Real Digital Forensics

You arrive at work and the first message in your voicemail is from one of your users saying that the webserver is “behaving strangely.” Your first thought is that it’s luser time, but you haven’t read your first ticket yet this morning so you figure you might as well take a leisurely stroll through the system while you sip your coffee.

Disk space looks okay. Load’s a little high, but not unusual. Process listing looks good, well, except you don’t run imapd on this machine. You run *lsof* on the process and the CWD (current working directory) is /tmp/.haxyourass. You feel your stomach sink and you can see the rest of your day pretty much going to hell. You’ve been hacked and some unscrupulous ne’er-do-well has installed software in /tmp and is sapping precious cycles from your webserver (among other things).
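The clue in that scenario, a long-running daemon whose working directory is a hidden folder under /tmp, is cheap to check for across every process at once. The script below is an added example for this review, not something from the book or its authors: it reads each process's cwd symlink from /proc (the same information lsof shows in its cwd row) and flags anything running out of a world-writable scratch directory. The function names and the sample process table are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the review or the book): flag processes whose working
# directory sits in a world-writable scratch location, the clue the story above
# pulls out of lsof. Helper names are hypothetical.

# Directories from which a legitimate long-running service almost never runs.
SCRATCH_DIRS="/tmp /var/tmp /dev/shm"

# flag_scratch_cwd: read "PID COMMAND CWD" records on stdin and print those whose
# CWD is one of SCRATCH_DIRS or lies beneath it. Pure text filter, so it can be
# exercised offline on a captured listing as well as on live /proc data.
flag_scratch_cwd() {
    while read -r pid comm cwd; do
        [ -z "$pid" ] && continue
        for d in $SCRATCH_DIRS; do
            case "$cwd" in
                "$d"|"$d"/*) printf '%s %s %s\n' "$pid" "$comm" "$cwd"; break ;;
            esac
        done
    done
}

# live_process_cwds: emit "PID COMMAND CWD" for every process in /proc by
# resolving the cwd symlink directly; processes that exit mid-scan are skipped.
live_process_cwds() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue
        printf '%s %s %s\n' "$pid" "$comm" "$cwd"
    done
}

# Constructed sample mirroring the scenario: httpd workers rooted at /, and an
# imapd nobody installed running out of a hidden directory under /tmp.
SAMPLE_PS='
1 init /
812 httpd /
813 httpd /
4242 imapd /tmp/.haxyourass
5100 bash /home/ops
5200 sshd /var/tmp/.cache
'

# Run against the live system with --live; with no argument, use the sample.
if [ "${1:-}" = "--live" ]; then
    live_process_cwds | flag_scratch_cwd
else
    printf '%s\n' "$SAMPLE_PS" | flag_scratch_cwd
fi
```

On the sample the filter reports only the imapd in /tmp/.haxyourass and the sshd in /var/tmp/.cache; the httpd workers and the interactive shell pass. A hit is a prompt for investigation rather than proof of compromise, since a few legitimate tools do chdir into /tmp, but for a webserver the list should normally be empty.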

These are the types of case studies that Jones, Bejtlich, and Rose tackle in their book titled Real Digital Forensics. The book starts out by describing a half dozen scenarios ranging from intellectual property theft to good old-fashioned external intrusion. The natural progression of the topics made it enjoyable to read. I found myself eagerly anticipating learning how to uncover the clue that would finally implicate the bad guy.

The highlights:

  • discussed both Windows and Linux
  • each acquisition/discovery was done with both commercial and freeware tools¹
  • talked about network based evidence
  • explained the difference between volatile vs. non-volatile evidence
  • forensic duplication (hard drives, PDAs, flash memory)

¹ Reconstructing a registry was the only thing for which they were unable to offer a freeware alternative.