Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Robert Michael Slade
December 16, 2005, 4:20 pm
rate this thread
"Guide to Computer Forensics and Investigations", Bill Nelson et al,
%A Bill Nelson
%A Amelia Phillips
%A Frank Enfinger
%A Chris Steuart
%C 25 Thomson Place, Boston, MA 02210
%I Thomson Learning Inc.
%O (Amazon.com product link shortened)
(Amazon.com product link shortened)
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 689 p. + CD-ROM
%T "Guide to Computer Forensics and Investigations"
The preface states that the book is intended for newcomers to computer
forensics that have a basic background in computers and networking.
There is mention of instructor material on the CD-ROM, but no other
direction in regard to use as a course text.
Chapter one purports to provide an overview of the computer forensics
profession. It jumps, seemingly without structure, from topic to
topic, never providing solid information about much of anything. The
progress and process of computer investigations is the topic of
chapter two, but the material ranges between the uselessly vague
(brief mentions of important concepts such as chain of
evidence/custody, with no discussion of why they are vital) and the
uselessly specific (six pages of instruction on how to make a Windows
98 system boot to DOS). The content also relies heavily upon the
assumption that the reader will have a certain suite of commercial
forensics tools from a particular company. (It also seems to feel
that the reader will never need to examine systems other than DOS,
Windows 98, FAT12, and floppy disks.) DOS and Windows file systems
(including NTFS) are reviewed in chapter four, although the level of
detail provided is very inconsistent (eight pages of information on
DOS batch files, and only four pages to describe the entire NTFS disk
structure). Illustrations are less than helpful, particularly in
regard to labelling, and the use of terminology in non-standard ways
can lead to confusion. (In this book, "file slack" refers to what is
otherwise simply known as unused or unallocated space.) Basically,
the material is simplistic and unlikely to be needed by most people
with an intermediate level of computer knowledge, while at the same
time being incomplete, and probably not of any assistance to someone
actually looking at disk sectors. The material on Macintosh and Linux
systems, in chapter four, is similar.
Most of the material in chapter five, on a forensics lab and office,
is generic advice on either computer requirements or forensics (but
non-computer) labs. Chapter six lists an apparently random collection
of forensics tools. Rules of evidence (American) and a brief
description of one program for hash calculation are in chapter seven.
Chapter eight talks about processing the crime scene: the text ranges
from the vague (identifying the computer) to the bizarre (HAZMAT
suits). Some of the aforementioned commercial programs used in data
acquisition are outlined in chapter nine while the analytical tools
are depicted in chapter ten.
Chapter eleven, on email, does show how to read headers in more than
one mail user agent program, and mentions the log files on a couple of
mail servers. Some random notes on graphics files, and, as in the
rest of the book, lots of verbiage for not much information, is in
chapter twelve. The advice on preparing reports, in chapter thirteen,
is banal and has little bearing on forensics. Chapter fourteen, on
expert witness, does not deal with the requirements for establishing
that status, nor the restrictions on opinion in some cases.
As far as computer forensics goes, the foundation provided in this
work is far from solid. It mentions the basic topics, but fails to
provide much in the way of resources for proceeding with the
profession. The material provided is excessively wordy, and the
structure is often jumpy and unhelpful. Extensive sections have been
added that will be of little use to anyone other than a computer
novice, seemingly only in an attempt to pad the length of the book. I
would have trouble recommending this text to any audience.
copyright Robert M. Slade, 2005 BKGTCFAI.RVW 20050801
firstname.lastname@example.org email@example.com firstname.lastname@example.org
Find virus, book info http://victoria.tc.ca/techrev/rms.htm
Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm
Review mailing list: send mail to email@example.com
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
- » Re: Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability
- — Previous thread in » Computer Software Security