"Handbook of Computer Crime Investigation: Forensic Tools and Technology," Kosiba, FSC, April 2003
April 2003 - Volume 5 - Number 2
Handbook of Computer Crime Investigation: Forensic Tools and Technology
Edited by Eoghan Casey
Academic Press, San Diego, California, 2002
Timothy P. Kosiba
Information Technology Specialist Forensic Examiner
Information Technology Division
Federal Bureau of Investigation
Because many criminals are using more sophisticated technology, investigators in law enforcement, forensic science, and corporate computer security need to be more knowledgeable in the forensic analysis of seized digital evidence. Several books on the market outline the important components of using computers in forensics, and one of them compiles some of the necessities. Eoghan Casey’s Handbook of Computer Crime Investigation: Forensic Tools and Technology contains chapters written by different authors, each knowledgeable in the chapter’s subject. The book outlines some of the important aspects of computer forensics, grouped under three major headings: Tools, Technology, and Case Examples. Some of the early chapters include short case examples. Casey devotes the last three chapters to examining how the law addresses the technology.
Chapter 1 is an introduction to valuable fundamental information about computers, digital systems, and electronic evidence. Chapter 2 is an introduction to the production of electronic data discovery material.
The section on Tools (Chapters 3-6) is sparse. Although there is an abundance of tools on the market, Chapter 3 is dedicated to EnCase® (Guidance Software, Pasadena, California). The author of this chapter is employed by Guidance Software, so the material is extensive. He addresses issues relating to tool testing and examiner qualifications and offers a glimpse of what the future may hold for the field of digital forensics. Chapter 4 addresses incident response tools. The author, from network security at Ohio State University, describes two sets of tools collectively known as the flow-tools and the review set, and he offers a case example for clarification.
The author of Chapter 5 focuses on how network intrusion detection applications that analyze network traffic and secure log repository applications can benefit forensic investigation. The authors of Chapter 6, Tool Testing and Analytical Methodology, state that soon computers may be running on completely different operating and file systems; “therefore, examiners should not become overly reliant on tools and must develop a solid understanding of the underlying technology and related forensic examination techniques.” (p. 115) They offer several case examples in which the tools and methodology were applied.
Chapters 7-11 effectively cover the topics of Windows® (Microsoft Corporation, Redmond, Washington), UNIX® (The Open Group, http://www.opengroup.org), networks, wireless, and embedded systems. Chapter 7 concentrates on Microsoft® Windows NT® and Microsoft® Windows 2000®. The author assumes a minimum level of a systems analyst’s proficiency. The material is thorough, but the author subtly endorses EnCase® through screen captures. The UNIX® material goes immediately into the restoration and analysis of tape media, with specific procedures that also cover hard disks and UNIX® systems. The illustrated examples are well defined but brief. If UNIX® is not a strength of the reader, additional sources of information will be required.
Chapter 9 on network analysis is very detailed, addressing the increasing number of Internet attacks and intrusions. The areas covered include TCP/IP protocols, some utilities, communication equipment, and a brief explanation of logs. Chapter 10 is devoted to wireless network analysis and what information can be developed from this environment. The author includes a good reference for wireless terms and acronyms. Chapter 11 outlines embedded systems—computers that are embedded within equipment and programmed for a specific task. The author includes telephones, microwave ovens, cameras, and medical instruments in his discussion of the systems.
Chapters 12-14 cover an important aspect of computer forensics: the laws governing the discipline. Although Casey’s book provides real cases in homicide, child pornography, Internet gambling, and computer intrusions to exemplify the applicability of certain statutes, it is not a good reference for understanding the legal aspects of the computer forensics field, given the current laws and how quickly they must adjust to the varying sophistication of today’s crimes.
Overall, this book provides a detailed explanation of forensic facets within network technologies and the Windows® operating system. While giving a good evaluation of wireless and embedded systems, it gives limited coverage of UNIX® and forensic tools. Although Eoghan Casey’s Handbook of Computer Crime Investigation: Forensic Tools and Technology could not be considered a comprehensive desk reference, it is valuable to a novice in understanding the fundamentals in the field of digital forensics.