Book Review

Digital Evidence and Computer Crime: Forensics Science, Computers and the Internet, 2nd ed.

Eoghan Casey
Elsevier Academic Press, Amsterdam © 2004
ISBN 0-12-163104-4 (hardback)
690 pages, US$62.95
An editted version of this book review was published in the September, 2007 (Vol. 32, #3) issue of Criminal Justice Review.

Eoghan Casey's Digital Evidence and Computer Crime is, in the opinion of this reviewer, the single most comprehensive, useful professional reference — or graduate-level textbook — in the computer forensics field today. This is not meant to slight other excellent books that are out there, but no other book that I have seen has this text's balance of breadth and depth.

In Casey's words, "This book draws from four fields: Law, Computer Science, Forensic Science, and Behavioral Evidence Analysis." A legal framework is essential to guiding the actual practice of computer forensics for both the criminal and civil investigator. Indeed, the discussions of relevant statutes and decisional law is particularly interesting as it compares U.S. laws with those of several other countries (albeit almost all in Europe). The international flavor is an important contribution and segue to books specializing in international cyberlaws, particularly as an increasing number of digital investigations involve more than one country.

The computer science basis provides the technical background that one needs to understand the devices being analyzed. The good news about the near-constant references to computer forensics in television shows such as CSI and Law & Order is that the public is aware that a lot of information can be obtained from computers. The bad news is that non-computer people believe that the pertinent incriminating or exculpatory information will make itself known as soon as the digital investigator walks into the same room as the computer being examined. The plethora of devices containing digital evidence is staggering, ranging from the traditional computer (Windows, Mac, and Linux desktop and laptop computers) to mobile devices (cell phones, PDAs, cameras, music players, and more). To understand how these devices function, how data is stored on them, and how data can be recovered from them — and then convince a judge and jury about the integrity and reliability of that evidence — requires a solid understanding of computer science principles.

Forensics science provides the basis for understanding the process by which scientific information is assembled and used as evidence in courts of law. Computer forensics professionals must particularly understand this aspect of digital investigations, from identification and preservation to reporting and presentation.

Finally, the behavioral evidence analysis perspective provides the reader with some insights into the behavior and motivation of the individuals being investigated. Computers are not analyzed in a vacuum but as part of a larger case. Knowing about the suspect or owner of a computer, coupled with other evidence and information, can give vital clues to the digital investigator in finding secrets held within digital devices.

These four fields, then, provide the perfect mix with which one has to approach the study of computer forensics and digital investigations; it is a multidisciplinary field that requires knowledge from many aspects of the real world and the cyberworld. And just as it is unlikely to find a single individual with total expertise in all related subject matter, Casey is joined by seven contributors who provide additional expertise, depth, and perspective.

The book itself is divided into five parts. Part 1 (7 chapters, 180 pages) is titled "Digital Investigation." This section of the book provides a solid introduction into the raison d'Ítre for the book — the relationship between computers and crime, and how one investigates a computer crime. Chapters in this section review the history of computer investigations, as well as laws related to technology. An overview is also provided about the investigative process and crime reconstruction as related to digital evidence. This is followed by chapters offering an analysis of criminal behavioral and how one presents digital evidence in testimony. Part 2 (6 chapters, 166 pages) is titled, simply, "Computers." This section starts out with two chapters that provide the necessary computer hardware and software background to understand how digital evidence is acquired from computer systems, as well as how the forensic science process is applied to computers. The rest of this section has chapters on the forensics examination of Windows, Unix, Mac, and handheld computers.

Part 3 (5 chapters, 162 pages) is called "Networks." Like the previous section, this one starts out with two chapters that provide the necessary technology and protocol background for understanding how digital evidence is acquired from networks, as well as how the forensic science process is applied to network data. Networks are particularly complex to examine due to the fact that they are dynamic, it is impossible to "secure the scene," and they can be large (spanning several states, countries, or continents). The remaining chapters cover ways in which information can be acquired from network devices, network logs, TCP/IP (the Transmission Control Protocol/Internet Protocol suite form the lingua franca of the Internet), and Internet applications.

Part 4 (4 chapters, 106 pages) is called "Investigating Computer Crime." This section takes a step back and looks at the big picture of investigating crimes involving computers. The chapters here discuss the investigation of computer intrusions, Internet sex offenders, and cybertsalking. Digital evidence as an alibi — and how to corroborate or refute such evidence — is also discussed.

The final part is titled "Guidelines" (2 chapters, 20 pages) and provides some basic procedures for handling and examining digital evidence. This section is followed by a detailed bibliography, glossary, and index.

Casey's book is extraordinarily well-written and very thorough; the few missing or sparsely-covered topics (e.g., more could be written about TCP/IP and various file systems, the coverage of cryptography is a little weak, and there's no mention of whole-disk encryption or steganography) are amply covered by other literature and any such deficiencies are more than made up for by the overall contents and quality of the book.

Digital Evidence and Computer Crime is a must-have in the reference library of any computer forensics professional, laboratory, and/or practice. Despite the focus on law and forensics process, the book is not intended just for the law enforcement community; it can be used equally well in the private sector, by either third-party forensics examiners or forensics investigators that are part of an organization's information security group. The information is timely and practical, and presented in a very readable manner.

The bottom-line is: I spent my own money to purchase (the first copy of) this book. No volume can get a higher recommendation than that.