Computer Evidence: Collection & Preservation

Kessler and Marcus Rogers

An edited version of this book review was published in the March 2006 issue of the Journal of Digital Forensic Practice.

Most books on computer forensics in the past have presented the process of digital investigation from the perspective of law enforcement, which makes sense given the historic evolution of the field. A refreshing trend in the last year or so, however, has been the publication of books that focus more on the information technology aspects of computer forensics. Chris Brown's book joins the short list of books in this latter category.

Brown, founder of Technology Pathways (the vendor of ProDiscover), has written the first book to focus almost entirely on evidence dynamics, defined as "any force that affects evidence in some way." Given the enormous pool of digital storage devices, the myriad ways in which computers and networks might be configured, and the variety of ways in which computers might be found in the field, the actual investigation is often much more straightforward than the acquisition of the data in a forensically sound fashion. And this is the raison d'être for the book: "Because these four phases cover such a broad area, books and courses that try to address each area usually relegate evidence collection to its simplest form, disk imaging, leaving all but the most basic questions unanswered" (from the Introduction).

Brown's book is divided into five parts: computer forensics and evidence dynamics (58 pg.), information systems (66 pg.), data storage systems and media (58 pg.), artifact collection (90 pg.), and maintaining evidence (56 pg.). It is clear where the meat of the book lies. The first three parts of the book nicely prepare the reader for the fourth part (preparing a methodology and tool set for acquiring digital evidence, collecting volatile data, imaging, and gathering data from large systems), the hardest aspects of bringing together everything you need to analyze computers in a structured way based upon some orderly engineering principles. The book also contains reference and additional reading lists at the end of each chapter, plus eight appendices that provide very useful information (although the list of agencies and contacts will be the first part of the book to become out-of-date). In addition, the book's CD-ROM provides the reader with samples of the software discussed in the book.

An early chapter on Rules of Evidence, Case Law, and Regulation is particularly noteworthy. The treatment of law is somewhat U.S.-centric yet still sets the stage well for the practitioner. Most books in this genre only give lip service to the legal aspects, but Brown has provided nice coverage for the practitioner, particularly when it comes to giving testimony as an expert witness. The first chapter's mention of Locard's principle and Henry Lee's crime scene analysis is a nice way to tie computer forensics in with criminalistics. But the use of the term filtering as a phase of the computer forensic process is non-standard and a bit surprising. This term does not appear to be used in any other model and, indeed, has a lot of negative connotations from a legal perspective. Analysis and interpretation are probably better terms and more truly represent what should occur in this phase of the process.