
Book Review: Digital Evidence and Computer Crime

brothke writes "When it comes to a physical crime scene and the resulting forensics, investigators can ascertain that a crime took place and gather the necessary evidence. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible to the human eye. That is just one of the challenges of digital forensics, where it is easy to destroy crucial evidence and often difficult to preserve it correctly." Read on for the rest of Ben's review.
Title: Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet
Author: Eoghan Casey
Pages: 840
Publisher: Academic Press
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-0123742681
Summary: Definitive reference on the subject of digital evidence and computer crime
For those looking for an authoritative guide, Digital Evidence and Computer Crime is an invaluable book that can be used to ensure that any digital investigation is conducted in a formal manner, so that its results can ultimately be used to determine what happened and, if needed, be presented as evidence in court.

Written by Eoghan Casey, a leader in the field of digital forensics, in collaboration with 10 other experts, the book's 24 chapters and nearly 800 pages provide an all-encompassing reference. Every relevant topic in digital forensics is dealt with in this extraordinary book. Its breadth makes it relevant to an extremely large reading audience: system and security administrators, incident responders, forensic analysts, law enforcement, lawyers and more.

In the introduction, Casey writes that one of the challenges of digital forensics is that the fundamental aspects of the field are still in development. Be it the terminology, tools, definitions, standards, ethics and more, there is a lot of debate amongst professionals about these areas. One of the book's goals is to assist the reader in tackling these areas and to advance the field. To that end, it achieves its goals and more.

Chapter 1 is appropriately titled Foundation of Digital Forensics, and provides a fantastic overview and introduction to the topic. Two of the superlative features in the book are the hundreds of case examples and practitioners' tips. The book magnificently integrates the theoretical aspects of forensics with real-world examples to make it an extremely readable guide.

Casey notes that one of the most important advances in the history of digital forensics took place in 2008 when the American Academy of Forensic Sciences created a new section devoted to digital and multimedia sciences. That development advanced digital forensics as a scientific discipline and provided a common ground for the varied members of the forensic science community to share knowledge and address current challenges.

In chapter 3 – Digital Evidence in the Courtroom – Casey notes that the most common mistake that prevents digital evidence from being admitted in court is that it is obtained without authorization. Generally, a warrant is required to search and seize evidence. This and other chapters go into detail on how to ensure that evidence gathered is ultimately usable in court.

Chapter 6 – Conducting Digital Investigations – is one of the best chapters in the book. Much of this chapter details how to apply the scientific method to digital investigations. The chapter is especially rich with tips and examples, which are crucial, for if an investigation is not conducted in a formal and consistent manner, a defense attorney will attempt to get the evidence dismissed.

Chapter 6 and other chapters reference the Association of Chief Police Officers' Good Practice Guide for Computer-Based Electronic Evidence as one of the most mature and practical documents to use when handling digital crime scenes. The focus of the guide is to help digital investigators handle the most common forms of digital evidence, including desktops, laptops and mobile devices.

The Good Practice Guide is important in that digital evidence comes in many forms, including audit trails; application, badge reader, ISP and IDS logs; biometric data; application metadata; and much more. The investigator needs to understand how all of these work and interoperate to ensure that they are collecting and interpreting the evidence correctly.

Chapter 9 – Modus Operandi – by Brent Turvey is a fascinating overview of how and why criminals commit crimes. He writes that while technologies and tools change, the underlying psychological needs and motives of the offenders and their associated criminal behavior have not changed through the ages.

Chapter 10 – Violent Crime and Digital Evidence – is another extremely fascinating and insightful chapter. Casey writes that whatever the circumstances of a violent crime, information is key to determining and thereby understanding the victim-offender relationship, and to developing an ongoing investigative strategy. Any details gleaned from digital evidence can be important, and digital investigators must develop the ability to prioritize what can be overwhelming amounts of evidence.

Chapter 13 – Forensic Preservation of Volatile Data – deals with the age-old forensic issue: to shut down or not to shut down? It provides a highly detailed sample volatile data preservation process for an investigator to follow to preserve volatile data from a system. There is also a fascinating section on the parallels between arson and digital intrusion investigations.

Part 4 of the book, Computers, notes that although digital investigators can use sophisticated software to recover deleted files and perform advanced analysis of computer hard drives, it is important for them to understand what is happening behind the scenes. A lack of understanding of how computers function, and of the processes that sophisticated tools have automated, makes it more difficult for digital investigators to explain their findings in court and can lead to incorrect interpretations of digital evidence.

Chapter 17 – File Systems – has an interesting section on dates and times. Given the importance of dates and times when investigating computer-related crimes, investigators need an understanding of how these values are stored and converted. The chapter has a table of the date-time stamp behavior on both FAT and NTFS file systems. Time stamps are not a trivial issue, as there are many different actions involved (file moved, deletion, copy, etc.) that can affect the date-time stamp in very different ways.
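The storage-and-conversion point above is easiest to see in code. The following is an added example, not material from the book or this review: it encodes the same instant in the two on-disk formats the chapter compares (the NTFS 64-bit FILETIME and the packed 16-bit FAT date and time words) and shows the two things an examiner has to account for, the 2-second rounding of FAT modification times and the fact that FAT records local time with no zone, so the same bytes decode to different UTC instants depending on what zone the machine was set to. The sample instant is constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example; the encodings are the documented FAT and NTFS on-disk formats,
# the sample instant below is constructed for illustration.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # NTFS FILETIME origin
TICKS_PER_SECOND = 10_000_000                            # FILETIME counts 100 ns ticks


def filetime_from_bytes(raw: bytes) -> int:
    """NTFS stores each timestamp as a little-endian unsigned 64-bit integer."""
    assert len(raw) == 8
    return int.from_bytes(raw, "little")


def filetime_to_datetime(ft: int) -> datetime:
    """100 ns ticks since 1601-01-01 UTC -> aware UTC datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def fat_encode(local: datetime) -> tuple:
    """FAT directory entries pack a date word (years since 1980, month, day) and a
    time word (hour, minute, seconds/2). Odd seconds are lost; no zone is recorded."""
    date = ((local.year - 1980) << 9) | (local.month << 5) | local.day
    time = (local.hour << 11) | (local.minute << 5) | (local.second // 2)
    return date, time


def fat_decode(date: int, time: int) -> datetime:
    """Inverse of fat_encode; naive result because FAT never stored a zone."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def fat_to_utc(date: int, time: int, zone_offset_hours: int) -> datetime:
    """The examiner supplies the zone the system clock was set to; a wrong
    assumption shifts every FAT timestamp by the difference."""
    zone = timezone(timedelta(hours=zone_offset_hours))
    return fat_decode(date, time).replace(tzinfo=zone).astimezone(timezone.utc)


def demo() -> dict:
    """Encode one constructed instant both ways and report what comes back."""
    instant = datetime(2011, 3, 7, 14, 5, 33, 123456, tzinfo=timezone.utc)
    ft = datetime_to_filetime(instant)
    d, t = fat_encode(instant.replace(tzinfo=None))   # FAT gets the wall-clock time
    return {
        "ntfs_roundtrip": filetime_to_datetime(ft).isoformat(),   # exact
        "fat_roundtrip": fat_decode(d, t).isoformat(),            # 14:05:32, not :33
        "fat_as_utc_minus5": fat_to_utc(d, t, -5).isoformat(),
        "fat_as_utc_plus1": fat_to_utc(d, t, 1).isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value}")
```

The same FAT words read under UTC-5 and UTC+1 land six hours apart, which is why an examiner records the system's zone setting before interpreting FAT timestamps.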

A better title for Digital Evidence and Computer Crime might be the Comprehensive Guide to Everything You Need to Know About Digital Forensics. One is hard pressed to find another book overflowing with so many valuable details and real-world examples.

The book is also relevant for those who are new to the field, as it provides a significant amount of introductory material that delivers a broad overview to the core areas of digital forensics.

The book progresses to more advanced and cutting-edge topics, including sections on various operating systems, from Windows and Unix to Macintosh.

This is the third edition of the book, completely updated and re-edited. When it comes to digital forensics, this is the reference guide that all books on the topic will be measured against.

With a list price of $70.00, this book is an incredible bargain given the depth and breadth of topics discussed, with each chapter written by an expert in the field. For those truly serious about digital forensics, Digital Evidence and Computer Crime is an equally serious book.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


  • So, who would actually use this NOT to try and subvert law enforcement?

    I don't remember the name, but there was a book written about how to commit the perfect murder, and there was this huge thing about how a guy got off the hook because of the book and how liable the author was, etc...

    The argument was that by creating the book, the author was an accomplice, of course the only path to proving something like this is through pure ethics, (ethics != legal).

    I wonder if somebody used something like this book to

    • As long as arms manufacturers are not held liable for every killing done by their equipment I don't see why this guy should.

      • There's a very grey line here that may not be so obvious. I remember how the First Amendment was explained to me in school: it's ok to yell "f the government" in front of Capitol Hill, but it's not ok to yell fire in a packed movie theater. That's because the latter can cause harm to others, thus imposing the consequences of your speech onto others, and there are consequences for doing that.

        http://en.wikipedia.org/wiki/Schenck_v._United_States [wikipedia.org] and to make things worse...
        http://en.wikipedia.org/wiki/Brandenbur [wikipedia.org]

        • it's not ok to yell fire in a packed movie theater room

          The concept here is that yelling fire in a packed movie theater creates a "clear and present danger [wikipedia.org]". It is clear that yelling it will cause people to run for their lives, and it is present in that people will react before cooler heads can put things into perspective. With a book, the reader has plenty of time to consider the consequences of their actions. So no, I don't think it spills over into books.

          Also note the "clear and present danger" tes

        • Well, as you said, it is a very gray line. Making, or not, sense of it is more of an academic exercise than anything else. The legal system is a shit storm of badly depicted ideals and foul wishing. All you can reliably do is just acknowledge this ambiguity's existence and move on.

          On another note: crying "Fire" in a packed theater is probably the best way to get "/permanently?/" rid of the hysteric idiot that will start yelling at their spouse in the middle of the play. Just saying...

          Personal opinion: Knowl

      • by Meshach ( 578918 )

        As long as arms manufacturers are not held liable for every killing done by their equipment I don't see why this guy should.

        Maybe because the arms manufacturer does not also show people novel ways to kill someone and escape any responsibility for their actions? Selling someone a gun is different from providing them a detailed plan to murder someone and get away with it.

    • and there was this huge thing about how a guy got off the hook because of the book and how liable the author was, etc...

      For false advertising? If it had been a perfect murder we wouldn't have heard about it...

    • by Ragun ( 1885816 )
      Culpable mental states play a large role in this kind of thing. This book is written with the obvious intent to educate, not to aid in crime. Intent matters in law.
      • Intent matters in law.

        did not know that. Please elaborate

        • Look up mens rea [wikipedia.org]. I'm not sure I could explain it much better than that.

          I do know a guy who shot his wife in the head and killed her, then called the EMS. Because the intent and state of mind (Mens Rea) is built into the murder/homicide statutes, he ended up getting convicted of voluntary manslaughter and was sentenced (actually, he got re-sentenced because of some lawsuit challenging the constitutionality of floating sentences like 5-15 years) 8 years total and is now back on the streets without parole or

        • by Ragun ( 1885816 )
          In my state there are several of what they call 'culpable mental states.' These are 'with intent to,' 'recklessly,' 'knowingly' and 'with criminal negligence.' Different crimes require different levels. The difference between 2nd degree murder and manslaughter is that one requires intent, while the other only requires recklessness or criminal negligence. Some crimes punish you for doing X, while some charge you only for knowingly doing X.

          Of course, it's impossible to be absolutely sure what someone was i
    • So by your way of thinking anything that could be used for evil should not be published and any methodology that could be used for evil should be obscured? Yawn. I've heard such a debate a million times about full disclosure. What it comes down to is that anything can be used for evil, but unless that is the intent here why mention that fact at all?
    • The question I have, which maybe someone who has read this book can answer, is this: Who is right, those that say you have to use Gutmann and wipe a bazillion times, or the ones that say a simple zero out cleans a drive?

      While I'm not worried about the MiB kicking my door in, I'm more worried about all the drives that end up coming through the shop. I get used drives from all over the place and usually just run a quick zero wipe and stuff it in a drawer. Is that enough?

      • by hoggoth ( 414195 )

        I'm in the field. Gutmann hasn't been accurate for over a decade. Modern drives pack the bits much closer together. Nothing can be recovered after a single wipe with all zeros or, better, all pseudo-random. Even Gutmann himself acknowledges this: "For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do."

        • Thanks. I usually use a tool called Easttec Eraser and use what is called a "quick two pass with verification," which I've found to be just about as fast as a single pass. It writes one set of zeroes followed by random numbers and then does a quick verification. So if what you are saying is true my method is overkill but should work no problem.

          Anyway if anyone needs a quick Windows based wiper with a ton of options Easttec Eraser is pretty nice. I've been using it for a couple of years now and it gives you

      • by blueg3 ( 192743 )

        Nobody in the field of computer forensics has ever claimed or had a reason to believe that any data is recoverable from modern hard drives that have been wiped with a single pass of zeroes (or any other pattern). The police and FBI certainly don't have the technology -- unless they've never used information gathered that way in court and managed not to tell anyone about it.

        There are a few exceptions. First, flash / SSD drives are weird. There's a good paper on it, but the short story is that almost all flas

        • So that means hybrid drives are right out, huh? With those the OS doesn't access the SSD part, it's all controlled by firmware, so I doubt one could even zero out something that had been put in the SSD cache.

          Like I said my main worry was all the used drives I get coming through my door. I get drives from customers when they upgrade, I get drives from dead boxes and other shops, sometimes I buy a lot of drives from somewhere. So I have NO clue as to what has been on a good 80% of the drives before I got them, i

          • by blueg3 ( 192743 )

            Oh, man! I've totally got to look in to the hybrids. The big problem with weird drive areas (bad sectors, host protected area, overprovisioning on SSDs, and the cache on a hybrid) is that a lot of drives either don't implement or improperly implement the secure-erase ATA commands. But they return "oh yes, I totally did secure-erase". So you're basically guessing unless you do careful (often very difficult) analysis.

            Yeah, if you're getting conventional disks, a single pass of zeros is SOP. In the incredibly

            • Yeah the way I was told the hybrids work is the firmware watches what the OS does and uses the SSD as a big buffer cache, so that the drive can stay spun down longer and can just stream writes instead of start/stop on every little thing. But since it is all controlled by the firmware who the hell knows what it will report back if you try to zero it or even if you CAN zero it out, as to the OS the cache doesn't exist, it's just the HDD. I don't think the cache is even counted in drive space so you can't just

              • by blueg3 ( 192743 )

                All I know is I tried a couple of tools like Recuva on one I ran Eraser on and it got a big fat nothing. I just wasn't sure how much better the tools the feds use are for such things.

                Yeah, no commercial-grade, simple tool will work at all even with a single pass of zeroes. SSDs often require two passes because of overprovisioning. But even that can only be detected by removing the flash chips from the SSD and using very unpleasant electronic techniques. (Legally, that means that your methods will be immediately called into question, and reconstructing any useful information will be very time-consuming.)

                The Feds mostly have access to more time and well-trained personnel, but honestly, tr

                • Well all I know is from a friend that works forensics at the state crime lab, but they don't take drives apart, they just image them and then use image based tools to scan for files, that way they preserve the chain of evidence. Adam tries to hire me every time we do lunch, but....fuck that. I don't think I could handle looking at pedo shit all damned day, that would mess my head up. I know he goes to a state paid for shrink twice a week to "data dump" as he calls it, but I don't think I could handle lookin

    • Law enforcement tries to keep such knowledge out of the hands of defense attorneys. While books like this are written, the truly cutting edge stuff gets discussed at conferences like cacconference.org , a gathering where lots of great info is discussed that defense attorneys and the techs that work for them could use.

      If they did use that info, though, it would help create a level playing field when computer crime gets to court. LEOs at every level, of course, detest the notion of a level playing field or

      • A lot closer to the issue, why the author might have some social responsibility that translates into legal. I think it should be all or nothing though, disclose everything in the field and let the community sort it out (GPL), or keep a bunch of trade secrets and rely on those to do your job. Though one sounds a lot more ethical, both are working for people as I type this. Books that subvert law enforcement are considered grey on the scale of ethics, and though a book may not be the most direct applicati

    • Not sure what this has to do with the review or the book?
    • Still not sure of the point you are trying to make.
  • Is it like "Ewen"? "Yawn"? "Evan"? "Yohan"? "Eeeeeeee-yooooo, e-yo, eleven"?

  • Note that the 3rd edition is already out also (the Amazon link and picture are to the second edition): http://search.barnesandnoble.com/Digital-Evidence-and-Computer-Crime/Eoghan-Casey/e/9780123742681?itm=1&usri=Digital%2BEvidence%2Band%2BComputer%2BCrime [barnesandnoble.com]
  • When I was in forensics, one of the most important and fundamental concepts I had to learn right off the bat was the importance of carefully documenting the chain of custody of all evidence. This is especially important in computer forensics, as digital evidence is so easy to alter. You can do the best investigation in the world, but if you screw up your chain of custody, a good defense lawyer can eat you alive. "Oh, so you're saying that you don't even *know* who all had access to this hard drive for those
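The comment above makes the two points a chain-of-custody record has to cover: that the evidence itself has not changed, and who handled it when. As an added example, not the commenter's code or anything from the book, the class below anchors an evidence image by its SHA-256 and keeps an append-only custody ledger in which every entry carries the hash of the previous entry, so both a modified image and an edited or removed ledger line are detected on verification. Item names, handler names and the sample image are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Hash-chained chain-of-custody ledger for one evidence item (added example).
    The first entry links to the image hash, each later entry to the entry before
    it, so editing or deleting any line breaks every link after it."""

    def __init__(self, item_id: str, image_bytes: bytes, handler: str, when=None):
        self.item_id = item_id
        self.image_hash = sha256_hex(image_bytes)   # acquisition hash of the image
        self.entries = []
        self.record("acquired", handler, "image acquired, hash computed", when)

    def record(self, action: str, handler: str, note: str, when=None) -> dict:
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.image_hash
        entry = {"item": self.item_id, "action": action, "handler": handler,
                 "when": when, "note": note, "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_image(self, image_bytes: bytes) -> bool:
        """True if the image presented now is byte-identical to what was acquired."""
        return sha256_hex(image_bytes) == self.image_hash

    def verify_log(self) -> bool:
        """Recompute every link; False on a missing, edited or reordered entry."""
        if not self.entries:
            return False
        prev = self.image_hash
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    image = b"constructed evidence image bytes " * 64          # stands in for a disk image
    log = CustodyLog("HDD-001", image, "examiner-1", "2011-03-07T14:05:33+00:00")
    log.record("transferred", "examiner-2", "sealed bag to lab", "2011-03-08T09:00:00+00:00")
    print("image intact:", log.verify_image(image), "ledger intact:", log.verify_log())
```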
