Daniel Geer introduces the notion of forensics as a "craft" in his Foreword to Network Forensics: Tracking Hackers Through Cyberspace, and Sherri Davidoff and Jonathan Ham tackle the daunting task of explaining forensic investigation as a craft, introduce the tools of the trade, and show admirably well how to become a craftsman.
The book begins by providing foundational material for three important forensic concepts. The authors illustrate the role network forensics plays in an investigation using real-world cases, explain the different kinds of evidence and how evidence must be collected to be admissible in court, and introduce an investigative methodology, OSCAR (Obtain information, Strategize, Collect evidence, Analyze, Report). The authors next explain the forensic value of the hardware elements found in most networks. They then provide a cursory discussion of protocols and warm my heart by recommending W. Richard Stevens' TCP/IP Illustrated for those who want to understand TCP/IP networking. [Stevens actually published three volumes in the TCP/IP Illustrated series and a complementary UNIX Network Programming.]
A chapter on evidence acquisition provides succinct, insightful discussions of physical interception and traffic acquisition: I particularly like that the authors make a point of answering what, why, and how. A chapter on packet analysis uses case studies, sample commands, and console output (or screenshots) to explain how to analyze protocols, flows, and higher-level traffic, all done very much in the style of TCP/IP Illustrated.
A chapter on statistical flow analysis illustrates how network traffic can be used to identify not only suspicious or malicious activity, but also the parties who perform it and their objectives (targets). This chapter explains how "intel" can be gathered from multiple locations, aggregated, and then analyzed. The authors list a dizzying number of tools and their uses, and put the methodology and tool kit to work in a case study: following how the authors compose a theory of the case of The Curious Mr. X should be great fun for any wannabe investigator.
The good stuff just keeps coming. Chapters on wireless network forensics and network intrusion detection follow the same form, and the case studies here (HackMe, Inc. and InterOptic Saves the Planet) were less interesting to me only because I was already familiar with these scenarios. Chapters on finding and using logs, middleboxes (firewalls, routers, switches), and web proxies as sources of evidence are equally valuable for organizations that want to instrument their networks so that they can contend with and recover from incidents.
Davidoff and Ham conclude the book with two chapters on advanced topics: network tunneling and malware evolution. These chapters hint at how the craft of network forensics must evolve to keep pace with formidable adversaries.
With so much information freely available via the web today, and especially with a subject matter that seems to evolve at Internet pace, there is always a temptation to think that a book offers too narrow a snapshot of an evolving landscape. Network Forensics: Tracking Hackers Through Cyberspace (Hardcover, Kindle) disproves this assertion by providing perspective, context, and, most important, a methodology that you can practice. And practice... And practice...