Issue No. 05 - September-October (2003 vol. 1)
Computer and Intrusion Forensics is an excellent introduction to the study of how people can use computers for nefarious purposes. I highly recommend this book for novices looking to start a career in an up-and-coming field, as well as for security experts wanting to expand their knowledge base.
This book is an eye opener for anyone who's fallen under the spell of popular crime scene investigation dramas on American television. These shows highlight the glamorous side of being a forensics specialist, but omit the minutiae involved in the profession. For example, the investigators on one popular show analyze the original contents of a laptop's hard drive, which, if this were a real case, would lead to the evidence's inadmissibility in court. This text, however, describes in detail the thorough measures a computer forensic investigator must take from the start of an investigation to the subsequent presentation of facts in court. The book clearly shows that a good computer forensic investigator must have a complex set of skills that include legal knowledge, evidence management, data storage and retrieval, and courtroom presentation.
To help the reader acquire these skills, the authors divide the book into two sections. The first explicates the history of computer crime, computer forensics, and computer security. During this introduction, the authors distinguish between computer forensics, which is the investigation of crimes committed by computers, and intrusion forensics, which is the investigation of crimes targeting computers.
From this distinction, the authors provide an exacting discussion about the computer forensics field. They focus on the procedures used to collect and store digital data streams as evidence, the tools used, and the emerging procedures and standards dictating how to collect, store, and present evidence in court. For example, to analyze a computer for evidence of criminal activity, a computer forensics investigator must first make a copy of the digital data suspected of containing incriminating evidence. If this data is stored on a hard drive, the investigator also must make an exact replica of the drive's contents without compromising the original data. When presenting this type of case in court, the investigator then must prove beyond reasonable doubt that the original was not contaminated; he or she also must prove that the techniques used to analyze the original copy were based on established peer-reviewed principles in the computer science field.
The first section concludes with a thorough explanation of the procedures used to investigate accounting fraud along with a set of case studies, which are illuminating because they tie together all previously discussed concepts.
The book's second section focuses on intrusion detection and forensics. The authors provide their history along with a discussion of how these two concepts fit under the rubric of computer forensics. The book makes a well-defined distinction between signature- and anomaly-based intrusion detection techniques, and describes the tools and methods used to identify a compromised computer or computer network. The book elegantly explains common practices used in conjunction with intrusion detection systems that can secure a computer network.
Overall, the book is excellent for introductory-level courses on computer forensics. The authors introduce and develop concepts with clear explanations and examples, and they provide a set of references that gives more in-depth explications of these notions. The book also includes an appendix that contains important acronyms used in the field. It's a wonderful resource for individuals seeking to learn more about the field of computer and intrusion informatics.
Robert J. Campbell is an assistant professor in the Department of Health Management Systems at Duquesne University, Pittsburgh. Contact him at firstname.lastname@example.org.