial support in writing this review.