Handbook of Computer Crime Investigation. Forensic Tools and Technology
edited by Eoghan Casey
Academic Press 2002
448 pages. Subject index, author index, 5 appendices. ISBN 0-12-163103-6
Reviewed by Robert Bruen March 15, 2002
The Handbook is a collection of fourteen papers addressing three major areas within computer forensics: tools, technology and cases. Computer forensics is basically recovering information from a disk for evidence. It seems that, perhaps because of windowed interfaces, many users no longer understand the intricacies of disks and files. Of the few who do understand, some try to hide files by various means, which others will then try to uncover. Often the files are neither encrypted nor hidden, but there are so many of them that they must be sifted through to find the key files of interest.
The need for computer forensics is growing all the time. In many criminal cases law enforcement personnel will take the computer and/or disk as standard operating procedure. The bad guys not only use their computers for criminal activities, but they need to keep records just like the rest of us. Simply pulling out the information, collecting it, then providing the proper documentation is the task at hand. The biggest challenge is getting the evidence without disrupting dates, permissions, etc., which would destroy the integrity of the evidence, making it worthless in court.
As the need grows, so does the business response. Some of the tools covered are commercial products, such as EnCase. There are several approaches to forensic evidence gathering from disks. Some companies operate on the principle that software is all that is necessary, some push hardware and some a combination. There are also those who think that the real money is to be made by selling expertise. This is normal evolution in the business world where several approaches are taken with the best one or combination surviving.
The software-only proponents believe that the hardware piece will become so routine that anyone will be able to operate whatever the hardware ends up being. The hardware guys are trying to develop the best hardware. EnCase is hardware, software and expertise. The basic process is to get a copy of the disk and analyze the copy. EnCase takes an image of the disk that goes into its own file format for analysis. This leaves the original disk to be put in the evidence storage facility while the image is searched through by software. EnCase has a portable machine that takes the image on site, and it even handles RAID. Although the principle of making a copy for analysis seems straightforward, there are a number of twists and turns involved in getting it right.
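The copy-then-analyze principle above, with the integrity check that makes the copy usable as evidence, as an added example that is not from the Handbook or from EnCase: the source is hashed as it is read, the finished image is hashed again, and the two digests must agree before the original goes to storage. A constructed sample file stands in for the disk device.

```python
"""Hash-verified imaging: copy a disk bit for bit, then analyze only the copy.
Added example; a constructed temp file plays the role of the source disk."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size, suitable for block devices as well as files


def hash_file(path):
    """SHA-256 of a file read sequentially in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy `source` to `image`, hashing the source while it is read and the
    finished image afterwards. Returns both digests and whether they agree;
    only a verified image should be handed to the analysis tools."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    os.chmod(image, 0o444)  # the image is read-only from here on
    acquired = src_hash.hexdigest()
    verified = hash_file(image)
    return {"source_sha256": acquired, "image_sha256": verified,
            "verified": acquired == verified}


def demo():
    """Image a constructed 3 MiB sample disk and confirm the copy matches
    while the source file itself was left untouched."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sample_disk.raw")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))  # constructed sample data
    before = os.stat(source).st_mtime_ns  # original must not be modified
    result = acquire_image(source, os.path.join(workdir, "sample_disk.img"))
    result["source_untouched"] = os.stat(source).st_mtime_ns == before
    return result


if __name__ == "__main__":
    print(demo())
```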
The Handbook is geared towards crime, such as pornography, but we can all learn a lot from this great set of papers. I did and I am glad I did. This is an area worth exploring for security folks, especially if you believe that you might be involved with a computer that might end up as evidence.