SANS Digital Forensics and Incident Response Blog

Book Review: Digital Forensics with Open Source Tools

I was excited awhile back to learn Digital Forensics with Open Source Tools was being written and even more pleased when I heard who its authors were. I worked almost exclusively with open source tools while beginning my foray into the digital forensics world and happily continue using them today, so I knew this book would be of great interest to me. I had a general idea of what I thought the book would be like, but what I found in it was so much better than I expected. This book is an excellent introduction to open source forensic tools, but in many ways it's also a "how to do forensics" book. In the interest of full disclosure, I did receive a review copy of this book without cost to me, although I did buy a second copy to keep at my office as well.

Digital Forensics with Open Source Tools was written by Cory Altheide and Harlan Carvey. Both authors are very well known and respected in the digital forensics and incident response world. The book is published by Syngress and is 255 pages in length, counting nine chapters and a single appendix. If ordered from the publisher, the cost is $59.95 for either the print version or e-book.

Chapter 1 begins with an introduction to the concepts and definition of digital forensics. Topics such as the goals and processes of digital forensics are well covered and explained. After these topics, the chapter goes on to explain what "open source" is and the differences between "free" and "open" followed by an explanation of different open source licenses. Finally, the chapter concludes with four points on the benefits of open source tools.

Chapter 2 is when the hands on portion begins, providing the necessary information to prepare your exam system. Software and interpreters needed to prepare an Ubuntu Linux installation are presented, so the reader can follow along with the examples that are to come. They do an excellent job of walking the reader through the process of installing programs from source code using the GNU Autotools System (./configure, make and make install). The use of APT (no, not that APT) for obtaining files is also covered, along with how to extract files from tarballs. Methods of mounting forensic images in your Linux system are covered and I found that to be a good refresher. It also introduced me to XMount, which I was previously unfamiliar with. After this, the chapter goes into explaining how to set up a Windows machine for those who do not have or do not wish to use Linux.

Chapter 3 is titled Disk and File System Analysis and begins with Media Analysis Concepts and a File System Abstraction Model. This is immediately followed by an introduction to The Sleuth Kit (TSK). A quick run-through on installing TSK is given and then each category of tools in it is explained. This part of the book is also done very well, not only telling you what each category is for, but giving good examples of tool usage and output. This chapter covers a lot of ground and continues on to talk about partitioning and disk layouts, RAID, image containers (EWF, AFF, etc), hashing, file carving and finally finishing up with forensic imaging. This chapter really does a great job of preparing the reader for all that is to come, laying down basic forensic concepts and tool information for anyone doing open source digital forensics, with much of the information equally useful to those not using open source tools.

Chapters 4, 5 and 6 present information on artifacts specific to Windows, Linux and Mac OS respectively. These chapters provide great info on what the forensic examiner can/should look for to accomplish their case goals. Good coverage is given to each OS with open source tools recommended to aid in your examination with examples given. It's a really good introduction for the new examiner, as well as a great refresher for the experienced reader.

Chapter 7 was of particular interest to me and I think it will be to many forensics professionals, especially those doing law enforcement related investigations. This chapter covers Internet artifacts and does a nice job of covering the top four web browsers (IE, Firefox, Chrome & Safari), providing methods and examples for parsing cookies, json files and other browser remnants. The authors then cover different types of Internet mail artifacts and presents some tools I was not familiar with and was definitely glad to learn about.

File Analysis is the subject of Chapter 8. I must say I learned quite a bit from this chapter. Types of data available in various file types are presented with methods of extraction given. I particularly found helpful the discussion on the various document types, but there was really nothing in the chapter I couldn't put to use. Am I starting to sound like a fanboy yet? I thought so.

The final chapter talks about automating analysis and extending capabilities. It starts off talking about two gui frameworks, PyFLAG and the Digital Forensics Framework. I had installed PyFLAG once quite awhile back and had forgotten what a pain it could be to get set up and configured, but this reminded me as I installed it anew. Another tool I had heard of but not yet tried is fiwalk and it is covered as well. The chapter concludes with information on understanding file times and timelines.

Appendix A consists of information on free, though non-open source digital forensics tools. As the authors point out, sometimes there simply is no open source tool for the job at hand. Tools like FTK Imager, Mandiant Highlighter and the tools available from Woanware are covered along with others. I had tried most of the tools mentioned at some point and know they're of good quality. Likewise, I plan to try out all the others and see if they fit my needs.

I'm sure it didn't take long for you to figure out I really liked this book. In my opinion, it's a book that has been needed in the digital forensics world for a long time, so I'm really happy it's finally been written. One other thing I wanted to mention was that I agree with Andrew Hay in his review of this book when he mentions the "voice" of the book stays consistent, despite the fact there were two authors. They did an excellent job keeping the flow of the book intact when the text switches between authors.

Who needs this book? Personally, I think most examiners can gain from reading it, especially those with limited knowledge of non-commercial tools. I believe newcomers will benefit the most and think it would be well suited for use in an introductory digital forensics class. The foundation it lays will be perfect for the student to build upon and continue their forensic training and work. Further, I see it as a book I and many others will refer back to regularly while conducting examinations. As you can guess, I definitely recommend this book.

Ken Pryor is a police officer and GCFA with the Robinson, Illinois Police Department. He became a police officer in 1987 and has been working in the area of digital forensics since 2008. He can be contacted at


Posted June 22, 2011 at 2:33 PM | Permalink | Reply

Andrew Hay

Yeah, that Andrew Hay guy is fantastic :)

Posted June 22, 2011 at 3:19 PM | Permalink | Reply

Frank McClain

Good job, Ken! Very thorough and good points made. 1

Posted June 22, 2011 at 9:43 PM | Permalink | Reply

Stacey Edwards

Awesome review, Ken. I'll definitely have to check out this book now. Looks like there are quite a few topics, if not all, that would be very helpful for examinations. Thanks!

Posted June 24, 2011 at 3:29 PM | Permalink | Reply


Great write up! This is one of the books that I saw at a recent conference, and I was also impressed! It's definitely one that I'm going to have to pick up.