***** Computer Evidence: Collection & Preservation. By Christopher L.T. Brown; published by Charles River Media, www.charlesriver.com (Web); 416 pages; $49.95.
Unfortunately, no one book makes a security generalist into a computer forensics specialist. Reading about the subject is just one step in the process. Considerable lab time and hands-on experience are necessary for the transformation to be complete. A security manager desiring an excellent overview of the computer forensics field, however, will find this book enlightening. The text covers the legal, social, and technical aspects of computer evidence with clarity and superb teaching ability.
Shunning any attempt at crafting an encyclopedia, the author is wisely brief, limiting himself to fewer than 400 pages. The book is rich in content without creating information overload. Each chapter has a readable style with sensible, logical subdivisions to allow the reader to absorb information in manageable units. The inclusion of well-organized, clear graphs and tables builds on the text’s lucidity. The author’s summaries and lists of references at the end of each chapter reinforce the content and serve as a useful reviewing tool. Appendices offer the reader forms, worksheets, and technical “cheat sheets” on topics like “Hexadecimal Flags for Partition Types” and Cisco router commands. In addition, recognizing that professionals need quick-access aids while in the field, the author summarizes all the forensic tools discussed in the main text in a concise appendix.
Another strong point for Computer Evidence is the organization of the CD-ROM. The disc groups tools by topic, which makes finding the appropriate tool much easier. In addition, the author uses CD icons throughout the text as signposts to the disc’s other resources.
Deftly, the author ties established forensics principles, developed for physical crimes like murder, to the new field of computer forensics. He explains Locard’s exchange principle, which states that any criminal activity involves an exchange between the criminal and the victim or the crime scene. Fingerprints, hair, fibers, or DNA get left behind, as do digital clues lurking in slack space or swap files.
The author’s coverage of the law pertaining to computer evidence is far from exhaustive, but it is appropriate to the book’s mission and intent. He avoids “legalese” when covering topics like the reliability of expert testimony. As an indicator of his clear style, he uses a table to explain which states have adopted which of the two competing legal standards for expert-testimony reliability.
Computer Evidence would make for an excellent main text in an introductory graduate-level class on computer forensics. Anyone interested in getting into the field should consider the book as a prime starting point.
Reviewer: Ronald L. Mendell, M.S., CISSP (Certified Information Systems Security Professional), is an independent writer on security and investigative issues. He holds a master’s degree in network security and is a member of ASIS International.