The Eggman said
This is not a book for newbies or the timid! If, however, you have a reasonably solid understanding of networking, protocols, OS layers telecom and hardware this book can help you move to the next level.
I like to refer to this type of book as 'bathroom reading.' What that means is that you can pick it up, turn to just about any page and after a few minutes set it back down with a "gee, I never knew that" feeling that you just learned something useful. Somewhere between a textbook and a reference book. It's not recreational reading, but reading for a purpose. It won't tell you what a packet is, but how to recognize a malformed one. It also provides an in-depth look at many of the more popular investigative software tools you will need to successfully study this arena of computing, communications and security. Also, considering that no one is quite sure exactly _what_ the "cloud" really means, this book presents a detailed insight into the vulnerabilities that may be encountered when implementing this type of shared resource architecture.
Though this book may intimidating to some at first blush, a more detailed examination [and a bit of brain work] will reward the mid-level to advanced networking professional with an excellent insight into the 'bit-level' methodologies and mechanics involved in securing both mature and emerging technologies.
Richard Bejtlich said
Digital Forensics for Network, Internet, and Cloud Computing (DFFNIACC) is one of the worst books I've read in the last few years. You may wonder why I bothered reading a two star book. Blame a flight from the east coast to Las Vegas and not much else to read during those five hours! DFFNIACC is a jumbled collection of incoherent thoughts, loosely bound by the idea of "forensics" but clearly not subjected to any real planning or oversight. This book is very similar to the Syngress book "Botnets" which I gave 2 stars in 2008, and as you might expect features one of the same authors. Save your money and skip DFFNIACC; only the chapter on NetFlow and another offering a general overview of NetWitness are worth reading.
DFFNIACC features all the worst qualities one sometimes finds in Syngress books: nonexistent copyediting, haphazard assortments of uncoordinated chapters from multiple authors, worthless filler chapters, and a lack of focus. I am convinced that no one read this book, or even a rough outline, and asked "what are you talking about?" For example, chapter 1 (the only section in "Part I: Introduction") is titled "What is network forensics?" but the chapter is all about "the Cloud." What? Similarly, Part VI, "The Future of Network Forensics," features two chapters -- "The Future of Cloud Computing" and "The Future of Network Forensics." Again, what is this obsession with "Cloud" and network forensics? I am fully aware of cloud providers who successfully use network forensics in certain circumstances, but network forensics is not some special approach designed for clouds.
On the "filler" topic, chapter 4 is a waste of 16 pages. Can anyone explain why the reader needs an overview of TCP headers, but no other aspects of network traffic? The following chapter, called "Using Snort for Network-Based Forensics," is worthless. The reader sees 19 pages yet no example output.
Elsewhere, I question the author's technical awareness. For example, p 25 says "The Advanced Packaging Tool apt-get utility can be used to retrieve and install tcpdump in most Unix implementations." Maybe that's true for Debian-based Linux operating systems, but I don't see too many Unix admins using Apt elsewhere. On p 35 the author says, while discussing recommended snap lengths for capture, "If you are interested in DNS data, you should set s = 4096 or greater." Why? On p 28 the author writes that the -w option for tcpdump "writes the results to file. This could also be accomplished by IO redirection at the command line." No, if you use "IO redirection" you're going to write a text-based representation of traffic to disk, not the libpcap format version of network traffic enabled by -w.
I unfortunately found other sections to be just annoying. Several times in the book the author mentions "our ISP" and "Portland State University." This is supposed to be important, because...? These chapters required a copyeditor to sit down with the author and ask "how do you think a reader is supposed to make sense of this material?" Regarding figures in the book, multiple diagrams (2-16, 3-17, etc.) are completely unreadable. Others are fuzzy, show text far too small, or otherwise add nothing. The book probably introduces three or more competing "models" or discussions of detection and response, clearly reflecting the multiple authors. Why didn't they collaborate on one section? Finally, I was very annoyed to see on p 306 the author clearly paraphrase work I had done on the four forms of Network Security Monitoring data. Unfortunately, despite citing other authors, they ignore my work and don't even really understand what they're talking about.
The only bright spot in this book is chapter 6, and that is because it covers NetFlow v9. Most books on NetFlow don't cover v9, so I liked seeing at least some coverage. The chapter was fairly well written as well.
In short, skip DFFNIACC. It's as bad as "Botnets." I want several hours of my life back.
Comments