Book Review - Forensic Discovery by Dan Farmer and Wietse Venema
Security professionals who find themselves trying to piece together an attack will find a lot of value in the book Forensic Discovery by Dan Farmer and Wietse Venema (Addison-Wesley).
Part 1 - Basic Concepts: The Spirit of Forensic Discovery; Time Machines
Part 2 - Exploring System Abstractions: File System Basics; File System Analysis; Systems and Subversion; Malware Analysis Basics
Part 3 - Beyond the Abstractions: The Persistence of Deleted File Information; Beyond Processes
Appendix: The Coroner's Toolkit and Related Software; Data Gathering and the Order of Volatility
As attacks become more and more common in today's computing environment, it's important to know how to preserve evidence in such a way that (1) you can trace what happened and (2) the information is admissible as evidence in case of prosecution. Farmer and Venema do a good job of showing a system administrator what steps need to be taken to safely analyze an attack. The book is aimed at readers with a solid understanding of Windows and Unix file systems, networking, and processes. Readers without that background will get some of the conceptual information but will bog down in the details.

And there are plenty of details... For instance, the authors show how information can persist in memory and on disk far longer than might be expected. In some cases, we could be talking months or years. Using the tools they recommend, you can analyze this "empty space" and find important clues as to what may or may not have happened. This also underscores the importance of freezing a computer's state as soon as possible after an incident, so that this empty space doesn't get overwritten and lost to analysis.
Definitely a worthwhile addition to the bookshelf of security analysts who live this stuff on a daily basis...