CyberForensics: Understanding Infosec Investigations

Thursday, January 06, 2011

Ben Rothke


CyberForensics: Understanding Information Security Investigations is a recent book written by a cast of industry all-stars.

The book takes a broad look at cyberforensics through various case studies.  Each of the book's 10 chapters takes a different approach to the topic, and the collection is meant to serve as a source guide to the core ideas of cyberforensics.

The book notes that there is a cohesive set of concepts that binds cybersecurity investigators to a shared vision, and it tries to be a source for those concepts.

But at 150 pages, while all of the chapters are well-written and enlightening, the book does not have the breadth and depth needed to be a single source for all things cyberforensics.

Jennifer Bayuk is the book's editor and also wrote the introduction.  Bayuk's introduction provides a historical background to the subject and puts things into context.  The chapter uses a fantastic visual tool to explain the complete cyberforensic framework.

Chapter 2, on the Complex World of Corporate CyberForensic Investigations, does a good job of detailing the elements involved in getting the various corporate departments integrated during an investigation.

IT in an enterprise setting is fraught with challenges.  Performing a forensic investigation in enterprise IT is even more challenging.  The groups involved often have different agendas and react quite differently to a forensic event.

The author uses the analogy of a puzzle, which can be complex to put together, but is a necessary effort nonetheless.

Many of the chapters take a broader view of the topic, while others are quite detailed.  Perhaps the best chapter in the book is chapter 6, Analyzing Malicious Software, from Lenny Zeltser.

The chapter is an outgrowth of Zeltser's SANS Security 569 course on the topic.  Its use of a case study to detail the behavioral analysis of malicious code provides an excellent synopsis of how to analyze and debug malware.

Chapter 7, Network Packet Forensics, from Eddie Schwartz, is another exceptional chapter that walks the reader through using various digital forensic inputs to resolve an incident.

Chapter 10, Cybercrime and Law Enforcement Cooperation, is about how to interface with law enforcement during a cyberforensic investigation.  This may be the Achilles' heel of forensics: getting external cooperation is difficult at best, and often impossible.

A recent example of this is a friend of mine who had detailed information about the source of the Stuxnet worm.  He attempted to share the information with law enforcement without much success.  The various organizations were not receptive to it and didn't take action on his well-researched claims.

The book is written for the experienced practitioner who wants an overview of current trends.  This is not a "for dummies" type of book.  Readers are expected to be comfortable with varied topics such as Wireshark packet capture, code analysis, investigations, and more.

Those looking for an introduction to cyberforensics should definitely consider another title such as Computer Forensics for Dummies.

A problem with collaborative books such as this is that they often lack a consistent stream of thought.  This book suffers from that, but only to a limited degree.

It is impossible for ten different authors writing about the same subject not to have different styles.  One example is the use of both spellings, CyberForensics and Cyberforensics, within the book.

At 150 pages, the book is a relatively quick initial read, and covers numerous interesting areas.  The only downside to the book is its prohibitive list price of $189.00.

Cross-posted from RSA Conference
