When I first saw the title for Digital Forensics with Open Source Tools by Cory Altheide and Harlan Carvey (Syngress, April 2011, ISBN: 9781597495868), I thought to myself “Oh great, another mash-up of Carrier’s File System Forensic Analysis, Farmer & Venema’s Forensic Discovery and the freely available Sleuthkit documentation.” What I found, however, was a well-written, detailed and concise book covering many of the most important, and freely available, open source tools that can be wielded in the name of system forensics and incident response. I’ve known both authors, Cory Altheide and Harlan Carvey, for quite some time, and both are well known in forensic circles. The voice throughout the book is consistent, and it’s difficult to see where one author picks up and the other leaves off (well, when the conversation switches to RegRipper I’m fairly certain that Harlan is the predominant voice).
The first chapter in Digital Forensics with Open Source Tools (DFwOST for short) outlines what constitutes a ‘free’ vs. ‘open’ tool, the various licenses, and the benefits of standardizing on a mixed bag of non-commercial tools – hint, portability between jobs is a big bonus. Chapter 2, surprisingly, shows you how to build your own open source examination platform and walks the reader through the installation and configuration of software, interpreters and other tools on either a Linux or a Windows host. Chapters 3 through 7 provide overviews, tips and tricks on everything from disk and file system analysis techniques to searching for artifacts on Windows, Linux and OS X systems, in addition to Internet-specific artifacts like those left by browsers and mail clients. Chapter 8 gives a somewhat high-level view of file analysis concepts and provides some file-specific format information for the investigator-on-the-go (who can really remember the various metadata available in a PDF file anyway?). Chapter 9 discusses the automation of analysis and some of the tools used to help extract common files, create timelines and work with graphical investigative environments like PyFLAG and the Digital Forensics Framework. Finally, the Appendix provides some high-level information on some complementary, though not open, tools to help with the forensic process.
I can honestly say that I read this book in a matter of hours – in one sitting, no less. My forensic knowledge and training did allow me to read through the book at a fairly decent pace, but I think that even the greenest forensic analyst would walk away with a more detailed knowledge of the forensic process and the open source tools that could be used to undertake a forensic exercise. The book is not going to explain the file system and its intricacies at any great length, but really, there are other books already written that do that. Also, the book won’t show you how to do everything with the tools it mentions, but it certainly will point the reader at some new tools that they may never have known about previously. It’s safe to say that DFwOST is certainly no substitute for forensic training or experience, but if you already have all of the standard forensics books on your bookshelf (you know the ones), you’d do well to save a slot for DFwOST as a quick reference for some of the newer tools not covered in those older tomes.