The Virtual Bookcase Reviews of 'Computer Evidence: Collection and Preservation':
Reviewer Koos van den Hout wrote:
In more and more cases, computers are involved in crimes or abuse as a means or a target. Investigating computer evidence is a brand new area of research with lots of different opinions and lots of ways in which things can go wrong. This book tries to help potential computer investigators to find their way in the enormous amount of information there is on the subject and to get started with proper tools. This book is a good start for anyone who needs a crash course on the subject, although it's better to read it when you don't need to research a case in one hour.
Chapter 1, the introduction, gives the reader a good start and notes a few common pitfalls. Chapter 2, the legal part, is in my opinion a bit early in the book and may fend off a technical reader, but it is oh so important to be aware of the legal status of investigations. Here the book does show a very America-centric approach to the subject: appropriate US laws are explained but international law is barely mentioned. Chapter 3 on evidence dynamics handles a very important part of collecting computer evidence, dealing with the fact that computers change state constantly and that trying to collect evidence on a computer also changes its state. The big discussion of whether to collect disk images from the running system or from a shutdown or frozen system is also described. Chapter 4, information gathering, lists methods of cataloguing computer systems, network components and other devices which may be involved or linked. Chapter 5 on network architecture explains modern networks. Chapter 6 on volatile data explains how gathering computer evidence has specific problems with regard to data of a volatile nature and suggests approaches for dealing with these problems. Chapter 7 on disk technologies explains the long-term storage found in modern computers. Chapter 8 on SAN, NAS and RAID explains how modern networked and remote storage offers new challenges to computer evidence gathering and at the same time can make it easier to image disks from a storage network. Chapter 9 on removable media explains everything from the tape drive via the floppy drive to modern flash memory, which can have really small form factors. Chapter 10 on tools, preparation and documentation of artifact collection helps the computer evidence gatherer in how to prepare and perform this task in the best possible way. Chapter 11 on volatile data collection delves into the tools and methods for gathering volatile data. Chapter 12 on imaging methodologies explains hardware and software for disk imaging.
Chapter 13 on large system collection explains the specific problems when dealing with large (amounts of) computer systems involved. Chapter 14 on personal portable devices goes into the specific problems of evidence contained on modern cell phones, personal digital assistants and other small form-factor devices, which are by themselves also complete computers but require specific knowledge and procedures. Chapter 15 describes the forensic workstation, how to set it up, what to prepare and what to bring. Chapter 16 describes how to set up a complete computer forensics lab with special networks to separate 'investigating' and 'administrative' traffic. Chapter 17 describes the options for further study into this field.
Although the overviews of relevant laws and law enforcement related to computer crime are very US-centric, the rest of this book is a very good primer on the subject. And even with a very volatile subject like this the author has done a great job in being very up to date with developments, and notes where things change so rapidly the reader should just look up the latest information on the web. I can recommend this book to anyone active or interested in the field of modern computer security.