Book Review: Digital Evidence and Computer Crime 49
brothke writes "When it comes to a physical crime scene and the resulting forensics, investigators can ascertain that a crime took place and gather the necessary evidence. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible from the human eye. That is just one of the challenges of digital forensics, where it is easy to destroy crucial evidence, and often difficult to preserve correctly." Read on for the rest of Ben's review.
For those looking for an authoritative guide,Digital Evidence and Computer Crimeis an invaluable book that can be used to ensure that any digital investigation is done in a formal manner, that can ultimately be used to determine what happened, and if needed, used as evidence in court. | Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet | |
| author | Eoghan Casey |
| pages | 840 |
| publisher | Academic Press |
| rating | 10/10 |
| reviewer | Ben Rothke |
| ISBN | 978-0123742681 |
| summary | Definitive reference on the subject of digital evidence and computer crime |
Written by Eoghan Casey, a leader in the field of digital forensics, in collaboration with 10 other experts, the book's 24 chapters and nearly 800 pages provide an all-encompassing reference. Every relevant topic in digital forensics is dealt with in this extraordinary book. Its breadth makes it relevant to an extremely large reading audience: system and security administrators, incident responders, forensic analysts, law enforcement, lawyers and more.
In the introduction, Casey writes that one of the challenges of digital forensics is that the fundamental aspects of the field are still in development. Be it the terminology, tools, definitions, standards, ethics and more, there is a lot of debate amongst professionals about these areas. One of the book's goals is to assist the reader in tackling these areas and to advance the field. To that end, it achieves its goals and more.
Chapter 1 is appropriately titled Foundation of Digital Forensics,and provides a fantastic overview and introduction to the topic. Two of the superlative features in the book are the hundreds of case examplesand practitioners' tips. The book magnificently integrates the theoretical aspects of forensics with real-world examples to make it an extremely decipherable guide.
Casey notes that one of the most important advances in the history of digital forensics took place in 2008 when the American Academy of Forensic Sciences created a new section devoted to digital and multimedia sciences. That development advanced digital forensics as a scientific discipline and provided a common ground for the varied members of the forensic science community to share knowledge and address current challenges.
In chapter 3 – Digital Evidence in the Courtroom– Casey notes that the most common mistake that prevents digital evidence from being admitted in court is that it is obtained without authorization. Generally, a warrant is required to search and seize evidence. This and other chapters go into detail on how to ensure that evidence gathered is ultimately usable in court.
Chapter 6 – Conducting Digital Investigations – is one of the best chapters in the book. Much of this chapter details how to apply the scientific method to digital investigations. The chapter is especially rich with tips and examples, which are crucial, for if an investigation is not conducted in a formal and consistent manner, a defense attorney will attempt to get the evidence dismissed.
Chapter 6 and other chapters reference the Association of Chief Police Officer's Good Practice Guide for Computer-Based Electronic Evidence as one of the most mature and practical documents to use when handling digital crime scenes. The focus of the guide is to help digital investigators handle the most common forms of digital evidence, including desktops, laptops and mobile devices.
The Good Practice Guideis important in that digital evidence comes in many forms, including audit trails, application, badge reader and ISP and IDS logs, biometric data, application metadata, and much more. The investigator needs to understand how all of these work and interoperate to ensure that they are collecting and interpreting the evidence correctly.
Chapter 9 — Modus Operandi — by Brent Turvey is a fascinating overview of how and why criminals commit crimes. He writes that while technologies and tools change, the underlying psychological needs and motives of the offenders and their associated criminal behavior has not changed through the ages.
Chapter 10 – Violent Crime and Digital Evidence — is another extremely fascinating and insightful chapter. Casey writes that whatever the circumstances of a violent crime, information is key to determining and thereby understanding the victim-offender relationship, and to developing an ongoing investigative strategy. Any details gleaned from digital evidence can be important, and digital investigators must develop the ability to prioritize what can be overwhelming amounts of evidence.
Chapter 13 – Forensic Preservation of Volatile Data — deals with the age-old forensic issue: to shut down or not to shut down? It provides a highly detailed sample volatile data preservation process for an investigator to follow to preserve volatile data from a system. There is also a fascinating section on the parallels between arson and digital intrusion investigations.
Part 4 of the book is Computers, in which the authors note that although digital investigators can use sophisticated software to recover deleted files and perform advanced analysis of computer hard drives, it is important for them to understand what is happening behind the scenes. A lack of understanding of how computers function and the processes that sophisticated tools have automated make it more difficult for digital investigators to explain their findings in court and can lead to incorrect interpretations of digital evidence.
Chapter 17 – File Systems– has an interesting section on dates and times. Given the importance of dates and times when investigating computer-related crimes, investigators need an understanding of how these values are stored and converted. The chapter has a table of the date-time stamp behavior on both FAT and NTFS file systems. Time stamps are not a trivial issue, as there are many different actions involved (file moved, deletion, copy, etc.) that can affect the date-time stamp in very different ways.
A better title for Digital Evidence and Computer Crime might be the Comprehensive Guide to Everything You Need to Know About Digital Forensics. One is hard pressed to find another book overflowing with so many valuable details and real-world examples.
The book is also relevant for those who are new to the field, as it provides a significant amount of introductory material that delivers a broad overview to the core areas of digital forensics.
The book progresses to more advanced and cutting-edge topics, including sections on various operating systems, from Windows and Unix to Macintosh.
This is the third edition of the book and completely updated and reedited. When it comes to digital forensics, this is the reference guide that all books on the topic will be measured against.
With a list price of $70.00, this book is an incredible bargain given the depth and breadth of topics discussed, with each chapter written by an expert in the field. For those truly serious about digital forensics,Digital Evidence and Computer Crime is an equally serious book.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Ethics (Score:1)
So, who would actually use this NOT to try and subvert law enforcement?
I don't remember the name, but there was a book written about how to commit the perfect murder, and there was this huge thing about how a guy got off the hook because of the book and how liable the author was, etc...
The argument was that by creating the book, the author was an accomplice, of course the only path to proving something like this is through pure ethics, (ethics != legal).
I wonder if somebody used something like this book to
Re: (Score:1)
A long as arms manufacturers are not held liable for every killing done by their equipment I don't see why this guy should.
Re: (Score:1)
There's a very grey line here that may not be so obvious, I remember how the first was explained to me in school, it's ok to yell "f the government" in front of capital hill, but it's not ok to yell fire in a packed movie theater room. That's because the latter can cause harm onto others, thus imposing the consequences of your speech onto others and there are consequences for doing that.
http://en.wikipedia.org/wiki/Schenck_v._United_States [wikipedia.org] and to make things worse...
http://en.wikipedia.org/wiki/Brandenbur [wikipedia.org]
Re: (Score:3)
The concept here is that yelling fire in a packed movie theater creates a "clear and present danger [wikipedia.org]". It is clear that yelling it will cause people to run for their lives, and it is present in that people will react before cooler heads can put things into perspective. With a book, the reader has plenty of time to consider the consequences of their actions. So no, I don't think it spills over into books.
Also note the "clear and present danger" tes
Re: (Score:1)
Well, as you said, it is a very gray line. Making, or not, sense of it is more of an academic exercise than anything else. The legal system is a shit storm of badly depicted ideals and foul wishing. All you can reliably do is just acknowledge this ambiguity's existence and move on.
On another note: crying "Fire" in a packed theater is probably the best way to get "/permanently?/" rid of the hysteric idiot that will start jelling at their spouse in the middle of the play. Just saying...
Personal opinion: Knowl
Re: (Score:2)
A long as arms manufacturers are not held liable for every killing done by their equipment I don't see why this guy should.
Maybe because the arms manufacture does not also show people novel ways to kill someone and escape any responsibility for their actions? Selling someone a gun is different from providing them a detailed plan to murder someone and get away with it.
Re: (Score:1)
If you have to plan for something the only certain thing is that everything will not go as planed.
me
Re: (Score:2)
and there was this huge thing about how a guy got off the hook because of the book and how liable the author was, etc...
For false advertising? If it had been a perfect murder we wouldn't have heard about it...
Re: (Score:1)
Re: (Score:1)
Intent matters in law.
did not know that. Please elaborate
Re: (Score:2)
Look up mens rea [wikipedia.org]. I'm not sure I could explain it much better then that.
I do know a guy who shot his wife in the head and killed her, then called the EMS. Because the intent and state of mind (Mens Rea) is built into the murder/homicide statutes, he ended up getting convicted of voluntary manslaughter and was sentenced (actually, he got re-sentenced because of some lawsuit challenging the constitutionality of floating sentences like 5-15 years) 8 years total and is now back on the streets without parole or
Re: (Score:1)
Of course, its impossible to be absolutely sure what someone was i
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
I'm in the field. Guttman hasn't been accurate for over a decade. Modern drives pack the bits much closer together. Nothing can be recovered after a single wipe with all zeros or better all pseudo-random. Even Guttman himself acknowledges this: "For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do."
Re: (Score:2)
Re: (Score:2)
Nobody in the field of computer forensics has ever claimed or had a reason to believe that any data is recoverable from modern hard drives that have been wiped with a single pass of zeroes (or any other pattern). The police and FBI certainly don't have the technology -- unless they've never used information gathered that way in court and managed not to tell anyone about it.
There are a few exceptions. First, flash / SSD drives are weird. There's a good paper on it, but the short story is that almost all flas
Re: (Score:2)
Re: (Score:2)
Oh, man! I've totally got to look in to the hybrids. The big problem with weird drive areas (bad sectors, host protected area, overprovisioning on SSDs, and the cache on a hybrid) is that a lot of drives either don't implement or improperly implement the secure-erase ATA commands. But they return "oh yes, I totally did secure-erase". So you're basically guessing unless you do careful (often very difficult) analysis.
Yeah, if you're getting conventional disks, a single pass of zeros is SOP. In the incredibly
Re: (Score:2)
Re: (Score:2)
All I know is I tried a couple of tools like Recuva on one I ran Eraser on and it got a big fat nothing. I just wasn't sure how much better the tools the feds use are for such things.
Yeah, no commercial-grade, simple tool will work at all even with a single pass of zeroes. SSDs often require two passes because of overprovisioning. But even that can only be detected by removing the flash chips from the SSD and using very unpleasant electronic techniques. (Legally, that means that your methods will be immediately called into question, and reconstructing any useful information will be very time-consuming.)
The Feds mostly have access to more time and well-trained personnel, but honestly, tr
Re: (Score:2)
Re: (Score:2)
Law enforcement tries to keep such knowledge out of the hands of defense attorneys. While books like this are written, the truly cutting edge stuff gets discussed at conferences like cacconference.org , a gathering where lots of great info is discussed that defense attorneys and the techs that work for them could use.
If they did use that info, though, it would help create a level playing field when computer crime gets to court. LEOs at every level, of course, detest the notion of a level playing field or
Re: (Score:1)
A lot closer to the issue, why the author might have some social responsibility that translates into legal. I think it should be all or nothing though, disclose everything in the field and let the community sort it out (GPL), or keep a bunch of trade secrets and rely on those to do your job. Though one sounds a lot more ethical, both are working for people as I type this. Books that subvert law enforcement are considered grey on the scale of ethics, and though a book may not be the most direct applicati
Re: (Score:1)
Re: (Score:1)
How do you pronounce "Eoghan"? (Score:2)
Is it like "Ewen"? "Yawn"? "Evan"? "Yohan"? "Eeeeeeee-yooooo, e-yo, eleven"?
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Is it like "Ewen"? "Yawn"? "Evan"? "Yohan"? "Eeeeeeee-yooooo, e-yo, eleven"?
It's Irish and is pronounced Owen (O-wen). Naturally, Mr. Casey may have a different view!
Other great Irish names - Niamh (Neve), Saedbh (Sive) and Maedbh (go on, guess - "bh" is like "v")
Re: (Score:2)
Naturally, Mr. Casey may have a different view!/quote.
He does not. He also pronounces it "Owen".
3rd Edition is out (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
No mention of chain of custody? (Score:2)
When I was in forensics, one of the most important and fundamental concepts I had to learn right off the bat was the importance of carefully documenting the chain of custody of all evidence. This is especially important in computer forensics, as digital evidence is so easy to alter. You can do the best investigation in the world, but if you screw up your chain of custody, a good defense lawyer can eat you alive. "Oh, so you're saying that you don't even *know* who all had access to this hard drive for those
Re: (Score:1)