Posted on Leave a comment

No Maps For These Territories

A Profound and Moving Statement About the Human Condition


You don't need to be a fan of William Gibson to get a lot out of "No Maps for These Territories." Taking the simple form of Gibson expounding on a raft of subjects from the backseat of a car en route from Los Angeles to Vancouver, intercut with a breathtaking visual melange to illustrate his points, "Maps" is a good reminder of how truly profound have been the changes in the world in the last few years, as well as what it means to be human -- the only animal that makes maps, after all.

Despite the whole "cyberpunk" label (which he rejects, anyway) Gibson comes across as intelligent, thoughtful and a rather nice person, and he looks at least a good decade and a half younger than his mid-50's baby-boomer age. And his description of his writing process is the most accurate distillation of how creativity works that I've ever heard. There isn't any BS coming from this back seat; Gibson speaks from the heart and it shows.

Oddly enough, it's the hardcore fans who might be the most disappointed in this film. Gibson is almost self-deprecating in talking about his work and his fame. But it's a film that deserves to be seen, and listened to with great attention. It's also done with a stunning style that adds to, rather than distracts from, the content. The film begins with frenetic, quick-cut images, but ends up in a beautiful, elegiac mood as we drive down a fog-shrouded bridge while U2's Bono reads from Gibson's unpublished Memory Palace. The end result is moving, haunting and worth many repeat viewings to take it all in.

William Gibson

William Ford Gibson (born March 17, 1948) is an American-Canadian speculative fiction writer and essayist widely credited with pioneering the science fiction subgenre known as cyberpunk. Beginning his writing career in the late 1970s, his early works were noir, near-future stories that explored the effects of technology, cybernetics, and computer networks on humans—a "combination of lowlife and high tech"—and helped to create an iconography for the information age before the ubiquity of the Internet in the 1990s. Gibson coined the term "cyberspace" for "widespread, interconnected digital technology" in his short story "Burning Chrome" (1982), and later popularized the concept in his acclaimed debut novel Neuromancer (1984). These early works of Gibson's have been credited with "renovating" science fiction literature in the 1980s.
After expanding on the story in Neuromancer with two more novels (Count Zero in 1986, and Mona Lisa Overdrive in 1988), thus completing the dystopic Sprawl trilogy, Gibson collaborated with Bruce Sterling on the alternate history novel The Difference Engine (1990), which became an important work of the science fiction subgenre known as steampunk.
In the 1990s, Gibson composed the Bridge trilogy of novels, which explored the sociological developments of near-future urban environments, postindustrial society, and late capitalism. Following the turn of the century and the events of 9/11, Gibson emerged with a string of increasingly realist novels—Pattern Recognition (2003), Spook Country (2007), and Zero History (2010)—set in a roughly contemporary world. These works saw his name reach mainstream bestseller lists for the first time. His most recent novels, The Peripheral (2014) and Agency (2020), returned to a more overt engagement with technology and recognizable science fiction themes.
In 1999, The Guardian described Gibson as "probably the most important novelist of the past two decades", while The Sydney Morning Herald called him the "noir prophet" of cyberpunk. Throughout his career, Gibson has written more than 20 short stories and 12 critically acclaimed novels (one in collaboration), contributed articles to several major publications, and collaborated extensively with performance artists, filmmakers, and musicians. His work has been cited as influencing a variety of disciplines: academia, design, film, literature, music, cyberculture, and technology.

Please watch the film case the player malfunctions. 

From the back of a chauffeured limousine equipped with a computer, cell phone and digital cameras, legendary science-fiction writer William Gibson, author of "Neuromancer," embarks on an unusual cross-country trip. In this technological cocoon, the man who created the term "cyberspace" comments on an array of subjects -- including his literary success, what led to his writing career and how the modern world is starting to resemble the futuristic one he writes about.
Original Language:
Mark Neale
Mark Neale
Mark Neale
Release Date (Streaming):
Sound Mix:
Posted on Leave a comment

VI6: Network Investigations

Network Investigations

Eoghan Casey, ... Terrance Maguire, in Handbook of Digital Forensics and Investigation, 2010

Publisher Summary

In order to conduct an investigation involving computer networks, practitioners need to understand network architecture, be familiar with network devices and protocols, and have the ability to interpret the various network-level logs. Practitioners must also be able to search and combine large volumes of log data using search tools like Splunk or custom scripts. Digital forensic analysts must be able to slice and dice network traffic using a variety of tools to extract the maximum information out of this valuable source of network-related digital evidence. This chapter provides an overview of network protocols, references to more in-depth materials, and discusses how forensic science is applied to networks. To help investigators interpret and utilize this information in a network-related investigation, this chapter focuses on the most common kinds of digital evidence found on networks, and provides information that can be generalized to other situations. This chapter assumes a basic understanding of network topology and associated technologies. Digital investigators must be sufficiently familiar with network components found in a typical organization to identify, preserve, and interpret the key sources of digital evidence in an Enterprise. This chapter concentrates on digital evidence associated with routers, firewalls, authentication servers, network sniffers, Virtual Private Networks (VPNs), and Intrusion Detection Systems (IDS).

Overview of Enterprise Networks

Digital investigators must be sufficiently familiar with network components found in a typical organization to identify, preserve, and interpret the key sources of digital evidence in an Enterprise. This chapter concentrates on digital evidence associated with routers, firewalls, authentication servers, network sniffers, Virtual Private Networks (VPNs), and Intrusion Detection Systems (IDS). This section provides an overview of how logs from these various components of an Enterprise network can be useful in an investigation. Consider the simplified scenario in Figure 9.1 involving a secure server that is being misused in some way.

Logs generated by network security devices like firewalls and IDSs can be a valuable source of data in a network investigation. Access attempts blocked by a firewall or malicious activities detected by an IDS may be the first indication of a problem, alarming system administrators enough to report the activity to digital investigators. As discussed in Chapter 4, “Intrusion Investigation,” configuring firewalls to record successful access as well as denied connection attempts gives digital investigators more information about how the system was accessed and possibly misused. By design, IDS devices only record events of interest, including known attack signatures like buffer overflows and potentially malicious activities like shell code execution. However, some IDSs can be configured to capture the full contents of network traffic associated with a particular event, enabling digital forensic analysts to recover valuable details like the commands that were executed, files that were taken, and the malicious payload that was uploaded as demonstrated later in this chapter.

Routers form the core of any large network, directing packets to their destinations. As discussed in the NetFlow section later in this chapter, routers can be configured to log summary information about every network connection that passes through them, providing a bird's eye view of activities on a network. For example, suppose you find a keylogger on a Windows server and you can determine when the program was installed. Examining the NetFlow logs relating to the compromised server for the time of interest can reveal the remote IP address used to download the keylogger. Furthermore, NetFlow logs could be searched for that remote IP address to determine which other systems in the Enterprise were accessed and may also contain the keylogger. As more organizations and ISPs collect NetFlow records from internal routers as well as those at their Internet borders, digital investigators will find it easier to reconstruct what occurred in a particular case.

Digital investigators may be able to obtain full network traffic captures, which are sometimes referred to as logging or packet capture, but are less like a log of activities than like a complete videotape of them—recorded network traffic is live, complete, and compelling. Replaying an individual's online activities as recorded in a full packet capture can give an otherwise intangible sequence of events a very tangible feel.

Authentication servers form the heart of most enterprise environments, associating activities with particular virtual identities. Logs from RADIUS and TACACS servers, as well as Windows Security Event logs on Domain Controllers, can help digital investigators attribute activities to a particular user account, which may lead us to the person responsible.

Practitioner's Tip: Virtual Identities

Because user accounts may be shared or stolen, it is not safe to assume that the owner of the user account is the culprit. Therefore, you are never going to identify a physical, flesh-and-blood individual from information logs. The universe of digital forensics deals with virtual identities only. You can never truly say that John Smith logged in at 9:00 am, only that John Smith's account was authenticated at 9:00 am. It is common, when pursuing an investigation, to conflate the physical people with the virtual identities in your mind and in casual speech with colleagues. Be careful. When you are presenting your findings or even when evaluating them for your own purposes, remember that your evidence trail will stop and start at the keyboard, not at the fingers on the keys. Even if you have digital images from a camera, the image may be consistent with the appearance of a particular individual, but as a digital investigator you cannot take your conclusions any farther.

As discussed later in this chapter, VPNs are often configured to authenticate via RADIUS or Active Directory, enabling digital investigators to determine which account was used to connect. In addition, VPNs generally record the remote IP address of the computer being used to connect into the network, as well as the internal IP address assigned by the VPN to create a virtual presence on the enterprise network. These VPN logs are often critical for attributing events of concern within an organization to a particular user account and remote computer.

Practitioner's Tip: Tracking Down Computers within a Network

When a computer is connected to a network it needs to know several things before it can communicate with a remote server: its own IP address, the IP address of its default router, the MAC address of its default router, and the IP address of the remote server. Many networks use the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to computers. When a networked system that uses DHCP is booted, it sends its MAC address to the DHCP server as a part of its request for an IP address. Depending on its configuration, the server will either assign a random IP address or a specific address that has been set aside for the MAC address in question. In any event, DHCP servers maintain a table of the IP addresses currently assigned.

DHCP servers can retain logs to enable digital investigators to determine which computer was assigned an IP address during a time of interest, and potentially the associated user account. For instance, the DHCP lease in Table 9.1 shows that the computer with hardware address 00:e0:98:82:4c:6b was assigned IP address starting at 20:44 on April 1, 2001 (the date format is weekday yyy/mm/dd hh:mm:ss where 0 is Sunday).

Table 9.1. DHCP Lease

lease {starts 0 2001/04/01 20:44:03;ends 1 2001/04/02 00:44:03;hardware ethernet 00:e0:98:82:4c:6b;uid 01:00:e0:98:82:4c:6b;client-hostname "oisin";}

Some DHCP servers can be configured to keep an archive of IP address assignments, but this practice is far from universal. Unless you are certain that archives are maintained, assume that the DHCP history is volatile and collect it as quickly as possible.

A DHCP lease does not guarantee that a particular computer was using an IP address at a given time. An individual could configure another computer with this same IP address at the same time, accidentally conflicting with the DHCP assignment or purposefully masquerading as the computer that originally was assigned this IP address via DHCP. The bright side is that such a conflict is often detected and leaves log records on the systems involved.

The same general process occurs when an individual connects to an Internet Service Provider (ISP) via a modem. Some ISPs record the originating phone number in addition to the IP address assigned, thus enabling investigators to track connections back to a particular phone line in a house or other building.

Obtaining additional information about systems on the Internet is beyond the scope of this chapter. See Nikkel (2006) for a detailed methodology on documenting Internet name registry entries, Domain name records, and other information relating to remote systems.