Bill Nelson, Amelia Phillips, Frank Enfinger, and Chris Steuart
Thomson Course Technology, Boston, Massachusetts, 2004
Gary C. Kessler
Computer and Digital Forensics
In the realm of computer forensics professional books, it is difficult to define
the best book. Computer and network forensics is such a multidisciplinary
topic that the first hurdle is determining what the primary focus should
be. I prefer a book that focuses on technology, providing procedures and
guidelines that explain both how and why. Providing the appropriate elementary
computer science and data communications background is essential if a book
is to provide a good educational foundation for the subject. Legal aspects
are also essential because cyberforensics examiners must be well versed in
the laws that guide their work. However, not all computer forensics is the
purview of law enforcement, so I come back to preferring the technical focus.
Given this bias, the Guide to Computer Forensics and Investigations is the best book that I have found. Although cyberforensics is a relatively new field, the number of books on it has grown dramatically in the last few years. Many things make this book outstanding.
It is practical. Assuming that the reader has a firm grasp of computer and network basics (the preface states that the reader should have an "A+ and Network+ or equivalent"), the book provides a good basis of computers and networking as they apply to cyberforensics. As an example, the discussion of Microsoft operating systems does not discuss in detail Windows' multitasking and multithreading capabilities, but it does go into significant detail on the Windows and DOS boot process and file systems. The book is not Windows-centric, however; it provides very good coverage of the Mac and Unix/Linux boot processes and file systems as well as the structure of CDs and redundant array of independent disks (RAID) file systems. There are also chapters offering good descriptions of E-mail investigations and image file examinations.
The book is oriented towards the computer forensics professional. There are
chapters providing an overview of the profession, establishing a cyberforensics
laboratory, processing a scene, maintaining the evidentiary chain, writing
reports, and giving testimony. Whereas the information is oriented towards
law enforcement, the information is applicable to the free-lance cyberforensics
analyst as well as the corporate information security officer. Although the
book is not a legal treatise, there is sufficient coverage of applicable
laws to provide the examiner with appropriate safeguards. Because of this
broad coverage, the book is an excellent student text because it provides
an introduction to the broad spectrum of the professional and the technical
aspects of the field.
Finally, the book includes case studies and hands-on exercises that are useful for personal and classroom educational uses. A wide variety of software and hardware computer forensic tools are introduced, and trial versions of some software are provided in the book's accompanying CD.
If I have any complaint with the book, it is that it lacks some of the more advanced topics related to network forensics. Specifically, the coverage of transmission control protocol/Internet protocol (TCP/IP), Internet infrastructure, Internet service providers, chat rooms, anonymizers (a server or site on the Internet that allows users to mask their identity and location), cryptography, and steganography (hidden writing) is minimal. But this is a minor issue given the otherwise broad coverage.
In summary, this book provides an excellent overview of the computer forensic professional and process. I highly recommend it to professionals, teachers, and students.