Computer Forensics Column

On-line copies Dan Farmer and Wietse Venema's column series for the Doctor Dobb's Journal. Links will be added to this page as columns appear in print.

A short list of errata is listed here.

Forensic Computer Analysis: an Introduction by Dan and Wietse (September 2000).
An introduction to the subject of computer forensic analysis and to some of the technical traps and pitfalls that one needs to be aware of.
What are MACtimes? by Dan (October 2000).
Reconstructing the past from file access patterns, using the time stamps that are recorded by UNIX and Windows file systems. This column introduces the mactime tool.
Strangers in the night by Wietse (November 2000).
An intruder leaves behind a running program of unknown origin. The executable file is deleted. How does one figure out the purpose of a running program without triggering a possible logical bomb?
Wanted, dead or alive by Wietse (December 2000).
An intruder compromises a friend's machine and deletes most of the files. To investigate the case, Dan and Wietse write the first version of their file recovery tools and stumble from discovery into discovery. By looking at file access time patterns of deleted file inodes, Wietse finds that deleted file information can stay around much longer than expected.
Bring out your dead by Dan (January 2001)
This is part two on Dan and Wietse's experiences with recovering files from a thrashed machine. Dan presents the lazarus program, an amazing tool to sift through deleted information.
Being prepared for intrusion by Dan and Wietse (April 2001)
This column is not about intrusion detection - it is about being prepared for the intrusion that will inevitably happen. The column discusses how to instrument hosts and networks, so that you can find out what happened, and so that you can avoid being taken by complete surprise.

Meanwhile, we have continued work on the book that is based on these columns and more. We hope to be done by the end of 2002.