Internet Forensics: Using Digital Evidence to Solve Computer Crime

Because it's so large and unregulated, the Internet is a fertile breeding ground for all kinds of scams and schemes. Usually it's your credit card number they're after, and they won't stop there. Not just mere annoyances, these scams are real crimes, with real victims. Now, thanks to Internet Forensics from O'Reilly, there's something you can do about it.
This practical guide to defending against Internet fraud gives you the skills you need to uncover the origins of the spammers, con artists, and identity thieves that plague the Internet. Targeted primarily at the developer community, Internet Forensics shows you how to extract the information that lies hidden in every email message, web page, and web server on the Internet. It describes the lengths the bad guys will go to cover their tracks, and offers tricks that you can use to see through their disguises. You'll also gain an understanding of how the Internet functions, and how spammers use these protocols to their devious advantage.
The book is organized around the core technologies of the Internet: email, web sites, servers, and browsers. Chapters describe how these are used and abused and show you how information hidden in each of them can be revealed. Short examples illustrate all the major techniques that are discussed. The ethical and legal issues that arise in the uncovering of Internet abuse are also addressed.

Not surprisingly, the audience for Internet Forensics is boundless. For developers, it's a serious foray into the world of Internet security; for weekend surfers fed up with spam, it's an entertaining and fun guide that lets them play amateur detective from the safe confines of their home or office.

238 pages, Paperback

First published January 1, 2005


About the author

Robert Jones


Robert Jones runs Craic Computing, a small bioinformatics company in Seattle that provides advanced software and data analysis services to the biotechnology industry. He was a bench molecular biologist for many years before programming got the better of him.

Community Reviews

Glenn, February 8, 2018
"Internet Forensics" is a highly readable introduction to the techniques, tools and philosophies of defense against -- and analysis of -- threats on the internet (spam, phishing, identity theft, etc.)

The book is aimed at developers and system administrators. Most of these will probably agree with Jones that there is no (and may never be a) "silver bullet" that can drive the scammers from our gates. (IMHO) Enforcement and government organizations are overwhelmed and focused on protecting the state and its infrastructure. Most internet security companies are focused on banks, monied corporations and the rewards of Wall Street. All of which leaves ordinary citizens under-informed and ill-prepared. Jones suggests that we, the community of developers, administrators, and open source enthusiasts, engage in a kind of collective "neighborhood watch" to block, thwart, uncover and report these scams. A philosophy with which I agree.

Two points: 1) The copyright of this book is 2006 and, although it is not severely dated, it could use some revision. 2) It is quite readable without understanding the Perl scripts. However, although I know that many readers will come to this book with a thorough knowledge of Perl, plowing through these scripts (if you want a thorough read as I did) was more of a challenge for me, with my PHP, C, C++ type of background and may be a challenge to those with more modern languages under their belt. Perl is a fairly unique language with a unique syntax, not easily read by CS people who don't have it in their repertoire. It was probably because of these 2 points (age and language) that I rated the book a 4 rather than a 5.

Excepting those minor criticisms, this was exactly the kind of short introduction I needed to this field to prepare myself for deeper reading. If that's the kind of thing you are looking for then this is a great book to start with!

----------------------------

The rest of this review is a kind of outline of the book's contents, with a comment here and there. Bypass if not interested...

After Chapter 1's introductory material, Jones begins Chapter 2 by discussing internet address tools (which analyze IP addresses, domains, hosting and DNS information) to uncover more data about scammers & spammers. Most of these tools are Unix or web-based although many have counterparts in Windows. He concludes this with an example on dissecting a Spam network.

Chapter 3 covers email. Since we all receive spam and phishing emails, this section gives us something useful to do with these. It tells us how to analyze the 5 classes of email headers -- what various lines mean, which can be easily forged and which can be trusted. Then he covers the practice of hijacking computers to create botnets which act as email (generally spam or phishing) relays - all this presented as background to the detection of this tactic through forensics. This leads us into a discussion of how computers get hijacked through trojans and viruses -- generally payloads in phishing emails. He presents an exercise of unzipping and running what appears to be a text file and is actually an executable containing a virus as a payload. (Since most of these are targeted to Windows, Jones suggests UNIX as the preferred OS for this kind of exercise.) Jones takes us through the tools used to analyze the contents of files like this and uses that to segue into a discussion on rule-based, statistical, and black-list-based email filtering.

Chapter 4 covers obfuscation - the methods by which the internet con artist disguises URLs (through padding and various encodings), encodes entire messages (through methods like base64), creates fake domain names that a cursory glance might take for real (bank, paypal, etc.) domain names, and creates submit forms that look like URLs. This is followed by a discussion on redirection (page-based, server-based), ending with a very clever redirection example in what appears to be an ebay.com URL.

Chapter 5 covers the analysis of web pages (generally ones of fake websites engaged in identity theft), covers some of the challenges of saving, mapping out and analyzing these pages and begins to present the first (in a long list) of perl scripts to attack these problems. This chapter also introduces the "Wayback Machine" as a way into scam sites that have been taken down. Here also, Jones covers hidden directories, directory listings and the problem of trying to look inside the "black box" at the server-side scripts of these sites, in some cases using creative guesswork to enter various values into forms and figure out what the form handler is doing in the background. He follows up with an in-depth example. Jones next discusses the emergence of Phishing toolkits around 2004 and explains the criminal ecosystem, with its various specializations, which would have nurtured these. Finally he discusses the Honeynet Project and how it was used to profile a website attack from beginning to end.

Chapter 6 covers the analysis of Web Servers, first covering the analysis of http headers in transactions between browsers and servers. This (2 or 3 pages) serves as a pretty good primer on what http headers are common to all servers and which vary, as well as the purpose of the most important headers. This is followed by a section on analyzing cookies (with examples), followed by further information on server redirection. Then he covers what level of control you have over your own (Apache) headers -- what information you might choose not to share. He wraps up the chapter with another example that covers what he has discussed on redirection, cookies and php scripting and includes some creative guesswork on URLs.

Chapter 7 covers web browsers -- what the server needs to be told about the browser to successfully return a page, and the way that transaction works. This is followed by a discussion of server logs, how to read those logs and what (of use) they might tell you. This has asides on things like detecting how often googlebot visits your site and a bit about the "Robot Exclusion Standard". This chapter also covers parsing Google queries for search terms. Although this was possible in 2006 when the book was written, it is (unfortunately) not possible today after Google has gone to https. This is followed by methods of protecting your privacy at the browser level using external proxies that can mask IP addresses, Privoxy which can process outgoing requests to modify User-Agent and other headers (as well as block cookies, popups and ads.) Then he covers external proxy servers and Proxy Networks which go one step further and protect someone from having their traffic tracked across a network. Jones provides, as an example, TOR, describes how it works and provides pros and cons.

Chapter 8 deals with file contents and gives interesting examples of what can be gleaned from things like Word document metadata and revision logs, and situations where the press and governments have been embarrassed by poorly redacting data in secret documents, which was discovered and caused embarrassment or scandal. He also covers plagiarism and its detection (again through his ubiquitous Perl scripts.) He ends with a number of interesting examples on failed redactions and provides recommendations on the right way to redact.

Chapter 9 covers methods to (at least attempt to) track people to their geographic locations. There are the easy methods, like whois or country specific domains. Then there are more sophisticated methods such as the analysis of hostnames (which sometimes reveal general locations or indicate the networks of which they are a part), reverse DNS lookups, analysis of traceroutes, timezone analysis, language analysis (charsets, etc.)

Chapter 10 delves into patterns of activity, including the identification of "signatures" in the files, filenames and servers common to sets of spam or scam campaigns. He gives a perl script to search for these signatures, but also identifies the problems with finding good signature patterns and the problem with variations introduced to beat spam filtering software. On top of that there are (or were) still technical problems with doing things like full text comparison to find matching signatures. Finally he demonstrates how it is possible to use internet search engines to uncover links between scam websites and other dubious operations.

Chapter 11 has a couple of great case studies which use all the techniques Jones has discussed in the book: 1) the "Tidball" study -- the analysis of a phishing scam, and 2) a study about uncovering spam networks.

Chapter 12 discusses how to take action, the organizations with whom to connect and (importantly) when not to take action. It includes a discussion on ethical action as opposed to vigilantism.
jesse, September 8, 2022
Great reference book for any Open Source Intelligence investigation and students in Cyber Security
Seth Kenlon, October 27, 2008
Fantastic book, worth at least two reads. At times it reads like a story, other times more like the technical course that it is. This explains IPv4 and IPv6, DHCP, DNS, tracerouting, whois, ARIN, and much more. This is the kind of information that needs to become part of public school curriculum, if we ever expect to actually stop rampant computer virus and spam problems. Plus people ought to understand the way their computers are networked!