Paperback Computer Evidence: Collection & Preservation [With CDROM] Book

ISBN: 1584504056

ISBN13: 9781584504054

Computer Evidence: Collection & Preservation [With CDROM]


Format: Paperback

Condition: Very Good

$5.79
Save $44.16!
List Price $49.95
Almost Gone, Only 2 Left!

Book Overview

As computers and data systems continue to evolve, they expand into every facet of our personal and business lives. Never before has our society been so information and technology driven. Because... This description may be from another edition of this product.

Customer Reviews

4 ratings

The Collection and Preservation of Digital Evidence

At this time I am about halfway through the book and finding it very informative and very interesting. It covers a lot of technical information which is normally pretty boring but I am having a hard time putting it down. Highly recommend this as required reading for the amateur forensic computer examiner. CR Flowers CCE

THE CSI OF COMPUTER EVIDENCE!!

Are you a law enforcement officer, system administrator, IT professional, legal professional or a computer forensics student? If you are, this book is for you! Author Christopher LT Brown has done an outstanding job of writing a great book by focusing on the first two phases of the computer forensics process: computer evidence collection and preservation. Brown begins by introducing the reader to the essential elements of computer forensics. Next, the author discusses the rules of evidence, existing computer-related case law, and regulation as a basis of understanding the nature of computer evidence in court. Then, he provides information about evidence dynamics, which is defined as anything that affects evidence in any way. The author continues by presenting the key components to knowing where data can be found within an organization's infrastructure. In addition, the author shows you how an organization's information architecture can be as diverse as a city's streets. He also examines the volatility of digital data in physical memory and storage. Next, the author explains the key components of the IDE, SIDE, and SCSI standards as they pertain to evidence collection. Then, he describes advanced physical storage methods in use today. The author also examines some of the many types and formats of removable media including flash cards and optical media. In addition, the author next describes one of the most important components of any computer forensics investigation: tools preparation and documentation. He also shows you how volatile data can be difficult to capture in a forensically sound fashion. Next, the author describes how methodologies used in computer forensics can be as varied as the systems being imaged. Then, he shows you how the collection of evidence from large computer systems can be challenging to any investigator.
The author continues by walking the reader through different design options to get the most out of their hardware configuration in the field and back in the lab. In addition, he shows you how today's computer evidence investigators rarely work from a single forensics workstation. Finally, he discusses areas for further study in computer forensics such as analysis and presentation of evidence in court. This most excellent book uses evidence dynamics at the center of its approach to show the reader what forces act on data during evidence identification, collection and storage. What's most important though, is that this book will help guide the computer forensics investigator in ensuring case integrity during the most crucial phases of the computer forensics process.

The Most Comprehensive Book on the Subject

This is a timely book as we are hearing more and more about the U.S. military and intelligence agencies collecting the computers used by terrorists. This same trend is appearing in conventional law enforcement. The amount of information that can be stored on a computer is, of course, huge; also important is the transient: What web site is the computer viewing? What e-mail system is on-line? What can be gotten from the router being used? This book goes into every aspect of getting forensics information off of a computer. It starts with examining the computer, if it is on, then extracting the information from places like temporary internet storage. Of course there's a lot that needs to be done with the hard drive, and if you can find backup disks, tapes or memory devices. In addition, there are hardware and software tools that can be used to extract information from the system. A general coverage of these is given, along with sources. Some of these are included on the CD-ROM included with the book. This book is intended for use in a legal environment, so there is discussion on maintaining the chain of evidence to ensure that it doesn't get thrown out of court. Should you be on the other side in a trial, this gives you something to ask of the investigators to be sure that they have followed the rules. Basically this is the most complete, most thorough book on the subject written by one of the experts in the business.

Great resource

It seems that a lot of books on forensics concentrate on making a disk image of the hard drive being examined, filtering the information on the disk, and presenting it in proper format for court use. However, collecting and preserving the evidence is much more than imaging the hard disk. If the computer is still on, then evidence may be in memory; potential evidence may be on routers, proxy servers, etc. This book details this part of forensic evidence gathering, an area often just skimmed over in other computer forensics texts. This is a critical aspect of investigation because it does not matter how well your filtering works and how much evidence you obtain if your data preservation was not done correctly and the evidence is inadmissible in court. Evidence dynamics is covered in detail and the author does a better job of this than any other forensics book I have read. Evidence dynamics is how to keep the evidence from disappearing or changing. Just the act of shutting down a computer changes temporary files, open processes, swap file information, and many other items that may be necessary for a thorough investigation. Even the appendixes are valuable and contain several excellent sample forms including chain of custody, evidence collection, and evidence access worksheets. If you are involved in either the collection or the maintenance of data for a potential court case, then you will be interested in this book. Alternatively, if you are trying to discredit an expert witness, then the information presented here may also provide areas of attack. Either way, Computer Evidence Collection and Preservation is highly recommended.