"Computer and Intrusion Forensics", George Mohay et al, 2003,
%A George Mohay
%A Alison Anderson
%A Byron Collie
%A Olivier de Vel
%A Rodney McKemmish
%C 685 Canton St., Norwood, MA 02062
%I Artech House/Horizon
%O U$79.00 800-225-9977 fax: +1-617-769-6334 artech@...
%P 395 p.
%T "Computer and Intrusion Forensics"

The traditional data recovery aspect of computer forensics has been
covered by Kruse and Heiser in "Computer Forensics" (cf.
BKCMPFRN.RVW), and by Caloyannides in "Computer Forensics and Privacy"
(cf. BKCMFRPR.RVW) (and somewhat less ably by Casey [cf.
BKCMCRIN.RVW], Kovacich and Boni [cf. BKHTCRIH.RVW], Icove, Seger, and
VonStorch [cf. BKCMPCRM.RVW], Marcella and Greenfield [cf.
BKCYBFOR.RVW], van Wyk and Forno [cf. BKINCRES.RVW], and Mandia and
Prosise [cf. BKINCDRS.RVW]).

So far network forensics has only been specifically dealt with in the
not-terribly-useful "Hacker's Challenge," by Schiffman (cf.

"Computer and Intrusion Forensics" is the first attempt to bring both
topics into a single book. (It is intriguing to note that Eugene
Spafford, who wrote the foreword, is a pioneer of the "third leg":
software forensics, which the book does not cover.)

Chapter one is an introduction to computer and network (intrusion)
forensics, pointing out the ways that computers can be involved in the
commission of crimes and the requirements for obtaining and preserving
evidence in such cases. While the material provides a good
foundation, the text is inflated in many places, and could benefit
from stricter adherence to the topic and more focused writing. (One
illustration shows a pattern of concentric rings indicating that the
set of productive activities encompasses all legal endeavors which, in
turn, encompasses all approved actions. I suspect that a great many
legal and even approved activities are unproductive--while no doubt a
number of illegal activities would be approved, at times.)

"Current Practice," in chapter two, is a broad overview of the concerns,
technologies, applications, procedures, and legislation bearing on
digital evidence recovery from computers. In fact, this single
chapter is the equivalent of, and sometimes superior to, a number of
the computer forensics books mentioned above. However, the breadth of
the discussion does come at the expense of depth. This content is
quite suitable for the information security, or even legal,
professional who needs to understand the field of computer forensics,
but it does not have the detail that a practitioner may require.
Although chapter three is supposed to deal with computer forensics in
law enforcement (and there is a brief section on the rules of
evidence), it is primarily a reiteration (and some expansion) of the
procedures for data recovery and the software tools available for this
task. Forensic accounting, and the algorithms that can be used to
detect fraud, are outlined in chapter four, but very little is
directly relevant to computer forensics as such. Case studies,
demonstrating the techniques discussed earlier and some that are not,
are described in chapter five. Intrusion forensics concentrates on
intrusion detection systems (IDS), although it does not provide a very
clear or complete explanation of the distinctions in data collection
(host- or network-based) or analysis engines (rule, signature,
anomaly, or statistical). Chapter seven finishes off the book with a
list of computer forensic research which is being, or should be,

While the computer forensic content is sound, and it is heartening to
see other fields being included, the very limited work on network
forensics is disappointing. This text is a useful reference for those
needing background material on forensic technologies, but breaks no

copyright Robert M. Slade, 2003 BKCMINFO.RVW 20030605