Kessler - Forensic Science Communications - January 2004
January 2004 - Volume 6 - Number 1
Guide to Computer Forensics and Investigations
Bill Nelson, Amelia Phillips, Frank Enfinger, and Chris Steuart
Thomson Course Technology, Boston, Massachusetts, 2004
Gary C. Kessler
Computer and Digital Forensics
In the realm of computer forensics professional books, it is difficult to define the best book. Computer and network forensics is such a multidisciplinary topic that the first hurdle is determining what the primary focus should be. I prefer a book that focuses on technology, providing procedures and guidelines that explain both how and why. Providing the appropriate elementary computer science and data communications background is essential if a book is to provide a good educational foundation for the subject. Legal aspects are also essential because cyberforensics examiners must be well versed in the laws that guide their work. However, not all computer forensics is the purview of law enforcement, so I come back to preferring the technical focus.
Given this bias, the Guide to Computer Forensics and Investigations is the best book that I have found. Although the field is relatively new, the number of books on cyberforensics has grown dramatically in the last few years. Many things make this book outstanding.
It is practical. Assuming that the reader has a firm grasp of computer and network basics (the preface states that the reader should have an "A+ and Network+ or equivalent"), the book provides a good basis of computers and networking as they apply to cyberforensics. As an example, the discussion of Microsoft operating systems does not discuss in detail Windows' multitasking and multithreading capabilities, but it does go into significant detail on the Windows and DOS boot process and file systems. The book is not Windows-centric; it provides very good coverage of the Mac and Unix/Linux boot processes and file systems as well as the structure of CDs and redundant array of independent disks (RAID) file systems. There are also chapters offering good descriptions of e-mail investigations and image file examinations.
The book is oriented towards the computer forensics professional. There are chapters providing an overview of the profession, establishing a cyberforensics laboratory, processing a scene, maintaining the evidentiary chain, writing reports, and giving testimony. While the information is oriented towards law enforcement, it is applicable to the freelance cyberforensics analyst as well as the corporate information security officer. Although the book is not a legal treatise, there is sufficient coverage of applicable laws to provide the examiner with appropriate safeguards. Because of this broad coverage, the book is an excellent student text: it provides an introduction to the broad spectrum of the professional and the technical aspects of the field.
Finally, the book includes case studies and hands-on exercises that are useful for personal and classroom educational uses. A wide variety of software and hardware computer forensic tools are introduced, and trial versions of some software are provided on the book's accompanying CD.
If I have any complaint with the book, it is that it lacks some of the more advanced topics related to network forensics. Specifically, the coverage of transmission control protocol/Internet protocol (TCP/IP), Internet infrastructure, Internet service providers, chat rooms, anonymizers (a server or site on the Internet that allows users to mask their identity and location), cryptography, and steganography (hidden writing) is minimal. But this is a minor issue given the otherwise broad coverage.
In summary, this book provides an excellent overview of the computer forensic professional and process. I highly recommend it to professionals, teachers, and students.