Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Book Reviews Books Media

Windows Forensic Analysis 82

Posted by samzenpus from the read-all-about-it dept.
Don Wolf writes "Computer forensics is a rapidly growing discipline and an even faster growing business. Whether it's the natural progression of technological science pertaining to crime or perhaps the digression of a few elite information security professionals, computer forensics is every so slowly gaining credibility in the otherwise PhD dominated field of criminal science. Computer evidence continues to be showcased in some of the most high-profile and controversial court cases in history, from the murder case of Lasie Peterson to the multi-billion dollar Enron scandal. Whether society will allow it or not, computer forensics geeks will play pivotal roles in the prevalence of justice." Keep reading for the rest of Don's review.
Windows Forensic Analysis DVD Toolkit
author Harlan Carvey
pages 416
publisher Syngress
rating 9
reviewer Don Wolf
ISBN 9781597491563
summary Incident Response and Cybercrime Investigation Secrets
While on the road to computer forensic enlightenment I realized early on that many parallels existed between computer forensics and incident response. A number of great authors have published books on incident response, one of which is a gentleman by the name of Harlan Carvey. So when a friendly but cleverly personalized bookstore email rolled in with Harlan's newest book showcased, I thought it might be worthwhile to see what he's been up to.

The book titled "Windows Forensic Analysis", takes a hands-on and in-depth approach to forensic discovery of Windows systems. Some may scoff at the mere suggestion that a point-and-click operating system necessitates the granular analysis of forensics, but make no mistake, beyond Windows' simplicity are numerous complex elements, sometimes cryptic, and many undocumented.

Always looking for a tip here and there, I found more Windows forensics tips here than I have anywhere else. While I've read only about half-a-dozen books on operating system forensics, this one stands out because the material is clearly drawn from the author's experience which, in my opinion, lends real credibility to the book. Granted, technical books are always reviewed for accuracy and truthfulness, but this one carries its own weight with the sheer amount of tips and real-life sidebars. No hash tables, no unnecessary screen dumps, and certainly no reprinted Microsoft documentation. The author does a great job on footnoting and includes plenty of links to additional information. Additionally, there are sections dedicated for FAQ's, as well as "tools and traps".

Having read the book through, I can tell you it flows well from chapter to chapter and continues to draw you in, somewhat unusual for a technical reference — when was the last time you were drawn into a textbook? I'm not sure how one decides to organize the chapters, but I suspect it was not a random decision. Looking back I can see that there is a logical order to the chapter sequence, perhaps suggesting an order in which to forensically process a Windows computer. The book starts with 'live' response, followed by memory analysis, registry analysis, file analysis, and finally rootkit detection — analysis in order of volatility I suppose.

I've heard a lot of praise regarding this books chapter on registry analysis, some claiming it to be worth the price of the book alone. Don't be mislead to believe that it is the crux or single focus of the book, it's not. In my opinion the reason the chapter stands out is because most forensics analysts I've met aren't particularly strong in the area of registry analysis and therefore may find the chapter a revelation. It's true, the chapter is strong and offers exceptional insight, however, I found the book to be almost equally weighted chapter by chapter.

I personally found the chapter regarding memory analysis to be a stand-out. RAM has the potential to store a ton of evidence, however, it's always been viewed as extremely volatile. Not only is it likely to be flushed with a power-cycle, but it's also susceptible to be purged simply through the normal actions of a computer user, or in our case, forensic analysts. I was happy to see a good section on the pros and cons of dumping the many different areas of physical memory. The author proves that there is life after a reboot and demonstrates how to recover at least partial RAM contents from various areas.

Overall there is plenty of theory, plenty of technique, and plenty of command-line examples. On the subject of command-line examples, the author provides a great collection of scripts and examples on the accompanying DVD. The examples all appear to work as describe, a rarity given the many possible computer configurations, just the same the author is thoughtful enough to point out possible exceptions and explanations when there is an opportunity for a particular command or technique to fail.

If I can quote a comment made by one of my associates, he said "The book provided more than just tips and techniques, it provides food for thought and helps one develop their own personal approach to Windows forensics". I totally agree. Furthermore, I found that while I learned a few new things, I also finished the book with lots of questions in mind. Is that a shortcoming of the book? No. Based on the detailed coverage of the book, I was able to identify my own shortcomings and areas I need to explore further. If you want to pursue Windows forensics and already have a good understanding of the principals and ethics of computer forensics, I highly suggest starting with this book.

You can purchase Windows Forensic Analysis DVD Toolkit from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Windows Forensic Analysis More

Windows Forensic Analysis

Comments Filter:
  • I stumbled across this guide to deconstructing a C++ exception.

    http://blogs.msdn.com/slavao/archive/2005/01/30/363428.aspx [msdn.com]

    Lots of this is applicable to any platform, not just Windows.

  • Oh... (Score:1, Funny)

    by heteromonomer ( 698504 )
    Looking at the title I thought it's about forensic analysis of why my windows died.

  • I don't have any experience in this myself. (Score:5, Funny)

    by Paranatural ( 661514 ) on Monday March 31, 2008 @02:17PM (#22923382)
    However I did have a friend who ended up working for the feds 'Internet Crimes Division'. I.E. Child Porn. There are a lot of neat tools out this, write blockers and whatnot.

    However, what I am really writing to say is that people used to ask him what he did for a living, and he'd respond:

    "Oh, I'm in the child porn business."

    Guys who are in that line of work tend to have rather dark senses of humor :)

  • The problem is the WHO that is doing the analysis (Score:1, Informative)

    by Anonymous Coward
    Most of the time, the person doing the analysis is the crooked cop who placed the bogus "evidence" on the computer in the first place, or the same person who is then going to try to "find" that "evidence" in a laboratory situation.

    Anyone who believes there is even *ONE* honest law enforcement agent in the entire U.S.A, probably even the entire world, is incredibly naive.

    --Signed... an unfortunate victim of a crooked cop who planted bogus evidence on my computer systems after perjuring himself on affid
    • Ouch dude, sorry to hear that - I've done more than my fair share of computer evidence seizures and the procedure in my country leaves no room for planting evidence anywhere.

      1. md5sum the suspect drive image
      2. dd it to an acquisition drive
      3. md5 the acquired image and the checksums must match
      4. All of this with you and your lawyer and the plaintiff's lawyer (if applicable) present so that you can make notes of the md5sum, the size of the image, the drive serial number and so on.

      The acquired image is left wi
      • Or suppose that the evidence is planted before or during seizure, before any lawyers get involved. When only one or two cops are coming to pick up someone's equipment, it is highly likely that evidence can be planted without getting noticed.

        md5summing or not, all the trust is placed in the prosecutor's lab. There are too many opportunities for wrongdoing.

        • Re: (Score:2)

          by Sancho ( 17056 )
          Encrypt your drive. When they demand the keys, get your lawyer to demand that a defense expert be involved in the extraction portion of the evidence gathering.
          • How exactly does encrypting your drive protect you from evidence-planting? You forget about external drives and CDRs that may be found lying around...
          • yeah, but when quantum crypto starts shipping, crypto as we know it will be worthless.

            • Re: (Score:2)

              by Sancho ( 17056 )
              Strictly speaking, quantum cryptography really has nothing to do with it. Quantum cryptography has more to do with detecting when a conversation has been overheard. It's useful for transmitting session keys--if the session key conversation was overheard, just don't use those keys. If it wasn't overheard, it's fairly safe to proceed. Quantum cryptography, thus, aids in symmetric key exchange (key exchange, in general, being the hardest part of cryptography between two people--a problem solved by asymmetr
        • Not specific to computer evidence, government mooks have been planting drugs this way for decades. This is why you should know how to handle a search/seize warrant. The cops who show up are going to try to shove you out and leave them to do whatever they want on their own, largely by claiming that they can and getting in your face. They're lying. You're entitled to make them stand on the doorstep while you wait for a witness to arrive and observe them, and if they don't, or do anything out of sight of the w
        • A business client of mine had every computer in his home taken (I believe 5) on charges of child porn being downloaded from his cable IP address. Then the police said they found 4 videos on a PC and kept pressing for him to admit his wrong doing. Luckily he was past law enforcement, and had a lawyer, so he didn't lie. Long story short - 3 months of hassle and all charges were dropped, all equipment returned, and police admitting there were no files found.

          Open wifi along a busy road was most likely to blame.

      • Beware the MD5 defense (Score:2, Interesting)

        by jnv11 ( 576828 )

        There are cases where the use of MD5, which is considered broken quite thoroughly, will get the case thrown out of court. See Bruce Schneier's blog entry about the MD5 defense [schneier.com]. Time to upgrade your hash algorithm. Some smart lawyers are able to use the fact that MD5 is broken to make a judge believe that the evidence could have been doctored to produce an MD5 collision with planted evidence.

        • Re: (Score:2)

          by mav[LAG] ( 31387 )
          Thanks for the heads up - looks like sha256 for me from here on in just to be safe. That having been said, in our courts someone would have to demonstrate how to perform such a plant with successful collision to be taken seriously. Hand-waving in the face of odds to the order of one in a few quintillion doesn't cut it.

    • Exactly that type of nonsense can be found in nearly every piece of paperwork filed by any prosecutor or police officer.


      To be fair, half of that is regular old stupidity and incompetence, rather than actual corruption. Lawyers and police are much the same as everybody else: most of them are idiots who are not capable of doing their job correctly.
    • Anyone who believes there is even *ONE* honest law enforcement agent in the entire U.S.A, probably even the entire world, is incredibly naive.

      and the word of the anonymous coward is to be taken as gospel truth.

      at least on Slashdot.

      the geek who brings this attitude into court has two strikes against him even if can make the argument plausible in his own case.

    • Anyone who believes there is even *ONE* honest law enforcement agent in the entire U.S.A, probably even the entire world, is incredibly naive.

      --Signed... an unfortunate victim of a crooked cop who planted bogus evidence on my computer systems after perjuring himself on affidavit's to get search warrants for them

      Ahh yes, another over generalization brought to us by a fellow slashdot user. I think you are the naive one if you believe 1 crooked cop is representative of the whole.

    • good comment.
      i have seen way toooo many clueless people run forensics tools expecting to find the smoking gun.

      the tools are like 15% of the job.
      it is smartness and more to really make it work.

      sorry scriptkiddies!

  • Where's the chapter on... (Score:3, Interesting)

    by UncleTogie ( 1004853 ) * on Monday March 31, 2008 @02:20PM (#22923406) Homepage Journal

    ..getting certified in your local area? Texas, for example, requires you have a P.I. license for computer forensic work, but online resources on how to actually GET one are mighty scarce...

    • Getting a P.I. in Texas is very difficult. (Score:2, Insightful)

      by Anonymous Coward
      If you look at all the requirements to getting a P.I. license in Texas, you can't help but come to the conclusion that a very powerful law enforcement political lobby has over the years carefully and craftily influenced and "engineered" the legislation in such a way that there seems to be overt intent that the whole P.I. industry to be owned, operated, and staffed by former or retired cops, to the exclusion of everyone else. The laws don't explicitly prohibit someone coming from a non-former-law-enforcement
      • This is one where bureaucracy has gone awry. . .

        I understnad the desire by the State of Texas to regulate a marketplace that has significant opportunities for abuse/legal ramifications. Hence, getting a Private Investigators license makes sense, as does a variety of security consultants. These people can carry guns, can directly interface with the populace and if the wrong characters were introduced to the field, well a lot of bad things could happen to people directly. So, I understand and agree with

    • Re:Where's the chapter on... (Score:4, Insightful)

      by querist ( 97166 ) on Monday March 31, 2008 @02:41PM (#22923584) Homepage
      South Carolina is considering such a law, and there are several states that already have one.

      Also, there are several good certifications out there, such as CCE and GCFA (SANS/GIAC). I know there are others that are only available to law enforcement (which I am not).

      I find two things troubling about this trend:

      1. It seems to be an effort for PIs to grab a new market and ensure their exclusive access to a market. (I know - police can do this, but I'm talking about making a profit doing it.)

      2. Whenever governments start to regulate qualifications for a profession, qualified people are going to be left out or unqualified people will be let in. Either they insist on one specific certification or accreditation, and excellent people without the cert suffer, or they "grandfather" current practitioners and we obtain people who are not qualified. An alternative to the traditional "grandfather" clause could be to "grandfather" current practitioners and give them a license cycle (or some other reasonable period) to meet the requirements. E.g., if the license lasts for two years, you have two years to meet the official requirements or your license will lapse.

      I would strongly recommend continuing ed (which the good certs require) as well, just like doctors, nurses, and engineers (as well as others).
      • The chapter on ethics! Seems that this is more in the realm of Tech Law to me, what most people are terming "Forensics" (Which a quick g00g13 list almost 2 million hits) are actually firms or individuals that reverse engineer application code for the proving of intellectual property violations, provide "expert technical" testimony in court or, in some other way use their grasp of technology to the detriment of any soul that has the unfortunate turn of events that leads you to cross in front of them.

        Hell
    • If you can't dig up the instructions on how to become a PI, then perhaps that line of work is not for you!

    • Re: (Score:2)

      by 0racle ( 667029 )
      Technically, you only need a PI license if you're going to be testifying in a court room.

      • Technically, you only need a PI license if you're going to be testifying in a court room.

        Technically, no. Check the bolded text here:

        "The Private Security Act construes an investigator as one who obtains information related to the "identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person; the location, disposition, or recovery of lost or stolen property; the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property; or for the purpose of securing evidence for use in court.

        It also covers insurance claims, t'would appear...

  • Encrypt early, encrypt often (and do it properly).
    • Properly?

      Like what, encrypting your disk? Or encrypting your memory? Or realizing that both memory encryption and full disk encryption can both be defeated with physical access?
      • Don't leave your passphrase on a post-it. Don't use a short passphrase. Don't use known-weak algorithms (MD5, SHA1 for hashing, DES for encryption, etc.) Don't leave your pagefile unencrypted, etc, etc. Install a case-open detector that will pull the power.
  • "Whether society will allow it or not, computer forensics geeks will play pivotal roles in the prevalence of justice."

    If society won't allow something, it wouldn't play a pivotal role.
  • And I can say without a doubt that Windows is a huge boon for anyone wanting to dig up dirt on anything anyone else does. That class, which was a 400 level State University class taught me every registry key and every hiding place Windows uses to record everything the user does. Its scary.

    • Re: (Score:3, Insightful)

      by value_added ( 719364 )
      That class, which was a 400 level State University class taught me every registry key and every hiding place Windows uses to record everything the user does. Its scary.

      Hiding place?

      Windows has to store the result of all your pointing and clicking and radio button selection somewhere. How do you expect the back button in Windows Explorer to work, for example, if your last visited directory wasn't recorded somewhere?

      The only scary part in all this is the registry itself. Almost as bad is that if you don't h

      • Re: (Score:2)

        by mgblst ( 80109 )
        Well, windows explorer could record it in memory. It is not like you can close down explorer, run it again and use the back button, so why does it need to store it anywhere over than in its own memory.
        • Well, windows explorer could record it in memory. It is not like you can close down explorer, run it again and use the back button, so why does it need to store it anywhere over than in its own memory.

          I cited a trivial example, but that said, there's numerous (countless, perhaps) places where history of all sorts is typically recorded, by Windows Explorer, by the Run or Open With dialog boxes, by different parts of Windows, by installed applications, and so on. Most people rely on such things as their Star
    • boon means good, right :)

  • How much of a demand is out there for people with strong computer forensic skills? Are most of the jobs 'outsourced' through Service Providers and security vendors, or is there an internal need inside medium-to-large Enterprises?

    I have a strong background in security, networking, PCs/desktop (going all the way back to WFW 3.11), servers, databases, firewalls, IPS, etc, and was looking at adding Forensics to my skillset. I'm genuinely interested in the topic and think I'd be good at it if I put my mind

    • Re: (Score:1, Informative)

      by Anonymous Coward
      I actually have a degree in Computer Forensics, and the only place looking to hire me were police departments, and all of them wanted me to become a police officer for several years before I could even think about doing forensics work.
      • That's probably why there isn't a good cop to be found anywhere.

        Recipe for a bad cop:

        * 1 brilliant young adult with good intentions
        * 1 hopelessly corrupt legal system
        * 1 underfunded municipal system (i.e. all of them!)
        * 4 years

        Yields 1 serving of careless police agent, every time. Serve cold.
    • Sounds like you have the best possible background for computer forensic work. Go do a bio on Harlan, you'll see he has had similar experience. You've also caught on that it is it's own microcosm of specialties. Like any job, you get better with the more time and effort you put into it.

    • Re: (Score:2)

      by cdrguru ( 88047 )
      Corporate security jobs, which you seem to be alluding to, are few and far between in requiring any real "forensic" background or knowledge.

      Most of the people I know and work with that are in computer forensics are either in law enforcement or consulting work. Some very large corporations have the need of a forensic analyst or two but not many. The general preference is to hire an outsider to do the work, someone that is not part of the corporate political scene.

      The one other place that hires forensic ana
  • As the reviewer mentions, forensics and IR work is a quickly growing field. The company I work for does quite a bit of this sort of thing, and even in cases where you would expect not to find much on a disk image, you almost always do. Out of 4 recent clients that we've performed this sort of work for, 3 of them had either prefab or custom malware floating around in their environments - real nasty stuff. The fourth had big fat rootkits installed all over the place. Kind of speaks volumes about the differen

  • My juror experience in a computer forensics trial (Score:4, Interesting)

    by Scorpinox ( 479613 ) on Monday March 31, 2008 @03:38PM (#22924122)
    Just a couple weeks ago I was a juror in a child pornography case, I was in the unique position of being the only geek on the jury in this case that was all about computer evidence.

    The case was simple, the defendant had been caught by his wife viewing the explicit material, the wife took the computer tower to the police along with several floppy disks (this was 6 years ago). The defendant had deleted all the materials, but the forensics expert found the recently viewed material still on the hard drive.

    The computer forensics expert detailed how he recovered the material, by imaging the hard drive and recovering the access dates. The floppies also contained some explicit materials, again which were deleted but then recovered, apparently it was impossible to recover the access dates on the floppy files, the forensic expert testified that some of the dates were in fact accurate, and some not, when from my brief overview, it was obvious that most of the dates were innacurate, so basically the forensics expert screwed up and didn't know what he was talking about in regards to the dates recovered from the floppy.

    The interesting part of the case was that the defendent was charged with 53 counts of "sexual exploitation of children, possession" (having child porn) and 2 counts of "sexual exploitation of children, creating, making, or preparing". Those last 2 counts were charged because the defendant copied the pictures onto a floppy disk, not because he filmed it or put it on a website, he was making a backup of the files. I'm relieved to say that the jury agreed that making a backup of the files is not the same as "creating, making, or preparing", but we did find the guy guilty for possession.

    For anyone thinking about getting into this field, you're likely to have to view a lot of really f*ing disgusting photos, then look at them closely and document everything about those photos. You really are going to need a good stomach for viewing that stuff, I know I probably couldn't do it because just seeing the photos submitted as evidence was enough to almost make me sick, I couldn't imagine having that guys job and have to be exposed to those things all the time.
    • Now see, this is the kind of stuff I just don't understand. If you are going to look at child porn or whatever, why not take the simple steps to protect yourself.

      How hard is it to slipstream a Knoppix CD with truecrypt and all of your codecs, open the case of your laptop and disconnect the hard drive (just in case), pull the battery out of your laptop so you can just pull the plug and have instant off, find a hotspot to download your porn at, boot up on the Knoppix CD, create an encrypted truecrypt volum

      • Actually, the defendant did have some software to completely erase data hidden on a hard drive, but because his wife took the tower halfway through him viewing the stuff, he got caught with it. Plus this was 6 years ago when the guy was running windows 95 on his HP, I don't think he really knew much about this stuff.
    • Well... I have much to say....

      First of all, I think it is unfair to say that all Police officers plant evidence. There are some really decent and intelligent LEOs out there. And.. There are some really indecent and dumb LEOs out there too..

      In my field (and Digital Forensics is my field), there is too much room for error to automatically assume that because someone has CP on their machine, they must be guilty of the criminal act of possessing it, or because they may have had in in a shared folder they must b
      • >>The scariest thing about a criminal prosecution for CP related charges, is to have a "computer illiterate Jury" that can be swayed by a load of crap for a Prosecutor and/or the ignorance of a Detective

        ^ I completely agree with that, I was worried throughout the trial that I would have to educate the jury on simple terms they used in the trial and how the defendant was found with the CP on his computer. Luckily though, it was pretty much moot, since it was obvious that he intentionally was viewing t
  • Physical memory analysis is an up and coming challenge for many law enforcement agencies. How can you guarantee that a suspect's computer was not infected by some bad memory-only malware? Current tools only address the hard drive and what it contains. There has been a lot of research into physical memory analysis over the past few years:

    Rootkit.com: has been researching physical memory for years http://www.rootkit.com/newsread.php?newsid=130 [rootkit.com], but in a slightly different context (hiding vs finding).

    Bla
  • When a writer doesn't appear to know that the past tense of "mislead" is "misled", I tend to take a jaundiced view of the rest of what is said. It may all be terribly astute, but I'll take my chances on ignoring it and waiting to see the opinions echoed by someone I can respect.
  • Lassie Peterson? What, Scott killed the dog, too?
  • The review author mentioned that he'd read other good books on computer forensics, could anyone offer a small list of titles for starting a small but good library in this field? I'm not likely or especially interested to get into the forensics field, but there have been more than a few occasions where some applied knowledge about computer forensics would've been helpful. I'm gonna take a look at this book, but a pointer to something related to Linux, MacOS, or anything else that'd be useful would be appre

    • Re: (Score:2)

      by Rurik ( 113882 )
      Brian Carrier's File System Forensics [amazon.com] is a staple book for anyone in forensics.

      I think that the majority of others are specialty training guides provided to those in the field, or just basic knowledge gained from experience.

      If you really want to learn more, download Sleuthkit/Autopsy [sleuthkit.org] (Sleuthkit is cmd line forensics tools, Autopsy is a web-based frontend to them) and just play. They're FOSS, and you'll learn more this way than any other. The tools were also written by Brian Carrier, author of the boo

  • Windows Machine Forensic Analysis..... (Score:4, Funny)

    by IHC Navistar ( 967161 ) on Monday March 31, 2008 @08:56PM (#22926908)
    Patient Info:

    CPU: Dual AMD dual core Opteron 276 processors.
    Sound Card: SoundBlaster Audigy II
    Video Card: ATI Radeon 8800 GT
    Memory: 4 GB PC 2700 ECC-Registered.
    Hard Disk: 2x 500GB, 1x 200GB
    Power Supply: 550W

    Notes: Prior to death, subject complained of memory loss, cognitive difficulty after recovering from sleep mode, frequent lock-ups, severe lethargy after sleeping, confusion and sluggishnes when completing complex tasks. Previous medical history notes several near-fatal seizures, necessitating the "re-learning" of basic functions on several different occasions. Cause of seizures is as yet sill unknown, as episodes appeared to happen seemingly at random, usually during inopportune moments. Previous physician notes that resuscitation of the patient was long and time consuming. Resuscitation was further complicated by the fact that the patient was revied in a "hypnotized" state, refusing tto cooperated with medicall staff unless the correct 16-digit alphanumeric "key" was spoken to them, with the key changing after each resuscitation.

    Previous Treatments Administered By Last Attending Physician:

    Prescribed one (1) copy of Linux, but patient refused.

    Time Of Death: 0832, 0901, 1055, 1129, 1344, 1508
    Method Of Death: Fatal Error
    Cause Of Death: Windows

    Precedures performed in determining occurence of death:
    Subject was BSOD on arrival
    Unresponsive to verbal stimuli: (shouting, cursing)
    Unresponsive to Sensory stimuli: (hitting, smacking with keyboard)

    Additional Notes / Instructions:

    As Coroner, it is recommended that the law enforcement agencies involved with the death of the subject investigate Mr. William Henry Gates III, and Steven Anthony Ballmer. Both subjects have known employment at Microsoft Corp. It has been determined by the Office Of The Coroner that a product known colloquially as "Windows", which was/is compiled, manufactured, and sold by Microsoft, while under the direct supervision and control of Mr. Gates and Mr. Ballmer, despite widespread reports of patients expiring from complications and/or adverse reactions after ingesting "Windows".
  • 1. Publish glowing book review on site read by millions of nerds/geeks
    2. Include link to Amazon with a referrer tag
    3. Profit!

    Thanks for helping me figure out step 2! Is this Slashdot's doing or the submitters?
  • I've always had an interest in getting into computer forensics field but do not wish to become a police officer. Is that the only way [slashdot.org]? What would be a basic roadmap toward a career in this field (for somebody that already has a CS degree)?
  • every BSOD tells a story. this is because Windows is connected to the Underworld. the diabolic and maddening part is a BSOD on Manson's computer, for instance, may reveal the details of one of Henry VIIIs death orders, or one of Saddam's.
  • Don, We really appreciate your kind review, and I believe the publisher of this book and Harlan's new book, Perl Scripting for IT Security Professionals [syngress.com] will appreciate it as well.

Slashdot Top Deals

What is research but a blind date with knowledge? -- Will Harvey

Close