
Forensic Discovery

Posted by timothy on Tue Jan 18, 2005 06:10 PM
from the big-fat-y-incision dept.
Ben Rothke writes "When most people think of forensics, television shows like Quincy and CSI come to mind. Where such shows deviate from reality is the unrealistic speed at which the actors are able to identify, apprehend and prosecute the perpetrators. In the real world (unlike television, where the crime must be solved by the end of the family hour), crimes are solved with slow, deliberate and methodical steps. The prodigious incidence of digital crime has elevated computer forensics to a critical role within the field of information security. The focus of computer forensics is twofold: first is the attempt to determine whether a breach has occurred and to stop the perpetrator; second is prosecution of the offender, if the breach was a criminal activity." Read on for Rothke's review of Forensic Discovery.
Title: Forensic Discovery
Author: Dan Farmer & Wietse Venema
Pages: 198
Publisher: Addison Wesley Professional
Rating: 10
Reviewer: Ben Rothke
ISBN: 020163497X
Summary: Forensic Discovery overview

Security luminaries Dan Farmer and Wietse Venema wrote one of the first vulnerability scanners (SATAN) almost 10 years ago; SATAN was the precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known security applications as the TCP Wrapper program and the Postfix mail server. Farmer and Venema's new book Forensic Discovery is a valuable book that grounds a computer-savvy reader in the world of digital forensics.

An image of a pipe by artist René Magritte is on the cover with the caption "Ceci n'est pas une pipe" ("This is not a pipe"). The picture demonstrates that an object exists on many planes; the simple recognition of the picture initiates the belief that we are seeing something, but it is only known in representation. Surrealist painting and digital forensics coalesce in that the digital forensic investigator must think broadly and unconventionally in order to reconstruct an incident, all the time keeping in mind that what initially seems obvious is often neither real nor correct.

The material in the book is an outgrowth of a one-time seminar the authors gave in 1999 on digital forensics and analysis. At the seminar, Farmer and Venema rolled out The Coroner's Toolkit (TCT), a collection of tools for gathering and analyzing forensic data on a Unix system. TCT is heavily referenced throughout the book.

The book initially seems thin, at just 198 pages, but there is no filler and the information is presented in a fast and furious manner. Part one of the book comprises 35 pages and is an introduction to the foundations of digital forensics and what to look for in a digital investigation.

Part two (chapters 3-6) is the nucleus of the book, which quickly gets into low-level details about file systems and operating system environments. While other forensics books focus exclusively on the discovery and gathering of data, Forensic Discovery adds needed insight on how to judge the trustworthiness of the observation and of the data itself. Again, the idea is that not everything is as obvious as it may initially seem. An effective investigation often requires intense analysis, where meaningful conclusions take time.

Chapter 4, "File System Analysis," notes that while computers have significantly evolved since their inception, little has changed in the last 30 years in the way that file systems actually handle data.

Chapter 5, "Systems and Subversion," is particularly interesting as it deals with system startup and shutdown from a forensics perspective. The chapter shows that there are thousands of possible opportunities to subvert the integrity of a system during startup and shutdown without directly changing a file. A crucial decision that must be made during an incident is whether to shut down the system or let it remain on-line. There are advantages and disadvantages to each approach, and the book details them.

Part three (chapters 7-8) is about the persistence of deleted file information. The authors' research reveals that data can be quite resistant to destruction. The book shows that a huge amount of data and metadata can survive intended deletion as well as accidental damage.

Forensic Discovery is unusual in that other books on forensics are often nothing more than checklists and step-by-step instructions on what to do during an incident. Forensic Discovery provides a broad framework on the nature of data and how it can be recovered for forensic purposes. By understanding the underlying operating system, the act of analyzing and dealing with a security breach becomes much easier.

The book's target reader is anyone who wants to deepen his understanding of how computer systems work, as well as anyone who is likely to become involved with the technical aspects of computer intrusion or system analysis. The topics are too advanced to make it the right book for the novice system administrator. For the technical reader, though, Forensic Discovery is one of the best computer security books published in the last year. The value of the information is immense, and the extensive experience that the authors bring is unmatched.


  • huh!? (Score:4, Funny)

    by Turn-X Alphonse (789240) on Tuesday January 18 2005, @06:14PM (#11402379)
    (Last Journal: Sunday September 19 2004, @10:03PM)
    So crimes aren't solved by old ladies finding a lipstick, some shoes and avoiding being shot!? That's it! I'm never donating to "Help the aged" again!
  • Nice going... (Score:4, Funny)

    by lightspawn (155347) on Tuesday January 18 2005, @06:16PM (#11402401)
    (http://domain.broken...registrar.joker.com/)
    Where such shows deviate from reality is the unrealistic speed at which the actors are able to identify, apprehend and prosecute the perpetrators. In the real world, (unlike television, where the crime must be solved by the end of the family hour), crimes are solved with slow, deliberate and methodical steps.

    Great. Now the criminals know they probably won't be caught. Good job!
  • Quincy!?! (Score:4, Funny)

    by FuturePastNow (836765) on Tuesday January 18 2005, @06:17PM (#11402417)
    Quincy, M.E.? I was two years old* when that show went off the air. Raise your hands, Slashdotters, how many of you think of Quincy when you think of forensics?

    *http://us.imdb.com/title/tt0074042/ [imdb.com]
    • Re:Quincy!?! by AceCaseOR (Score:2) Tuesday January 18 2005, @06:19PM
      • Re:Quincy!?! by eln (Score:2) Tuesday January 18 2005, @06:27PM
      • Re:Quincy!?! (Score:5, Informative)

        by Wanker (17907) * on Tuesday January 18 2005, @06:43PM (#11402650)
        CSI is laughable in how little it reflects reality. If you want a more realistic TV-based view on forensics, try the Discovery channel show "The New Detectives". It's still going to gloss over a LOT of details (it's TV) but rarely do they present something patently wrong as fact, as happens all the time on CSI.

        For more info on CSI's lack of attention to detail try this site:

        http://www.angelfire.com.nyud.net:8090/jazz/jboze3 131/csifacts.htm [nyud.net]

        • Re:Quincy!?! by AceCaseOR (Score:3) Tuesday January 18 2005, @06:51PM
        • Re:Quincy!?! by berzerke (Score:2) Wednesday January 19 2005, @11:35AM
    • Re:Quincy!?! by Blue-Footed Boobie (Score:2) Tuesday January 18 2005, @06:20PM
    • Re:Quincy!?! by Saeed al-Sahaf (Score:2) Tuesday January 18 2005, @06:23PM
    • Re:Quincy!?! by temojen (Score:2) Tuesday January 18 2005, @06:25PM
      • Re:Quincy!?! by AceCaseOR (Score:2) Tuesday January 18 2005, @06:27PM
        • Re:Quincy!?! by temojen (Score:2) Tuesday January 18 2005, @07:13PM
          • Re:Quincy!?! by PriceIke (Score:2) Tuesday January 18 2005, @09:38PM
    • Re:Quincy!?! by Turn-X Alphonse (Score:2) Tuesday January 18 2005, @06:30PM
    • Hand raised.... by imsabbel (Score:2) Tuesday January 18 2005, @06:39PM
    • Re:Quincy!?! by thempstead (Score:1) Wednesday January 19 2005, @03:23AM
    • Re:Quincy!?! by Kolisar (Score:1) Wednesday January 19 2005, @12:25PM
  • Computer forensics (Score:5, Interesting)

    by Anonymous Coward on Tuesday January 18 2005, @06:24PM (#11402471)

    I met a young, single woman who did computer forensics for the police. She told me over dinner that while she thought her work was important, it caused her a lot of stress in her life. She said there were many times where she recovered images from the computer of a sex criminal that were really indescribable.

    She was really good looking and had a body that you normally don't find on a girl geek. But, man, I wasn't about to start dating some chick who comes home from work sobbing from prowling through gigabytes of violent sexual jpegs and avis. I guess that's why someone so damn good looking and smart was still single...

    • Re:Computer forensics (Score:4, Funny)

      by djward (251728) on Tuesday January 18 2005, @06:32PM (#11402559)
      Sounds like she needs some consoling. And I think I know just the man for the job.

      You still got her number?
      • In all seriousness... (Score:5, Interesting)

        by Anonymous Coward on Tuesday January 18 2005, @06:51PM (#11402719)

        Sounds like she needs some consoling.

        Well, it was that "some" in "some consoling" that I wasn't sure about. How much? She's telling me on the first date that she's under tremendous stress. I appreciate her honesty and respect her for that but I suspect that if she feels the need to divulge that on a first date, the level of consoling is likely to be more than "some". That's what I was worried about. To be dating a girl with a face and a body like that who knows her way around computers like a pro and who is doing a job that is clearly a service to mankind sounds like a geek's wildest dreams come true. But therein lies the problem: this is the kind of girl who most of us would fall head-over-heels for. I was afraid of getting really wrapped up in her and then having to endure the heartache of having her crying in my arms once a week or more. Or having her push me away in bed because she had seen something at work that had turned her off of sex for the next two weeks. You can call me an ass or a dumbshit but seriously think about it for a moment. This was going to be a major emotional roller-coaster for me.

        I'm reminded of some poor sap here on slashdot who was telling us what it's really like to have a nympho girlfriend. It sounds great until you are presented with the reality of the situation, namely, that she absolutely needed sex every time he put his arm around her. Look, I still think that woman I dated was very desirable on many, many levels but I also think I did the right thing by stopping that relationship before I got sucked into her work as well.

    • Re:Computer forensics by IWantMoreSpamPlease (Score:2) Tuesday January 18 2005, @09:25PM
    • How to deal with "pictures." (Score:4, Interesting)

      by Raindeer (104129) on Wednesday January 19 2005, @01:45AM (#11405544)
      (http://lunaticthought.blogspot.com/ | Last Journal: Wednesday March 07 2007, @06:16AM)
      The Dutch police have a huge database of all kinds of (child pornography) pictures. Of each picture they have a hash. When they confiscate the pc of somebody who is suspected of having child pornography, the first thing they do is run the hashes against the pictures on the system. This saves them from having to look at all those pictures; they can now focus on the unknown ones. Great thing is also that the hashes are admissible in Court as evidence.

      • Hashes by phorm (Score:2) Wednesday January 19 2005, @11:47AM
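The hash-set triage that Raindeer's comment describes, as an added example (this is not code from the page or from any police tool): a reference set of known-file hashes is built once, every file on the evidence drive is hashed, and the examiner only has to look at files whose hash is not in the set. The sample files are constructed in a temporary directory; SHA-256 is an assumption, since the comment does not say which hash algorithm is used.

```python
"""Hash-set triage: split evidence files into known (hash matches the reference
set) and unknown (needs manual review). Added example, constructed data."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files never have to fit in memory


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of one file (assumed algorithm; the page names none)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_set(reference_dir: Path) -> dict[str, str]:
    """Map hash -> reference filename for every regular file under reference_dir."""
    return {sha256_file(p): p.name for p in sorted(reference_dir.rglob("*")) if p.is_file()}


def triage(evidence_dir: Path, known: dict[str, str]) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (matches, unknown). matches holds (evidence path, reference name) pairs;
    unknown holds evidence paths nobody has catalogued yet, i.e. the review backlog."""
    matches, unknown = [], []
    for p in sorted(evidence_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(evidence_dir))
        digest = sha256_file(p)
        if digest in known:
            matches.append((rel, known[digest]))
        else:
            unknown.append(rel)
    return matches, unknown


def demo() -> tuple[list[tuple[str, str]], list[str]]:
    """Constructed scenario: two catalogued files; one reappears on the evidence
    drive under a new name, one reappears with a single byte changed."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "reference"
        ev = Path(tmp) / "evidence"
        ref.mkdir()
        (ev / "DCIM").mkdir(parents=True)
        (ref / "known_a.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed image A")
        (ref / "known_b.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed image B")
        # Renaming or moving a file does not change its content hash, so this one matches...
        (ev / "DCIM" / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed image A")
        # ...but a one-byte change (re-encode, resize, crop) produces a new hash, so this
        # one lands in the unknown pile and still has to be looked at by a person.
        (ev / "DCIM" / "IMG_0002.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed image b")
        (ev / "notes.txt").write_bytes(b"unrelated text")
        return triage(ev, build_hash_set(ref))
```

The two limits worth keeping in mind: a cryptographic hash only matches byte-identical files, so any re-encoded copy escapes the set and stays in the manual backlog, and the match itself proves only that the bytes are identical to a catalogued file, which is why the hash list, not the images, is what ends up in court.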
  • by SteelV (839704) on Tuesday January 18 2005, @06:24PM (#11402473)
    (http://jamesfreedman.net/)
    It is based on a true story isn't it? Isn't it!
  • Encrypted disks? (Score:4, Interesting)

    by nizo (81281) * on Tuesday January 18 2005, @06:26PM (#11402490)
    (http://nizo.deviantart.com/gallery/ | Last Journal: Saturday November 17, @11:02PM)
    Not that I would ever have anything to hide, but how safe is data on an encrypted disk, in particular linux encrypted filesystems like this [sourceforge.net]? It seems to me that with a little encryption you would pretty easily foil the efforts of any local forensics people.
    • Re:Encrypted disks? by BrownDwarf (Score:2) Tuesday January 18 2005, @06:35PM
    • Re:Encrypted disks? by temojen (Score:3) Tuesday January 18 2005, @06:39PM
    • Re:Encrypted disks? (Score:4, Interesting)

      by Grond_the_Hammer (784712) on Tuesday January 18 2005, @06:40PM (#11402620)
      It depends on what you mean by "local forensics people". Most true forensics professionals are pretty good at what they do, and I haven't yet met one that wasn't. People don't typically get jobs like that without going through a decent amount of training and certification.

      The mere presence of encrypted data is usually a tip-off to a decent examiner that something interesting is in there. There are even programs and statistical methods for finding different types of encrypted data on a drive. And there are all sorts of ways to recover passphrases...if you have enough evidence to get the suspect to talk, they'll usually give it up. Not every forensic technique is a technical one...

      Most of all, there is a lot of data that can't be encrypted to cover one's tracks, especially in the corporate environment where firewalls and other security systems log activity.

    • Re:Encrypted disks? by Anonymous Coward (Score:2) Tuesday January 18 2005, @06:40PM
    • Depends on whether it stays encrypted by Beryllium Sphere(tm) (Score:3) Tuesday January 18 2005, @07:29PM
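One of the "statistical methods for finding different types of encrypted data on a drive" that Grond_the_Hammer's comment mentions is an entropy scan, shown here as an added example that is not from the page: Shannon entropy per byte runs around 4-5 bits for English text, 0 for zero-filled space and close to 8 for ciphertext. The image is constructed from text, zero-filled unallocated space and os.urandom() bytes standing in for an encrypted volume; the block size and threshold are assumptions, not values from the page.

```python
"""Entropy scan for encrypted-looking regions of a disk image. Added example
with a constructed image; BLOCK and THRESHOLD are assumed, not from the page."""
import math
import os
from collections import Counter

BLOCK = 4096       # assumed scan granularity in bytes
THRESHOLD = 7.0    # assumed bits-per-byte cut-off for "looks encrypted or compressed"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a perfectly flat histogram)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_runs(image: bytes, block: int = BLOCK, threshold: float = THRESHOLD) -> list:
    """Return [(start, end), ...] byte ranges covering consecutive blocks above the threshold."""
    runs, start = [], None
    for off in range(0, len(image), block):
        hot = shannon_entropy(image[off:off + block]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(image)))
    return runs


def build_image() -> bytes:
    """Constructed layout: 8 blocks of text, 4 zero blocks, 6 'encrypted' blocks, 8 blocks of text."""
    text = (b"Minutes of the meeting, nothing to see here. " * 800)[:8 * BLOCK]
    unallocated = bytes(4 * BLOCK)
    ciphertext = os.urandom(6 * BLOCK)   # stands in for an encrypted container
    return text + unallocated + ciphertext + text


def demo() -> list:
    """Scan the constructed image; the only flagged run is the random region."""
    return high_entropy_runs(build_image())
```

Compressed data (zip, jpeg, mp3) scores just as high as ciphertext, so a flagged run is a candidate for closer examination, not proof of encryption; that is exactly the "tip-off" role the comment gives it. An examiner would next check the run for a recognisable container header and record the offsets in the case notes.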
  • Scientists don't do police work (Score:3, Insightful)

    by Quill_28 (553921) on Tuesday January 18 2005, @06:27PM (#11402508)
    (Last Journal: Monday January 17 2005, @09:36AM)
    >Where such shows deviate from reality is the
    >unrealistic speed at which the actors are able to
    >identify, apprehend and prosecute the perpetrators.

    What is also unrealistic is that the CSI guys ever see a suspect. They go to the crime and spend the rest of the time in a lab or sometimes in court.

    They would never ever talk to a suspect.
  • Forensic Science (Score:4, Interesting)

    by exp(pi*sqrt(163)) (613870) on Tuesday January 18 2005, @06:36PM (#11402586)
    (Last Journal: Monday January 06 2003, @10:36PM)
    The primary purpose of forensic science is to pretend to be a real science so as to fool people into thinking that there are reliable ways of tracking down who you are if you commit a crime. It's the myth of forensic science that keeps the crime rate down, not actual forensic science successes. Ask N forensic scientists when someone died, how long it was since their last meal and so on and you'll get N different answers. But programs like CSI help to mislead people into thinking this stuff actually works.

    In the days of yore torture was used much less than people imagine. Just the threat of torture was enough to make people confess. The same goes with forensic science. A cop says: "we have your DNA and we know it's you for sure" and that's enough to make someone confess. And as long as programs like CSI keep airing people will continue to fall for it.

    In fact, the fact that forensic science is 90% bull is probably one of the best kept secrets left in the Western world.

    • Re:Forensic Science by darth_linux (Score:1) Tuesday January 18 2005, @07:08PM
    • Uh by xant (Score:2) Tuesday January 18 2005, @07:21PM
      • Re:Uh by exp(pi*sqrt(163)) (Score:2) Tuesday January 18 2005, @07:56PM
        • Re:Uh by Threni (Score:1) Wednesday January 19 2005, @08:55AM
          • Re:Uh by exp(pi*sqrt(163)) (Score:2) Wednesday January 19 2005, @01:27PM
        • Re:Uh by acz (Score:1) Wednesday January 19 2005, @09:57PM
    • Re:Forensic Science by Grond_the_Hammer (Score:1) Tuesday January 18 2005, @07:24PM
    • Re:Forensic Science by gl4ss (Score:3) Tuesday January 18 2005, @11:17PM
  • Where such shows deviate from reality is the unrealistic speed at which the actors are able to identify, apprehend and prosecute the perpetrators.

    Frankly, I don't care. I don't care that in reality it would take 3-4 months to get the DNA processed because of the massive queue of other cases that need DNA processed. I don't care that real-live CSIs would never, ever, ever see a suspect or a crime scene. You can't really do a series that way. I don't have cable or satellite so I haven't seen the show, but I doubt that even New Detectives goes without showing the suspects.

    I like having interesting characters, I like a good story. That's why I still read Agatha Christie novels and watch the Poirot mysteries, even though Christie cheated on a regular basis.

    Just my $.02

  • The thing I hate most about CSI (Score:1, Redundant)

    by CastrTroy (595695) on Tuesday January 18 2005, @06:45PM (#11402662)
    (http://www.kibbee.ca/)
    The thing I hate most about CSI is when they zoom in on digital photographs or video tapes from crappy security cameras. Sure getting DNA results in 6 minutes is a little bit of a stretch used to get the crime solved in less than 3 months, not presenting evidence that isn't there.
  • "Forensic Discovery" (Score:1, Interesting)

    by Anonymous Coward on Tuesday January 18 2005, @06:46PM (#11402679)
    Yup, there's really nothing quite like stumbling upon a crime scene. Looks good, smells good, no nightmares or traumatic flashbacks. So get your Vapo-Rub and 35mm camera and come on down to "Forensic Discovery!"
  • An entry level book (Score:2, Informative)

    by AndroidCat (229562) on Tuesday January 18 2005, @06:49PM (#11402708)
    (http://home.primus.ca/~ronsharp/tororg.html)
    For starting out [dummies.com]. (Will they have Phishing For Dummies next?)
  • Minor correction, nit-picking (Score:2, Informative)

    by Anonymous Cowherd X (850136) on Tuesday January 18 2005, @06:52PM (#11402735)
    (http://www.freebsd.org/ | Last Journal: Thursday February 03 2005, @06:34PM)

    Security luminaries Dan Farmer and Wietse Venema wrote one of the first vulnerability scanners (SATAN) almost 10 years ago; SATAN was the precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known security applications as the TCP Wrapper program and the Postfix mail server.

    SATAN was also known as SANTA to those sensitive to sacrilegious references. Also, it's TCP Wrappers.

  • I'll Bite... (Score:4, Interesting)

    by Gargamell (716347) * on Tuesday January 18 2005, @06:57PM (#11402827)
    (http://www.timjchadwick.com/ | Last Journal: Thursday April 15 2004, @07:43AM)
    Hi all,

    Noticed that this post was hovering around 30 posts, and so I thought I would toss in some relevant tidbits that are pretty interesting.

    I graduated with a CS degree, and now I run a data warehouse, and architect an enterprise java application. Things are going well, but as many of us are aware, it may not be going so well for everyone that just graduated...

    case in point - a buddy of mine got a good job out of school, but it isn't great, not like what we all pictured when we signed up in the midst of the boom 5 years ago! About a month ago, an old friend of ours called up and said he had positions available for Forensic Scientists (paid bank). I kept asking what portion was related to CS or technology, and he kept replying - NONE! The only part is the ability to methodically research details and clues! Can anyone say.... debugging?!

    Anyways... I started to think about it, and compared with some of the criminal justice majors I know, CS grads really are more capable to handle that kind of stuff. Just like abstract puzzles, RPGs, and even some of the "lock-picking" articles I have been seeing. Anyone have a similar tale? Anyone know of a school that has a curriculum that tailors to that kind of profession?

    Thanks! ~tim

  • Cut TV some slack (Score:4, Insightful)

    by Jerf (17166) on Tuesday January 18 2005, @07:26PM (#11403168)
    (Last Journal: Saturday August 18 2001, @11:04AM)
    unlike television, where the crime must be solved by the end of the family hour

    Have you thought about what you're (implicitly, by your implied criticism) asking for?

    Which is it you want, an "episode" that lasts three months? A season that consists of the same 20-ish (or whatever number) episodes it does now, only randomly scattered across the episodes in the order in which they "really occurred"? On every scene change, white text on the bottom of the screen that says "[random time period] later"?

    It's like asking for "total realism" in science fiction... you are aware that faster than light travel is, at best, totally unproven and most likely completely impossible? (Save the discussion on the possibility of FTL for sci.physics, please, this is just an example.)

    So many fan-boy types ask for things that if they got them, they'd hate even more. I for one am glad the characters aren't making constant references to the amount of time something is taking, and I for one am glad that when they dig through an entire day of garbage in Las Vegas, they show about ten seconds of walking around, followed by the necessary discoveries. Are you seriously asking them to show the five or six hours it might have taken in real life? You feel free to watch it, I can guarantee I wouldn't.
  • What's next? (Score:3, Insightful)

    by StikyPad (445176) on Tuesday January 18 2005, @07:29PM (#11403203)
    (http://slashdot.org/)
    You're telling me that it takes longer than an hour to solve a crime? I've been to football games -- I know that what's on the TV is what's actually happening in real time. If it's on the TV, it must be real.

    Besides, who wants to watch a show where they uncover one clue a week, or get a subpoena, or nothing happens that week? Surprisingly, people don't want to watch real life when they turn on the TV (and don't even try to say that reality TV has anything to do with real life).
    • Re:What's next? by t_allardyce (Score:1) Tuesday January 18 2005, @08:14PM
    • Re:What's next? by Fortun L'Escrot (Score:1) Wednesday January 19 2005, @10:56AM
  • Forensic Discovery Fraud (Score:2, Interesting)

    by Anonymous Coward on Tuesday January 18 2005, @07:40PM (#11403306)
    I've got lovely news for you: Unless you are able to watch a computer from the time it is put on the network to the time that it is removed for evidence collection, you can say *VERY*LITTLE* about what someone may or may not have done with that computer.

    Here's a little story from several years back. A friend of mine who was doing deployed support for one of the armed services used an account at a major American university, which he was authorized to use, to download/store updated cisco images due to limited bandwidth constraints at the tip of the spear where he was working. Well, as it turns out that particular university's computer systems were {c,h}acker infested (due to a certain VIP's daughter attending that institution at that particular point in time). His password was sniffed (this was in the days when ssh was not that wide spread) and his connections to that university's computers were hijacked on a fairly regular basis (he thought his lousy connections were due to all the sat. hops his packets were taking to get from ship to shore).

    Well, about 6 months after this started, he got a little visit from a few "computer crime investigators". The experience was enlightening, but not in a positive way. After he was presented with the "evidence", which consisted of bogified last log... (I'm sorry, there is no host called swedish.chef.bork.bork.bork), he told the investigators that he felt that his telnet sessions might have been hijacked and he was told "that is only a theoretical attack and is not possible". The investigators then proceeded to tear his life apart (forced out of a job, seized all his work tools, searched two residences including one belonging to a foreign national for which they had neither permission nor a warrant, froze his savings, initiated a tax audit, got him kicked out of his house, interviewed family, friends, coworkers, boss/boss' boss telling them that he was a criminal about to be put away for a very long time, etc.) It took him almost 10 years to recover from the ignorance of some LE investigator turned "computer investigator" who thought telnet session hijacking was "only theoretical" because he didn't realize that hunt and juggernaut had been in wide distribution among the cracker community 10 months prior to the investigation. The "forensics" that were used in this investigation were nothing short of fraud. I believe that computer forensics investigators should be bonded and licensed so that they can be sued into oblivion in the event of malpractice.

    So, the next time you are forced to interface with *ANY* "computer investigator", remember, that nothing they say, do or "discover" has anything to do with reality/"The Truth"(tm), so much as it has *EVERYTHING* to do with what they think they can get away with in court with a jury of your "peers".
  • Isn't that why we have those

    "MONDAY 11:30AM"

    captions on almost each scene? Doh? I remember reading one that said "TWO MONTHS LATER" on Law&Order. Again, I didn't RTFA, but I think the article submitter should be clearer on what he means by "fast".
  • I wish people would talk about the work of The Grugq who got fired from @stake [stake.com] after publishing an article [phrack.org] in Phrack [phrack.org] Magazine. He will be talking in Jakarta, Indonesia at BCS2005 [bellua.com] in March, Blackhat [blackhat.com] Singapore and Amsterdam in April. (And he will probably never speak in USA because he embarrasses and ridicules the profession and ... the FBI.)
  • After reading the review [slashdot.org] of Dan Farmer and Wietse's Forensic Discovery, you should hear about The Grugq who got fired from @stake [stake.com] after writing a Phrack Article [phrack.org] in which he exposed numerous flaws in The Coroner's Toolkit [porcupine.org] by Dan & Wietse. Before you read this book, check out the video [hert.org] (bittorrent) of The Grugq on The Art of Defiling [packetstormsecurity.com] and see how to defeat "industry grade" forensic tools and techniques. You can also meet him at a hacker convention near you (in March at BCS2005 [bellua.com] in Jakarta, in April at Black Hat [blackhat.com] in S'pore and Amsterdam and at HITB2005 [hackinthebox.org] Bahrain).
  • by AtariKee (455870) on Tuesday January 18 2005, @06:19PM (#11402436)
    (http://www.briandeuel.com/)
    Forensic Files is another great show. I guess these types of shows, while still entertaining, cater to those who prefer their gore with a little more grey matter :)

    CSI isn't too bad, but compared to ogrish.com, "it ain't shit" :)
  • Unfair comparison. The whole time issue is all based on pacing. The big time-waster when it comes to forensics is DNA analysis, as that department is generally the department that gets it in the pants when it comes to the budget.
  • Re:That is why CSI sucks (Score:5, Informative)

    by severoon (536737) on Tuesday January 18 2005, @06:41PM (#11402633)
    (Last Journal: Tuesday September 14 2004, @03:59PM)

    I especially hate it when (this seems to predominate on CSI, but I've seen it on other shows as well) they "digitally enhance" security camera video to identify an attacker, read a license plate, etc. Usually, I can overlook it for the sake of the plotline every now and again. But, the final straw came for me a few weeks ago on CSI when they had an ATM security cam and they pulled a reflection off of the pupil of the third person in line and enhanced it to ID the criminal (second in line) who was facing away from the camera. They literally took a single grey pixel from the video and "enhanced" it to a beautifully rendered, studio-lit 8"x10" black and white portrait of the criminal.

    And, oh yea, if you put deer feces into an NMR, it's not going to spit out a graph with a bunch of peaks on it and print below the graph: "deer feces". On the other hand, I'm not sure which is worse...when they do that with the NMR, or when the NMR identifies 50 compounds in a sample, all with names like "n-methyl hydride deoxynitrate", and the CSI goes, "Oh, yea, those are the major components of plumber's grease that was used between 1970 and 1978 in the Western United States." They might as well have the NMR spit out a graph with a caption: "The bus driver did it! The motorcyclist was only his *accomplice*."

    Then, of course, there's the small issue of unlimited budget. If real CSIs solved crimes like they do on TV, they'd be spending somewhere between $15M and $50M per case. :-)

  • by DoctorMabuse (456736) * on Tuesday January 18 2005, @07:02PM (#11402886)
    (http://www.advantura.com/)
    This poster is totally incorrect. I have served as a computer forensic expert in both civil and criminal cases, and can tell you this poster does not understand the process. For example, the prosecution and defense may find an impartial examiner or use two examiners and make two copies of the seized disk or disks. Forensic tools with copy capabilities such as EnCase will make a bit-for-bit copy (including non-allocated sectors, file slack space, etc) of the disks and perform an MD5 checksum over the contents.

    I now perform my work on the copy. Any results I obtain can be demonstrated in court, as can the fact that the MD5 hash is the same and that my disk is still identical to the other party's copy.

    If chain of evidence is maintained, I should get the disk as it was when it was seized. Once I have it and copy it, it is effectively tamperproof, because of two persons each having a copy, the MD5 hash, additional checksums built into EnCase copy structures AND the fact that we can always recompare our copy to the original to determine it is still bit for bit.

    The scientific validity of computer forensic methods can be subjected to a Frye or Daubert hearing, where scientific experts can defend the method. EnCase has already been through these hearings and no credible argument has been advanced against its validity.

    If you have competent defense counsel or civil counsel, this should not be a concern.
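The acquire-hash-copy-recompare workflow DoctorMabuse describes, as an added example (this is not EnCase code and not code from the page): the seized disk is hashed over every sector, allocated or not, each side works on a bit-for-bit copy, and any copy can be re-verified against the acquisition hash at any time. The eight-sector "disk" is constructed; it includes file slack and the remnant of a deleted file so the difference between a bit-for-bit image and a plain file copy is visible. The comment names MD5; computing SHA-256 alongside it is my addition, since MD5 collisions are practical today and a second hash is now common practice.

```python
"""Forensic image acquisition hash and copy verification. Added example on a
constructed eight-sector disk; not the page's or EnCase's code."""
import hashlib
from typing import Optional

SECTOR = 512


def build_seized_disk() -> bytes:
    """Constructed disk: sector 0 a toy directory, sectors 1-2 an allocated 600-byte file
    (the tail of sector 2 is slack holding stale bytes), sector 3 the remnant of a deleted
    file that was unlinked but never overwritten, sectors 4-7 zero-filled free space."""
    directory = b"DIR: report.txt @sector1 len=600".ljust(SECTOR, b"\0")
    report = (b"Quarterly report, " * 40)[:600]                                  # 512 + 88 bytes
    slack = b"OLD DRAFT: numbers were different".ljust(SECTOR - 88, b"\0")       # stale slack bytes
    deleted = b"DELETED MEMO: sent to auditor".ljust(SECTOR, b"\0")              # unallocated sector
    free = bytes(4 * SECTOR)
    disk = directory + report + slack + deleted + free
    assert len(disk) == 8 * SECTOR
    return disk


def image_hashes(image: bytes) -> dict:
    """Acquisition hashes over the whole image, every sector included."""
    return {"md5": hashlib.md5(image).hexdigest(), "sha256": hashlib.sha256(image).hexdigest()}


def verify_copy(copy: bytes, acquisition: dict) -> bool:
    """True if this copy still hashes exactly as the disk did at seizure."""
    return image_hashes(copy) == acquisition


def first_differing_sector(a: bytes, b: bytes) -> Optional[int]:
    """Locate where two copies diverge, so a failed verification can be explained in court."""
    if len(a) != len(b):
        return min(len(a), len(b)) // SECTOR
    for off in range(0, len(a), SECTOR):
        if a[off:off + SECTOR] != b[off:off + SECTOR]:
            return off // SECTOR
    return None


def logical_copy(disk: bytes) -> bytes:
    """What a plain file-level copy would preserve: only the 600 allocated bytes of report.txt."""
    return disk[SECTOR:SECTOR + 600]


def demo() -> dict:
    seized = build_seized_disk()
    acquisition = image_hashes(seized)           # recorded at seizure, kept with the chain-of-custody paperwork
    prosecution_copy = bytes(seized)             # bit-for-bit copies handed to each side
    defense_copy = bytes(seized)
    both_verified = verify_copy(prosecution_copy, acquisition) and verify_copy(defense_copy, acquisition)
    tampered = bytearray(defense_copy)
    tampered[3 * SECTOR + 10] ^= 0x01            # flip one bit inside the deleted memo (unallocated space)
    logical = logical_copy(seized)
    return {
        "both_verified": both_verified,
        "tamper_detected": not verify_copy(bytes(tampered), acquisition),
        "tampered_sector": first_differing_sector(seized, bytes(tampered)),
        "slack_in_logical_copy": b"OLD DRAFT" in logical,
        "deleted_in_logical_copy": b"DELETED MEMO" in logical,
        "deleted_in_image": b"DELETED MEMO" in seized,
    }
```

The single flipped bit sits in a sector no file system would show, yet it changes both hashes, which is the property the comment relies on: either side can prove at any later date that its working copy is still the disk as seized. The logical-copy check shows why the image has to be bit-for-bit in the first place: the slack bytes and the deleted memo exist only in the full image.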