Book Title: Cisco Router and Switch Forensics
Subtitle: Investigating and Analyzing Malicious Network Activity
Author(s): Dale Liu, et al
Date of Publishing: 28 April 2009
Price (UK&US price – full price, not discounted price): £35.99 (UK), $59.95 (USA)
URL of Publisher Site: Syngress
URL of Amazon UK web page: Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity
URL of Amazon UK (Kindle) web page: Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity
URL of Amazon US web page: Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity
URL of Amazon US (Kindle) web page: Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity
This is a very specialized field of study, so to be honest I was really impressed that Syngress even published a book on this topic as it’s so niche. However, it does a great job, pulling together expert opinion and techniques from a plethora of authors (Dale Liu has no less than 10 contributing authors, all experts in their own right), not only covering the technical aspects of forensics on networking equipment, but also putting forensics in context with regard to these devices, i.e. “where forensics fits within the entire process of an investigation, from incident response and data collection to preparing a report and legal testimony.”The book is arranged into 13 numbered chapters following a good introduction and overview to the topic. Chapters 1 and 2 properly set the scene for the analyst, describing what digital forensics is all about, then discussing methods for data analysis on a single PC as well as in an enterprise, then they go on to look at some of the pitfalls forensic analysis face today, such as encryption and virtual machines. Chapter 2 looks into some of the myriad problem an investigator will face when seizing data and explains some of the processes and procedures needed to maintain the chain of evidence. This introduction is a good overview and refresher, but I’d not recommend that it’s the only source an administrator would use to determine if they are fully ready for a forensic investigation. Reading Casey’s “Digital Forensics and investigation” is probably the best start that a potential analyst could have. Chapter 3 takes us into the world of the network administrator and discusses some of the typical threats from social engineering you might face and how social networking sites can help determine where the attacks might be coming from. Chapter 4 and 5 discuss the first response, what the analyst should do when he or she first appears at the scene of the investigation, detailing how to construct a useful network diagram to use as the blueprint map for the forthcoming investigation. Chapter 6 is a primer on Cisco IOS that is necessary before launching into subsequent Chapter 7 and Chapter 8 where we get a glimpse into the mindset of the attacker and how the investigator would go about collecting non-volatile information from a router. Chapter 9 follows with a discussion about volatile data held on the router and how best to get it off. This is always one of the biggest headaches for the digital forensics investigator, and this chapter does a great job of walking you through using tools, such as Wireshark, the Boston Network Simulator and RAT (Router Audit Tool). Chapters 10 and 11 are an introduction to the Cisco IOS on network switches and how you would go about performing forensic analysis (non-volatile and volatile analysis) on those devices. Much of this information is a repeat of the router forensics previously covered but there are subtle differences that are well explained.
Finally, the book concludes with Chapter 12 and 13 where the authors discuss the preparation of your expert witness report, then the final stage of the forensics process: getting ready for expert testimony in court.
All in all this is a well rounded book, good value for money and gives a great insight into performing network forensics on all kinds of Cisco IOS enabled devices. As with any good forensics book, it also looks at the preparation and report admission process that InfoSec Reviewers know is just as important as the technical stuff. Well worth the money and recommended purchase.
Marks: 5 out of 5