Computer Evidence: Collection & Preservation
Christopher L.T. Brown
Charles River Media, Hingham (MA) © 2006
394 pages, US$49.95
Reviewed by Nicole Beebe, Gary C. Kessler,1 and Marcus Rogers
An edited version of this book review was published in the March 2006 issue of the Journal of Digital Forensic Practice.
Most books on computer forensics in the past have presented the process of digital investigation from the perspective of law enforcement, which makes sense given the historic evolution of the field. A refreshing trend in the last year or so, however, has been the publication of books that focus more on the information technology aspects of computer forensics. Chris Brown's book joins the short list of books in this latter category.
Brown, founder of Technology Pathways (the vendor of ProDiscover), has written the first book to focus almost entirely on evidence dynamics, defined as "any force that affects evidence in some way." Given the enormous pool of digital storage devices, the myriad ways in which computers and networks might be configured, and the variety of ways in which computers might be found in the field, the actual investigation is often much more straightforward than the acquisition of the data in a forensically sound fashion.
And this is the raison d'être for the book: "Because these four phases [collection, preservation, filtering, and presentation] cover such a broad area, books and courses that try to address each area usually relegate evidence collection to its simplest form, disk imaging, leaving all but the most basic questions unanswered" (from the Introduction).
Brown's book is divided into five parts: computer forensics and evidence dynamics (58 pg.), information systems (66 pg.), data storage systems and media (58 pg.), artifact collection (90 pg.), and maintaining evidence (56 pg.). It is clear where the meat of the book lies. The first three parts of the book nicely prepare the reader for the fourth part -- preparing a methodology and tool set for acquiring digital evidence, collecting volatile data, imaging, and gathering data from large systems: the hardest aspects of bringing together everything you need to analyze computers in a structured way based upon orderly engineering principles.
The book also contains reference and additional reading lists at the end of each chapter, plus eight appendices that provide very useful information (although the list of agencies and contacts will be the first part of the book to become out-of-date). In addition, the book's CD-ROM provides the reader with samples of the software discussed in the book.
An early chapter on Rules of Evidence, Case Law, and Regulation is particularly noteworthy. Most books in this genre only give lip service to the legal aspects but Brown has provided nice coverage for the practitioner, particularly when it comes to giving testimony as an expert witness. The treatment on law is somewhat U.S.-centric yet still sets the stage well for the practitioner.
The first chapter's mention of Locard's principle and Henry Lee's crime scene analysis is a nice way to tie computer forensics into criminalistics. But the use of the term filtering as a phase of the computer forensic process is non-standard and a bit surprising. This term does not appear to be used in any other model and, indeed, has a lot of negative connotations from a legal perspective. Analysis and interpretation are probably better terms and more truly represent what should occur in this phase of the process.
One deficiency of the book is that it focuses almost entirely on "classical" computer devices; there is little mention of digital cameras, personal digital assistants (PDAs), cell phones, portable music players, BlackBerrys, and the other myriad devices that are increasingly subject to digital investigation. That said, the general processes and methods described here would still apply to these other devices.
Another deficiency is that the book is very Windows-centric. This is not surprising given that the majority of cases and forensic tools (including those by Technology Pathways) are Windows-based. Although the processes described in the book are applicable to any examiner, a reader looking for extended coverage of *NIX case scenarios will be disappointed.
These few limitations notwithstanding, Brown has an engaging writing style that allows a reader to relate to the author as a peer rather than as a pontificator from The Mount. The material in the book is technically current and accurate, although it is not intended for a reader who is brand new to the world of computers; while it might be appropriate as a basic computer forensics text, it assumes that the reader already has some familiarity and comfort with computers and networks.
The bottom line is that Brown's book should be an essential entry in the digital forensics professional's library as it provides in-depth, timely information presented in a cohesive and practical fashion. It is a high-quality reference text and well worth the cost. This book will raise the bar for other authors.
1) Full disclosure footnote: Gary Kessler was a technical reviewer of this book during its preparation.