Forensics for Network, Internet, and Cloud Computing

Tuesday, September 06, 2011

Tony Campbell


Article by John Hughes

Book Review: Digital Forensics for Network, Internet, and Cloud Computing

Another book that has in its title a theme of virtualization or cloud computing in but in reality this book is primarily about network forensics, in which, it is my option, that it does quite a reasonable job. 

However, it does have a number of shortfalls, but more on that later.

The book consists of 368 pages, divided into six parts with a total of 13 chapters.  Part 1 sets the scene.  Part 2 then goes on to describe how to capture network traffic and evidence. 

In particular, it describes a number of the key tools in networking analysis, including TCP dump, Wireshark, fiddler and Snort.  Part 3 shows how to analyze evidence with open source software. 

However, and quite bizarrely, the first chapter in this section describes the TCP protocol.  Surely one should describe this before delving into the intricacies of Wireshark?  Part 4 goes on to describe a number of commercial network forensics applications, namely NetWitness Investigator and SilentRunner. 

Part 5 provides guidance to the forensics investor on how to make a case, including incorporating network forensics into incident response plans and admissibility requirements. 

Part 6 concludes the book by looking at the future of network forensics.  Chapter 12 in this section is about the future of cloud computing ñ a total of just 20 pages! One has to ask oneself whether having just 20 pages on this subject deserves iCloud Computing to be in the title?

So, what of the shortfalls?  Given that many of the network attacks are web-based, I wished it had provided an overview of the HTTP protocol and the various techniques in session management (e.g. cookies) and attacks against it (e.g. XSS). 

It did quite a good job in providing an overview of TCP/IP, however, the book would have been so much better if it included an overview of HTTP, as well as some of the types of web attacks one could encounter. 

The quality of the book, in places, was not to the level I would have expected.  There were a number of screenshots that were unreadable.  In addition, the book was very inconsistent in having a reference section. 

A number of chapters had a very long and complete reference section, while a few chapters had no reference section at all, yet it was obvious that they required a reference section.  Poor screenshots and lack of references seems like laziness on behalf of the author and publisher.

As a result of these problems with the book, I only gave it a score of 3.  However, it would not have taken much to attain a score of 4, with just a little additional care and attention from the author and publisher.

Closing summary   

Although this book disappointed me, I still think it is a valuable addition to a forensics investigator's bookshelf, especially if the investigator is not so familiar with the mysterious world of networking. 

However, I would advise any person wanting to get into this field to read a number of more detailed books describing the key open source tools in this area, namely, Wireshark, nmap and Snort.  Definitely don't expect this to be a book on the issues around Cloud Forensics.

Reviewer Name:   John Hughes

Reviewer Qualifications:   CLAS, ITPC, M Inst ISP, ISO 27001 Lead Auditor, CGFE, MBCS

Book Title: Digital Forensics for Network, Internet, and Cloud Computing

Subtitle: A Forensic Evidence Guide for Moving Targets and Data

Authors: Terrence V. Lillard, Clint P. Garrison, Craig A. Schiller, James Steele

Publisher: Syngress (The title is out of print with no plans for a new edition)

Date of Publishing: 2 July 2010

Cross posted from InfoSec Reviews

Possibly Related Articles:
Information Security
HTTP Security Forensics Cloud Computing Network Security Book Review WireShark TCP
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.