of Computer Crime Investigation:
Forensic Tools and Technology
Academic Press, San Diego, California, 2002
Information Technology Specialist Forensic Examiner
Information Technology Division
Federal Bureau of Investigation
criminals are using more sophisticated technology, there is a need
for investigators in law enforcement, forensic science, and corporate
computer security to be more knowledgeable in the forensic analysis
of seized digital evidence. There are several books on the market
outlining the important components of using computers in the field
of forensics, but one book is a compilation of some of the necessities.
Eoghan Casey's Handbook of Computer Crime Investigation: Forensic
Tools and Technology contains chapters written by different
authors knowledgeable in the chapter's subject. The book outlines
some of the important aspects of computer forensics that are grouped
under three major headings: Tools, Technology, and Case Examples.
Some of the early chapters have short examples of cases. Casey offers
the last three chapters to examine how the law addresses the technology.
Chapter 1 is
an introduction to valuable fundamental information about computers,
digital systems, and electronic evidence. Chapter 2 is an introduction
to the production of electronic data discovery material.
on Tools (Chapters 3 - 6) is sparse. Although there is an abundance
of tools on the market, Chapter 3 is dedicated to EnCase® (Guidance
Software, Pasadena, California). The author of this chapter is employed
by Guidance Software, so the material is extensive. He addresses
issues relating to tool testing and examiner qualifications and
portrays a glimpse at what the future may hold for the field of
digital forensics. Chapter 4 addresses incident response tools.
The author, from Ohio State University's network security, describes
two sets of tools collectively known as the flow-tools and the review
set. He offers a case example for clarification.
The author of
Chapter 5 focuses on how network intrusion detection applications
that analyze network traffic and secure log repository applications
can benefit forensic investigation. The authors of Chapter 6, Tool
Testing and Analytical Methodology, state that soon computers may
be running on completely different operating and file systems; "therefore,
examiners should not become overly reliant on tools and must develop
a solid understanding of the underlying technology and related forensic
examination techniques." (p. 115) They offer several case examples
in which the tools and methodology were applied.
Chapters 7 -
11 effectively cover the topics on Windows® (Microsoft Corporation,
Redmond, Washington), UNIX® (The Open Group, http://www.opengroup.org),
networks, wireless, and embedded systems. Chapter 7 concentrates
on Microsoft® Windows NT® and Microsoft® Windows
2000®. The author assumes a minimum level of a systems analyst's
proficiency. The material is thorough, but the author subtly endorses
EnCase® through screen captures. The UNIX® material goes
immediately into the restoration and analysis of tape media with
specific procedures that also cover hard disks and UNIX® systems.
The illustrated examples are well-defined, but brief. If UNIX®
is not a strength of the reader, additional sources of information
will be required.
Chapter 9 on
network analysis is very detailed, addressing the increasing number
of Internet attacks and intrusions. The areas covered include TCP/IP
protocols, some utilities, communication equipment, and a brief
explanation of logs. Chapter 10 is devoted to wireless network analysis
and what information can be developed from this environment. The
author includes a good reference for wireless terms and acronyms.
Chapter 11 outlines embedded systemscomputers that are embedded
within equipment and programmed for a specific task. The author
includes telephones, microwave ovens, cameras, and medical instruments
in his discussion of the systems.
cover an important issue of computer forensics that involves laws
governing this discipline. Although Casey's book provides real cases
in homicide, child pornography, Internet gambling, and computer
intrusions to exemplify the applicability of certain statutes, this
book is not a good reference for understanding the legal aspects
of the computer forensics field, considering the current laws and
how quickly they must adjust to the varying sophistication of today's
book provides a detailed explanation of forensic facets within network
technologies and the Windows® operating system. While giving
a good evaluation of wireless and embedded systems, it gives limited
coverage of UNIX® and forensic tools. Although Eoghan Casey's
Handbook of Computer Crime Investigation: Forensic Tools and
Technology could not be considered a comprehensive desk reference,
it is valuable to a novice in understanding the fundamentals in
the field of digital forensics.
of the page