I met Chet Hosmer at DFRWS in Providence, Rhode Island, earlier this year. Over lunch I explained my upcoming digital forensics book to him, and he was very supportive. When I arrived back in England a copy of one of his books was waiting for me, along with an encouraging note.
Well, the DFIR book project has taken a backseat over the last few months due to me taking on a new psychology of religion research project, but maybe it’ll come back. In the meantime I thought I’d take a look at Chet’s book and write a quick review of it.
Ensuring the integrity of evidence is one of the most important parts of the digital forensic investigation process, and yet according to some reports it is one of the most frequently overlooked in courses on the subject.
The title of Hosmer, Bartolomie & Pelli’s book is Executing Windows Command Line Investigations While Ensuring Evidentiary Integrity, and as far as I can tell it is the only book that gives a step-by-step guide to the Windows command line for DFIR practitioners.
Sensibly, the book begins with a discussion of the impact of Windows command line investigations. Not only does this set the scene for why the book’s subject is important, it also helps investigators to understand some of the situations in which command line investigations might be necessary and some of the vulnerabilities they might come across.
Various cybercrimes are discussed, from hacktivism to extortion, and from crimes against children to botnets. Having given an overview of the most common types of cybercrime seen today, the book then provides some direct examples of recent activity, including the Heartbleed OpenSSL vulnerability and the POODLE attack.