Book Report: Digital Forensics with Open Source Tools

It's a book about how to look over a hard drive and find out "what happened here?" This is a useful skill for computer security—you might want to figure out how a virus or hacker took over a machine just based on the changes they left behind to files. This might occasionally be useful to a computer repair person; maybe a hard drive got a little messed up such that it lost the "directory" information saying that the file Great_American_Novel.txt is in sector 1234... but you know that file contains the text "best of times". It seems like you ought to be able to recover the file if you have that information, and maybe you can.

This book talks about the process by which you do these things. It's a pretty interesting problem. How many files are on a typical hard drive nowadays? A lot. How do you sift through all of those to find the ones that help you figure out how someone or something misused a computer? You don't just turn on the affected computer and start clicking around looking for stuff, any more than you would run through a crime scene knocking things over for a quick once-over. Instead you copy the disk image onto some other machine. There are tools to reconstruct files, whether that means regular files, files "forgotten" by corrupted directories, files marked for deletion but with their bits still there, or file fragments partially written over but with some old bits left behind in the cracks at the ends of the sectors. There are tools to reconstruct timelines: this file was accessed at this time, that file was created at that time.
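As an added illustration (my own toy code, not code from the book or from this post), here is a small Python carver that acts out the scenario above: a raw image with 512-byte sectors (an assumption), a text file whose directory entry has been lost, recovery by searching for a fragment of content you happen to know, and then the "old bits left behind" after the start of that file is overwritten by a shorter one. The image, the novel text and the overwriting file are all constructed for the example.

```python
"""Toy content-based file carving on a constructed raw disk image.

Added example for illustration only; not from the book or the post.
Assumes 512-byte sectors and plain ASCII text files.
"""
import re

SECTOR = 512  # assumption: classic 512-byte sectors

# Constructed sample data.
NOVEL = (b"It was the best of times, it was the worst of times,\n"
         b"it was the age of wisdom, it was the age of foolishness.\n")
# Constructed "binary" file: one non-text byte, three letters, then zero padding.
OVERWRITE = b"\x7fELF" + bytes(36)


def build_image(n_sectors):
    """An empty constructed disk image: every byte zero (never written)."""
    return bytearray(SECTOR * n_sectors)


def write_file(image, start_sector, data):
    """Write `data` at a sector boundary.

    A real filesystem would also record (start_sector, len(data)) in a
    directory entry; here we deliberately keep no such record, which is the
    "lost directory" situation described above.  Bytes after len(data) in the
    last sector are left untouched: that is the slack space where old bits
    survive when a shorter file later lands on the same sectors.
    """
    off = start_sector * SECTOR
    image[off:off + len(data)] = data


def _is_text(b):
    """Heuristic: printable ASCII plus tab/newline/CR counts as text."""
    return b in (9, 10, 13) or 32 <= b < 127


def carve_text(image, needle):
    """Recover text runs containing `needle` with no directory information.

    For each hit, expand left and right while bytes still look like text and
    stop at the first non-text byte (zero padding or binary data).  Returns a
    list of (byte_offset, recovered_text), one entry per distinct run.
    """
    data = bytes(image)
    results = []
    seen = set()
    for m in re.finditer(re.escape(needle), data):
        lo, hi = m.start(), m.end()
        while lo > 0 and _is_text(data[lo - 1]):
            lo -= 1
        while hi < len(data) and _is_text(data[hi]):
            hi += 1
        if lo not in seen:
            seen.add(lo)
            results.append((lo, data[lo:hi].decode("ascii")))
    return results


def demo():
    """Walk through the scenario and return what each carve recovered."""
    img = build_image(64)
    write_file(img, 10, NOVEL)                 # file exists, directory "lost"
    before = carve_text(img, b"best of times")  # whole file comes back
    write_file(img, 10, OVERWRITE)             # shorter file overwrites the start
    gone = carve_text(img, b"best of times")    # that fragment is destroyed
    after = carve_text(img, b"age of wisdom")   # the tail survives in slack space
    return {"before": before, "gone": gone, "after": after}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits)
```

The "after" result is the interesting one: the first 40 bytes of the novel are gone, but everything from "st of times" onward is still sitting on disk after the new file's zero padding, and a content search finds it with no help from any directory. Real carvers do the same thing with file-type signatures (headers and footers) instead of a known sentence, and have to cope with fragmented files, which this toy does not.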

I'm neither a security person nor a repair person, but I still got something out of this book. It doesn't just talk about reconstructing files. It also talks about the common things computers record about what we do even when we're not obviously working with a file. When you browse the internet, your browser is helpfully caching copies of those visited pages on your hard drive. If you're someone like me who hasn't got around to using webmail, then whenever your machine tries to send/get email to/from the greater internet, it probably logs something about how that went. And so on and so forth. If you mess something up and want to know, "Hey, is there some 'historical log' I can look at to figure out what I messed up?", the answer might be "Yes."

Tags: book capabilities
