Uh-oh, it looks like your Internet Explorer is out of date.

For a better shopping experience, please upgrade now.

Digital Forensics with Open Source Tools

Digital Forensics with Open Source Tools

5.0 1
by Cory Altheide

See All Formats & Editions

Digital Forensics with Open Source Tools is the definitive book on investigating and analyzing computer systems and media using open source tools. The book is a technical procedural guide, and explains the use of open source tools on Mac, Linux and Windows systems as a platform for performing computer forensics. Both well-known and novel forensic methods are


Digital Forensics with Open Source Tools is the definitive book on investigating and analyzing computer systems and media using open source tools. The book is a technical procedural guide, and explains the use of open source tools on Mac, Linux and Windows systems as a platform for performing computer forensics. Both well-known and novel forensic methods are demonstrated using command-line and graphical open source computer forensic tools for examining a wide range of target systems and artifacts.

Written by world-renowned forensic practitioners, this book uses the most current examination and analysis techniques in the field. It consists of 9 chapters that cover a range of topics such as the open source examination platform; disk and file system analysis; Windows systems and artifacts; Linux systems and artifacts; Mac OS X systems and artifacts; Internet artifacts; and automating analysis and extending capabilities. The book lends itself to use by students and those entering the field who do not have means to purchase new tools for different investigations.

This book will appeal to forensic practitioners from areas including incident response teams and computer forensic investigators; forensic technicians from legal, audit, and consulting firms; and law enforcement agencies.

    • Written by world-renowned forensic practitioners
    • Details core concepts and techniques of forensic file system analysis
    • Covers analysis of artifacts from the Windows, Mac, and Linux operating systems

    Editorial Reviews

    From the Publisher

    "This is highly detailed material. Although the introductory chapter adopts an easy pace, with overviews of important technical concepts, most of the other chapters get right down to the practice of forensic analysis. This is not a book you’re going to want to read in bed: you’ll want this right next to a computer – preferably two or three computers running different operating systems – so that you can try the techniques for yourself as you work your way through. The authors admit that this book does not cover everything you need to know. For instance, it focuses entirely on ‘dead drive’ forensics – offline systems. Analysing running systems often requires high-level proprietary tools. But it does give an excellent grounding in the methods of digital forensic analysis and provides a valuable first step in learning the technicalities."--Network Security, May 2012, page 4

    "Digital Forensics – MacGyver Style! The practical solutions of this book, Digital Forensics with Open Source Tools, save the day when commercial tools fail. During an incident, the clock ticks. Response teams scramble to pull anything together to solve the immediate challenge. Cory Altheide and Harlan Carvey take you through the tools and tactics that you need – the ones that in a pinch will get the job done. A welcome addition to my library."--Rob Lee, SANS Institute

    "Intended for students and new computer professionals, or those new to open source applications, this guide to digital forensics provides practical instructions for many common tasks in data recovery and analysis using open source tools. Beginning with a discussion of setting up an open source examination platform and tool set, the work covers disk and file system analysis, Windows, GNU/Linux and Mac OS X systems and artifacts, Internet artifacts, file analysis and automated analysis. The volume includes numerous code examples and tips and tricks as well as an appendix of software tools."--Reference and Research Book News

    "Intended for students and new computer professionals, or those new to open source applications, this guide to digital forensics provides practical instructions for many common tasks in data recovery and analysis using open source tools. Beginning with a discussion of setting up an open source examination platform and tool set, the work covers disk and file system analysis, Windows, GNU/Linux and Mac OS X systems and artifacts, Internet artifacts, file analysis and automated analysis. The volume includes numerous code examples and tips and tricks as well as an appendix of software tools. Chapter examples assume a basic knowledge of the Linux command line interface."--Reference and Research Book News

    "The authors intended this book for two types of readers: complete novices in the world of digital forensics, and seasoned practitioners who are interested in learning more about open source tools that could help them in their work. And although it might seem difficult to merge the knowledge in such a way to make for an interesting book for both groups, in my opinion, the writers managed to do it beautifully."--Net-Security.org

    Product Details

    Elsevier Science
    Publication date:
    Sold by:
    Barnes & Noble
    NOOK Book
    File size:
    3 MB

    Related Subjects

    Read an Excerpt

    Digital Forensics with Open Source Tools

    By Cory Altheide Harlan Carvey


    Copyright © 2011 Elsevier, Inc.
    All right reserved.

    ISBN: 978-1-59749-587-5

    Chapter One

    Digital Forensics with Open Source Tools


    • Welcome to "Digital Forensics with Open Source Tools"

    • What Is "Digital Forensics?"

    • What Is "Open Source?"

    • Benefits of Open Source Tools


    In digital forensics, we rely upon our expertise as examiners to interpret data and information retrieved by our tools. To provide findings, we must be able to trust our tools. When we use closed source tools exclusively, we will always have a veil of abstraction between our minds and the truth that is impossible to eliminate.

    We wrote this book to fill several needs. First, we wanted to provide a work that demonstrated the full capabilities of open source forensics tools. Many examiners that are aware of and that use open source tools are not aware that you can actually perform a complete investigation using solely open source tools. Second, we wanted to shine a light on the persistence and availability (and subsequent examination) of a wide variety of digital artifacts. It is our sincere hope that the reader learns to understand the wealth of information that is available for use in a forensic examination.

    To continue further, we must define what we mean by "Digital Forensics" and what we mean by "Open Source."


    At the first Digital Forensics Research Workshop (DFRWS) in 2001, digital forensics was defined as:

    The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

    While digital forensics techniques are used in more contexts than just criminal investigations, the principles and procedures are more or less the same no matter the investigation. While the investigation type may vary widely, the sources of evidence generally do not. Digital forensic examinations use computer-generated data as their source. Historically this has been limited to magnetic and optical storage media, but increasingly snapshots of memory from running systems are the subjects of examination.

    Digital forensics is alternately (and simultaneously!) described as an art and a science. In Forensic Discovery, Wietse Venema and Dan Farmer make the argument that at times the examiner acts as a digital archaeologist and, at other times, a digital geologist.

    Digital archaeology is about the direct effects from user activity, such as file contents, file access time stamps, information from deleted files, and network flow logs.... Digital geology is about autonomous processes that users have no direct control over, such as the allocation and recycling of disk blocks, file ID numbers, memory pages or process ID numbers.

    This mental model of digital forensics may be more apropos than the "digital ballistics" metaphor that has been used historically. No one ever faults an archaeologist for working on the original copy of a 4000-year-old pyramid, for example. Like archaeology and anthropology, digital forensics combines elements from "hard" or natural science with elements from "soft" or social science.

    Many have made the suggestion that the dichotomy of the art and science of forensic analysis is not a paradox at all, but simply an apparent inconsistency arising from the conflation of the two aspects of the practice: the science of forensics combined with the art of investigation. Applying scientific method and deductive reasoning to data is the science—interpreting these data to reconstruct an event is the art.

    On his Web site, Brian Carrier makes the argument that referring to the practice as "digital forensics" may be partially to blame for some of this. While traditional crime scene forensic analysts are tasked with answering very discrete questions about subsets of evidence posed to them by detectives, digital forensic examiners often wear both hats. Carrier prefers the term "digital forensic investigation" to make this distinction clear.

    Goals of Forensic Analysis

    The goal of any given forensic examination is to find facts, and via these facts to recreate the truth of an event. The examiner reveals the truth of an event by discovering and exposing the remnants of the event that have been left on the system. In keeping with the digital archaeologist metaphor, these remnants are known as artifacts. These remnants are sometimes referred to as evidence. As the authors deal frequently with lawyers in writing, we prefer to avoid overusing the term evidence due to the loaded legal connotations. Evidence is something to be used during a legal proceeding, and using this term loosely may get an examiner into trouble. Artifacts are traces left behind due to activities and events, which can be innocuous, or not.

    As stated by Locard's exchange principle, "with contact between two items, there will be an exchange." This simple statement is the fundamental principle at the core of evidence dynamics and indeed all of digital forensics. Specific to digital forensics, this means that an action taken by an actor on a computer system will leave traces of that activity on the system. Very simple actions may simply cause registers to change in the processor. More complex actions have a greater likelihood of creating longer-lasting impressions to the system, but even simple, discreet tasks can create artifacts. To use a real-world crime scene investigation analogy, kicking open a door and picking a lock will both leave artifacts of their actions (a splintered door frame and microscopic abrasions on the tumblers, respectively). Even the act of cleaning up artifacts can leave additional artifacts—the digital equivalent to the smell of bleach at a physical crime scene that has been "washed."

    It is important to reiterate the job of the examiner: to determine truth. Every examination should begin with a hypothesis. Examples include "this computer was hacked into," "my spouse has been having an affair," or "this computer was used to steal the garbage file." The examiner's task is not to prove these assertions. The examiner's task is to uncover artifacts that indicate the hypothesis to be either valid or not valid. In the legal realm, these would be referred to as inculpatory and exculpatory evidence, respectively.

    An additional hitch is introduced due to the ease with which items in the digital realm can be manipulated (or fabricated entirely). In many investigations, the examiner must determine whether or not the digital evidence is consistent with the processes and systems that were purported to have generated it. In some cases, determining the consistency of the digital evidence is the sole purpose of an examination.

    The Digital Forensics Process

    The process of digital forensics can be broken down into three categories of activity: acquisition, analysis, and presentation.

    Acquisition refers to the collection of digital media to be examined. Depending on the type of examination, these can be physical hard drives, optical media, storage cards from digital cameras, mobile phones, chips from embedded devices, or even single document files. In any case, media to be examined should be treated delicately. At a minimum the acquisition process should consist of creating a duplicate of the original media (the working copy) as well as maintaining good records of all actions taken with any original media.

    Analysis refers to the actual media examination—the "identification, analysis, and interpretation" items from the DFRWS 2001 definition. Identification consists of locating items or items present in the media in question and then further reducing this set to items or artifacts of interest. These items are then subjected to the appropriate analysis. This can be file system analysis, file content examination, log analysis, statistical analysis, or any number of other types of review. Finally, the examiner interprets results of this analysis based on the examiner's training, expertise, experimentation, and experience. • Presentation refers to the process by which the examiner shares results of the analysis phase with the interested party or parties. This consists of generating a report of actions taken by the examiner, artifacts uncovered, and the meaning of those artifacts. The presentation phase can also include the examiner defending these findings under challenge.

    Note that findings from the analysis phase can drive additional acquisitions, each of which will generate additional analyses, etc. This feedback loop can continue for numerous cycles given an extensive network compromise or a long-running criminal investigation.

    This book deals almost exclusively with the analysis phase of the process, although basic acquisition of digital media is discussed.


    Generically, "open source" means just that: the source code is open and available for review. However, just because you can view the source code doesn't mean you have license to do anything else with it. The Open Source Initiative has created a formal definition that lays out the requirements for a software license to be truly open source. In a nutshell, to be considered open source, a piece of software must be freely redistributable, must provide access to the source code, must allow the end user to modify the source code at will, and must not restrict the end use of the software. For more detail, see the full definition at the Open Source Initiative's site.

    "Free" vs. "Open"

    Due to the overloading of the word "free" in the English language, confusion about what "free" software is can arise. Software available free of charge (gratis) is not necessarily free from restriction (libre). In the open source community, "free software" generally means software considered "open source" and without restriction, in addition to usually being available at no cost. This is in contrast to various "freeware" applications generally found on Windows system available solely in binary, executable format but at no cost.

    This core material of this book is focused on the use of open source software to perform digital forensic examinations. "Freeware" closed source applications that perform a function not met by any available open source tools or that are otherwise highly useful are discussed in the Appendix.

    Open Source Licenses

    At the time of this writing, there are 58 licenses recognized as "Open Source" by the Open Source Initiative. Since this is a book about the use of open source software and not a book about the intricacies of software licensing, we briefly discuss the most commonly used open source licenses. The two most commonly used licenses are the GNU Public License (GPL) and the Berkeley Software Distribution License (BSD). To grossly simplify, the core difference between these two licenses is that the GPL requires that any modifications made to GPL code that is then incorporated into distributed compiled software be made available in source form as well. The BSD license does not have this requirement, instead only asking for acknowledgment that the distributed software contains code from a BSD-licensed project.

    This means that a widget vendor using GPL-licensed code in their widget controller code must provide customers that purchase their widgets the source code upon request. If the widget was driven using BSD license software, this would not be necessary. In other words, the GPL favors the rights of the original producer of the code, while the BSD license favors the rights of the user or consumer of the code. Because of this requirement, the GPL is known as a copyleft license (a play on "copyright"). The BSD license is what is known as a permissive license. Most permissive licenses are considered GPL compatible because they give the end user authority over what he or she does with the code, including using it in derivative works that are GPL licensed. Additional popular GPL-compatible licenses include the Apache Public License (used by Apache Foundation projects) and the X11/MIT License.


    There are great many passionate screeds about the benefits of open source software, the ethics of software licensing, and the evils of proprietary software. We will not repeat them here, but we will outline a few of the most compelling reasons to use open source tools that are specific to digital forensics.


    Excerpted from Digital Forensics with Open Source Tools by Cory Altheide Harlan Carvey Copyright © 2011 by Elsevier, Inc.. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
    Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

    Meet the Author

    Cory Altheide is a Security Engineer at Google, focused on forensics and incident response. Prior to returning to Google, Cory was a principal consultant with MANDIANT, an information security consulting firm that works with the Fortune 500, the defense industrial base and the banks of the world to secure their networks and combat cyber-crime. In this role he responded to numerous incidents for a variety of clients. Cory has authored several papers for the computer forensics journal Digital Investigation and was a contributing author for UNIX and Linux Forensic Analysis (2008)&The Handbook Of Digital Forensics and Investigation (2010). Additionally, Cory is a recurring member of the program committee of the Digital Forensics Research Workshop (DFRWS).
    Harlan Carvey is a senior information security researcher with the Dell SecureWorks Counter Threat Unit - Special Ops (CTU-SO) team, where his efforts are focused on targeted threat hunting, response, and research. He continues to maintain a passion and focus in analyzing Windows systems, and in particular, the Windows Registry.

    Harlan is an accomplished author, public speaker, and open source tool author. He dabbles in other activities, including home brewing and horseback riding. As a result, he has become quite adept at backing up and parking a horse trailer.

    Harlan earned a bachelor’s degree in electrical engineering from the Virginia Military Institute, and a master’s degree in the same discipline from the Naval Postgraduate School. He served in the United States Marine Corps, achieving the rank of captain before departing the service. He resides in Northern Virginia with his family.

    Customer Reviews

    Average Review:

    Post to your social network


    Most Helpful Customer Reviews

    See all customer reviews

    Digital Forensics with Open Source Tools 5 out of 5 based on 0 ratings. 1 reviews.
    Anonymous More than 1 year ago