Forensic Discovery (Addison-Wesley Professional Computing Series) / Edition 1

Hardcover (Print)
Buy Used
Buy Used from
(Save 38%)
Item is in good condition but packaging may have signs of shelf wear/aging or torn packaging.
Condition: Used – Good details
Used and New from Other Sellers
Used and New from Other Sellers
from $1.99
Usually ships in 1-2 business days
(Save 96%)
Other sellers (Hardcover)
  • All (16) from $1.99   
  • New (4) from $66.91   
  • Used (12) from $1.99   
Sort by
Page 1 of 1
Showing All
Note: Marketplace items are not eligible for any coupons and promotions
Seller since 2014

Feedback rating:



New — never opened or used in original packaging.

Like New — packaging may have been opened. A "Like New" item is suitable to give as a gift.

Very Good — may have minor signs of wear on packaging but item works perfectly and has no damage.

Good — item is in good condition but packaging may have signs of shelf wear/aging or torn packaging. All specific defects should be noted in the Comments section associated with each item.

Acceptable — item is in working order but may show signs of wear such as scratches or torn packaging. All specific defects should be noted in the Comments section associated with each item.

Used — An item that has been opened and may show signs of wear. All specific defects should be noted in the Comments section associated with each item.

Refurbished — A used item that has been renewed or updated and verified to be in proper working condition. Not necessarily completed by the original manufacturer.

2005 Hardcover New

Ships from: san francisco, CA

Usually ships in 1-2 business days

  • Canadian
  • International
  • Standard, 48 States
  • Standard (AK, HI)
  • Express, 48 States
  • Express (AK, HI)
Seller since 2008

Feedback rating:


Condition: New

Ships from: Chicago, IL

Usually ships in 1-2 business days

  • Standard, 48 States
  • Standard (AK, HI)
Seller since 2015

Feedback rating:


Condition: New
Brand new.

Ships from: acton, MA

Usually ships in 1-2 business days

  • Standard, 48 States
  • Standard (AK, HI)
Seller since 2015

Feedback rating:


Condition: New
Brand new.

Ships from: acton, MA

Usually ships in 1-2 business days

  • Standard, 48 States
  • Standard (AK, HI)
Page 1 of 1
Showing All
Sort by


Computer forensics, the art and science of gathering and analyzing digital evidence, reconstructing data and attacks, and tracking perpetrators, is becoming ever more important as IT and law enforcement professionals face an epidemic in computer crime. In Forensic Discovery, two internationally recognized experts present the most thorough and realistic guide to the subject ever published. Dan Farmer and Wietse Venema cover both theory and hands-on practice, introducing a powerful approach that can often recover evidence considered lost forever.

The authors draw on their extensive firsthand experience to cover everything from file systems to memory, kernel hacks to malware. Along they way, they expose a wide variety of computer forensics myths that stand in the way of success. You'll find extensive examples from Solaris, FreeBSD, Linux, and Microsoft Windows, as well as practical guidance for using many of today's most powerful forensic tools. The authors are singularly well-qualified to write this book: They personally created many of those tools--from the legendary SATAN network scanner to the powerful Coroner's Toolkit for analyzing UNIX break-ins.

After reading this book you will be able to

  • Understand essential forensics concepts: volatility, layering, and trust
  • Gather the maximum amount of reliable evidence from a running system
  • Recover partially destroyed information--and make sense of it
  • Timeline your system: understand what really happened when
  • Uncover secret changes to everything from system utilities to kernel modules
  • Avoid cover-ups and evidence traps set by intruders
  • Identify the digital footprints associated with suspicious activity
  • Understand file systems from a forensic analyst's point of view
  • Analyze malware--and prevent it from escaping
  • Capture and examine the contents of main memory on running systems
  • Walk through unraveling an intrusion, one step at a time
  • Use your evidence to apprehend intruders--and make sure it stands up in court

This book's companion Web site contains complete source and binary code for open source software discussed in the book, plus additional computer forensics case studies and resource links.

Read More Show Less

Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
Think of it as CSI: Unix, Linux, and Windows. The creators of the legendary SATAN and Coroner’s Toolkit security packages have written the definitive guide to forensics problem solving, analysis, and discovery.

Forensic data can be found everywhere you look -- if you know how. So Dan Farmer and Wietse Venema systematically explain how information and traces of past events persist, and how to recover and assess them.

You’ll learn how computer architecture impacts your analysis; then master the crucial concept of timelining: drawing on host- and network-based information to understand what happened when. (The authors present a case study intrusion that lasted a full year.)

Farmer and Venema systematically demonstrate how to examine file systems and evaluate the trustworthiness of the data you capture. You’ll learn how to identify subversions of user processes and operating systems -- from simple changes to malicious kernel modules. There’s a chapter on uncovering the hidden purpose of malware. You’ll even learn how to discover clues in RAM (for example, decrypted contents of encrypted files).

This book is about the spirit and thinking involved in successful forensic analysis. It’s not a “cookbook.” But there are more than enough specific techniques and tools coverage to make you effective in real-world investigations. There are plenty of examples, too: from Solaris, FreeBSD, Linux, occasionally Windows. Strikingly, however, the underlying principles remain constant regardless of environment. And whether you’re a sysadmin or law enforcement professional, you need to know them. Bill Camarda, from the February 2005 Read Only

Read More Show Less

Product Details

  • ISBN-13: 9780201634976
  • Publisher: Addison-Wesley
  • Publication date: 12/30/2004
  • Series: Addison-Wesley Professional Computing Series
  • Edition description: First Edition
  • Edition number: 1
  • Pages: 217
  • Product dimensions: 7.20 (w) x 9.58 (h) x 0.77 (d)

Meet the Author

Dan Farmer is author of a variety of security programs and papers. He is currently chief technical officer of Elemental Security, a computer security software company. Together he and Wietse Venema, have written many of the world's leading information security and forensics packages, including the SATAN network security scanner and the Coroner's Toolkit.

Wietse Venema has written some of the world's most widely used software, including TCP Wrapper and the Postfix mail system. He is currently a research staff member at IBM Research. Together, he and Dan Farmer have written many of the world's leading information security and forensics packages, including the SATAN network security scanner and the Coroner's Toolkit.

Read More Show Less

Read an Excerpt

Today, only minutes pass between plugging in to the Internet and being attacked by some other machine—and that's only the background noise level of nontargeted attacks. There was a time when a computer could tick away year after year without coming under attack. For examples of Internet background radiation studies, see CAIDA 2003, Cymru 2004, or IMS 2004.

With this book, we summarize experiences in post-mortem intrusion analysis that we accumulated over a decade. During this period, the Internet grew explosively, from less than a hundred thousand connected hosts to more than a hundred million (ISC 2004). This increase in the number of connected hosts led to an even more dramatic—if less surprising—increase in the frequency of computer and network intrusions. As the network changed character and scope, so did the character and scope of the intrusions that we faced. We're pleased to share some of these learning opportunities with our readers.

In that same decade, however, little changed in the way that computer systems handle information. In fact, we feel that it is safe to claim that computer systems haven't changed fundamentally in the last 35 years—the entire lifetime of the Internet and of many operating systems that are in use today, including Linux, Windows, and many others. Although our observations are derived from today's systems, we optimistically expect that at least some of our insights will remain valid for another decade.What You Can Expect to Learn from This Book

The premise of the book is that forensic information can be found everywhere you look. With this guiding principle in mind, we develop tools to collect information from obviousand not-so-obvious sources, we walk through analyses of real intrusions in detail, and we discuss the limitations of our approach.

Although we illustrate our approach with particular forensic tools in specific system environments, we do not provide cookbooks for how to use those tools, nor do we offer checklists for step-by-step investigation. Instead, we present a background on how information persists, how information about past events may be recovered, and how the trustworthiness of that information may be affected by deliberate or accidental processes.

In our case studies and examples, we deviate from traditional computer forensics and head toward the study of system dynamics. Volatility and the persistence of file systems and memory are pervasive topics in our book. And while the majority of our examples are from Solaris, FreeBSD, and Linux systems, Microsoft's Windows shows up on occasion as well. Our emphasis is on the underlying principles that these systems have in common: we look for inherent properties of computer systems, rather than accidental differences or superficial features.

Our global themes are problem solving, analysis, and discovery, with a focus on reconstruction of past events. This approach may help you to discover why events transpired, but that is generally outside the scope of this work. Knowing what happened will leave you better prepared the next time something bad is about to occur, even when that knowledge is not sufficient to prevent future problems. We should note up front, however, that we do not cover the detection or prevention of intrusions. We do show that traces from one intrusion can lead to the discovery of other intrusions, and we point out how forensic information may be affected by system-protection mechanisms, and by the failures of those mechanisms.Our Intended Audience

We wrote this book for readers who want to deepen their understanding of how computer systems work, as well as for those who are likely to become involved with the technical aspects of computer intrusion or system analysis. System administrators, incident responders, other computer security professionals, and forensic analysts will benefit from reading this book, but so will anyone who is concerned about the impact of computer forensics on privacy.

Although we have worked hard to make the material accessible to nonexpert readers, we definitely do not target the novice computer user. As a minimal requirement, we assume strong familiarity with the basic concepts of UNIX or Windows file systems, networking, and processes.Organization of This Book

The book has three parts: we present foundations first, proceed with analysis of processes, systems, and files, and end the book with discovery. We do not expect you to read everything in the order presented. Nevertheless, we suggest that you start with the first chapter, as it introduces all the major themes that return throughout the book.

In Part I, "Basic Concepts," we introduce general high-level ideas, as well as basic techniques that we rely on in later chapters.

  • Chapter 1, "The Spirit of Forensic Discovery," shows how general properties of computer architecture can impact post-mortem analysis. Many of the limitations and surprises that we encounter later in the book can already be anticipated by reading this chapter.
  • Chapter 2, "Time Machines," introduces the concept of timelining, using examples of host-based and network-based information, including information from the domain name system. We look at an intrusion that stretches out over an entire year, and we show examples of finding time information in non-obvious places.

In Part II, "Exploring System Abstractions," we delve into the abstractions of file systems, processes, and operating systems. The focus of these chapters is on analysis: making sense of information found on a computer system and judging the trustworthiness of our findings.

  • Chapter 3, "File System Basics," introduces fundamental file system concepts, as well as forensic tools and techniques that we will use in subsequent chapters.
  • Chapter 4, "File System Analysis," unravels an intrusion by examining the file system of a compromised machine in detail. We look at both existing files and deleted information. As in Chapter 2, we use correlation to connect different observations, and to determine their consistency.
  • Chapter 5, "Systems and Subversion," is about the environment in which user processes and operating systems execute. We look at subversion of observations, ranging from straightforward changes to system utilities to almost undetectable malicious kernel modules, and detection of such subversion.
  • Chapter 6, "Malware Analysis Basics," presents techniques to discover the purpose of a process or a program file that was left behind after an intrusion. We also discuss safeguards to prevent malware from escaping, and their limitations.

In Part III, "Beyond the Abstractions," we look beyond the constraints of the file, process, and operating system abstractions. The focus of this part is on discovery, as we study the effects of system architecture on the decay of information.

  • Chapter 7, "The Persistence of Deleted File Information," shows that large amounts of deleted file information can survive intact for extended periods. We find half-lives on the order of two to four weeks on actively used file systems.
  • Chapter 8, "Beyond Processes," shows examples of persistence of information in main memory, including the decrypted contents of encrypted files. We find large variations in persistence, and we correlate these variations to operating system architecture properties.

The appendices present background material: Appendix A is an introduction to the Coroner's Toolkit and related software. Appendix B presents our current insights with respect to the order of volatility and its ramifications when capturing forensic information from a computer system.Conventions Used in This Book

In the examples, we use constant-width font for program code, command names, and command input/output. User input is shown in bold constant-width font. We use $ as the shell command prompt for unprivileged users, and we reserve # for super-user shells. Capitalized names, such as Argus, are used when we write about a system instead of individual commands.

Whenever we write "UNIX," we implicitly refer to Solaris, FreeBSD, and Linux. In some examples we include the operating system name in the command prompt. For example, we use solaris$ to indicate that an example is specific to Solaris systems.

As hinted at earlier, many examples in this book are taken from real-life intrusions. To protect privacy, we anonymize information about systems that are not our own. For example, we replace real network addresses with private network addresses such as or, and we replace host names or user names. Where appropriate, we even replace the time and time zone.Web Sites

The examples in this book feature several small programs that were written for the purpose of discovery and analysis. Often we were unable to include the entire code listing because the additional detail would only detract from the purpose of the book. The complete source code for these and other programs is made available online at these Web sites:

On the same Web sites, you will also find bonus material, such as case studies that were not included in the book and pointers to other resources.

Read More Show Less

Table of Contents

Ch. 1 The spirit of forensic discovery 3
Ch. 2 Time machines 17
Ch. 3 File system basics 39
Ch. 4 File system analysis 59
Ch. 5 Systems and subversion 87
Ch. 6 Malware analysis basics 117
Ch. 7 The persistence of deleted file information 145
Ch. 8 Beyond processes 161
App. A The coroner's toolkit and related software 187
App. B Data gathering and the order of volatility 193
Read More Show Less

Customer Reviews

Average Rating 5
( 1 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Anonymous

    Posted January 17, 2005


    A trifle unsettling. The authors go through ways to do analysis on a computer, to see if it has been broken into. They focus on unix and linux machines, though most of their work also pertains to Microsoft computers. The discussion can also give you insight into how these operating systems run, and specifically how they handle file management. Because an understanding of the general picture is vital to seeing how an attack might be conducted. Naturally, a lot of space is devoted to studying what rootkits can do, and the traces they might leave. But the authors also take us down to the hardware. One very insightful chapter delves into how deleted files might persist on your computer, and for how long. We all know how Peter Norton in the 1980s was the first to introduce an undo for file deletion under MSDOS. But this book goes further. The authors studied several computers for how long a deleted file's contents might actually still exist on the disk, before being overwritten. While they only studied a few computers, they claim, probably reasonably, that these had typical usage. One was an ftp and web server, for example. They found half lives ranging from 12 days to 35 days. So be careful! If those files are your sensitive data, more stringent measures might be needed to fully erase them.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)