Friday, September 14, 2012

Network Forensics Books


Recently, I picked up a copy of both "Network Forensics: Tracking Hackers Through Cyberspace" by Sherri Davidoff and Jonathan Ham and "Mastering Windows Network Forensics and Investigation 2e" (MWNFI) by Steve Anson, Steve Bunting, Ryan Johnson and Scott Pearson.  Coming off of host-based forensic stint for the first half of the year I was looking to advance some skills and pick up some more knowledge on network forensics.  Both these books came out this year and have some good offerings.  

I first read MWNFI and thought it was pretty good.  It was a quicker read for me as I felt a lot of it rehashed a lot of Harlan Carvey's Windows Forensic books.  So if you've read those this is a good refresher.  If not it's a good way to start learning digital forensic knowledge.  The book has a good layout and explained things clearly with scenarios and example data.  I feel the book really gave me the most value in its chapters and references for Windows event logs.  It provides a great reference for various Windows event logs to check for and variations in codes that may appear in that log.  It also does a decent job on touching how to present some of the investigation data.  However, I would say this book is better at explaining Windows forensics than it is in net forensics.  So, I found it disappointing in that regard.

Network Forensics, on the other hand, was exactly what I wanted.  This book covers network forensics superbly!  The authors break down each facet of network investigations from covering the fundamentals and then diving into the technical aspects of the investigation process from devices you may encounter to protocols.  You will learn how to go from capturing evidence, to analyzing the data and finally how to interpret it and place it in context for your needs.  Every chapter provides a lot of knowledge and you can tell the authors have a lot of practical knowledge that bleed into the text.  They provide analysis examples with a Case Study at the end the chapters.  Which was a great way to summarize the chapters in my opinion.  It was fun because you're tracking malicious activity while you're reading and they break it down in a technical matter that is easy to follow.

I would say MWNFI is a good reference to have; but if you're already up on recent Windows forensics you won't find a lot of value in the book.  I honestly keep it because of the event log reference.  Network Forensics, to me, is a must for anyone.  It's an invaluable reference source for the topic.  I will probably end up going back to it throughout the years as it covers a lot of stuff I have not seen yet, it's incredibly technical and easy to follow.  I have faith you will not regret the decision to buy the book.