Author: John Sammons
Audience: Potential professional forensic experts
Reviewer: Lucy Black
Digital forensics sounds both important and interesting - and so it is, but can this book teach you the basics in around 170 pages?
It all depends on what you mean by basics. Some years ago I took a university course in forensics - mostly because CSI made it look super cool. It started with a long discussion of "chain of custody" and other matters of bookkeeping necessary to forensic procedure. Needless to say, it wasn't CSI, even though we did get on to more techie topics later. This book is a bit like that course, but it doesn't really get onto any techie topics in any depth.
Chapter 1 is an introduction to forensics and more importantly an account of the professional aspects of the task including an introduction to US organizations concerned with the subject. It even mentions the CSI effect that I fell victim to.
Chapter 2 is called "Key Technical Concepts" - they may be key, but they are very basic. If you are a programmer, and programmers would make good digital forensic investigators, then you should know all of this: what a byte is, hex, ASCII, Unicode, types of storage and so on. You might not know some of the material about file systems and how deleted data isn't actually erased, but you probably should. The book doesn't give any practical advice about how to recover data. It is more like an overview of what might be possible.
The next chapter is on labs and tools, and this is more practical, but again it is focused on matters like how you can trust a tool. Then it moves on to collecting evidence, which was a set of ideas familiar to me from my forensics course, but with a lot of customization to the digital world. If you don't know forensic procedures, this and much of the book up to this point will be useful to you.
Chapter 5 gets more technically specific in that it looks at Windows systems and the particular opportunities that these offer - recovering data, the registry, restore points, link files and so on. Chapter 6 looks at anti-forensics, i.e. how people might try to cover up what they are doing so that you can't find out. This more or less just lists the possible approaches with brief descriptions. As with much of the book, the technical details are the bare minimum.
Chapter 6 is about legal aspects and it is 100% US-oriented - the Fourth Amendment, criminal law, searching with a warrant. No consideration is given to the problems of worldwide legal systems or working in different jurisdictions - and this isn't unreasonable, as it would have made the book difficult to write and huge.
Chapter 8 moves back to the technology again with the Internet and email. Here the examples are Windows-based once again. It covers non-technical issues such as the status of email as evidence and so on. The next chapter is on network protocols and, being so short, of course it hardly scratches the surface. Chapter 10 deals with mobile devices, including GPS.
The final chapter is a bit of a round-up and a look at new technologies like solid state disks and cloud computing. Not really cutting edge, but you might expect the forensic aspects of these technologies to advance more slowly than the technologies themselves.
Overall this is a reasonably good read if you want to know about what you might call the professional or bookkeeping side of digital forensics. It does introduce some of the technological problems, but more so that you have a general picture of the sorts of things you might have to deal with. It makes no attempt to make you an expert or even practically capable in these areas. The intention seems to be just to orient the complete beginner. As such the book works - but if you are a techie, beware of its low information content. If you know anything about hacking you might be disappointed by the low-level approach.