Guide to Computer Forensics and Investigations
Bill Nelson, Amelia Phillips, Frank Enfinger, Chris Steuart
Thomson Course Technology, Boston © 2004
Gary C. Kessler
Computer & Digital Forensics
This book review was published in the January 2004 issue of the FBI's Forensic Science Communications.
In the space of computer forensics professional references and textbooks, it is hard to define the "best" book. Computer and network forensics is such a multidisciplinary topic (sort of Joe Friday meets Linus Torvalds) that the first hurdle is determining what the primary focus should be. I prefer a book that focuses on the technology, providing procedures and guidelines that explain both how and why. Providing the appropriate elementary computer science and data communications background is essential if such a book is to provide a good educational foundation for the subject at hand. Legal aspects are also essential since the cyberforensics examiner must be well-versed in the laws that guide our work. However, not all computer forensics is the purview of law enforcement so, indeed, I come back to preferring the technical focus.
Given this bias, Guide to Computer Forensics and Investigations is the best book that I have found. Although the field is relatively new, the number of books on cyberforensics has grown dramatically in just the last couple of years. Many things make this book stand out.
First, it is wholly practical. Although assuming that the reader has a firm grasp of computer and network basics (the preface states that the reader should have an "A+ and Network+ or equivalent"), the book provides a good basis of computers and networking as they apply to cyberforensics. As an example, the discussion of Microsoft operating systems doesn't talk much about Windows' multitasking and multithreading capabilities, but goes into significant detail on the Windows and DOS boot processes and file systems. The book is not Windows-centric, however, providing very good coverage of the Mac and Unix/Linux boot processes and file systems, as well as the structure of CDs and RAID file systems. There are also chapters offering very nice descriptions of e-mail investigations and examining image files.
Second, the book is oriented towards the computer forensics professional. There are chapters here providing an overview of the profession, how to set up a cyberforensics lab, processing a scene, maintaining the evidentiary chain, writing reports, and giving testimony. While oriented somewhat towards law enforcement, the information here is applicable to the freelance cyberforensics analyst as well as the corporate information security officer who has responsibility for computer forensics. While not a legal treatise by any means, there is sufficient coverage of applicable laws to provide the examiner with appropriate safeguards. Because of this broad coverage, the book is an excellent student text because it provides an introduction to the broad spectrum of the professional, as well as technical, aspects of the field.
Finally, the book has many case studies and hands-on exercises that are very useful for personal educational use as well as the classroom setting. A wide variety of software and hardware computer forensics tools are introduced and trial versions of some software are provided with the book's accompanying CD.
If I have any complaint with the book, it is that it lacks some of the more advanced topics related to network forensics. Specifically, the coverage of TCP/IP, the Internet infrastructure, dealing with ISPs, chat rooms, anonymizers, cryptography, and steganography is pretty minimal. But this is a minor issue given the otherwise broad coverage.
In summary, this book provides an excellent overview of the computer forensics profession and process. I highly recommend it to professionals, teachers, and students.
ABOUT THE AUTHOR: Gary C. Kessler is an Associate Professor and program director of the Digital Forensics Technology major at Champlain College in Burlington, Vermont, and an independent consultant and writer.