In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried to not let those facts sway my reviews.
In terms of overall book value, ECF is the weakest of the three previously mentioned -- but it is the only book on EnCase. As such it is the one independent book which will help you understand the king of the commercial forensics world. I was particularly interested in using the accompanying DVD, which offered a demo version of EnCase. I did encounter the same limitations as mentioned in previous reviews, but I was able to at least perform most of the numbered exercises in the text. I thought the fairly crippled version of EnCase packaged with the book was a drawback, but I know Guidance Software is paranoid about even discussing their product outside of their training environment.
As far as covering EnCase goes, ECF is a pretty good book. I am an EnCase newbie, but I was able to follow most of the book's discussion of the product's interface. Since the lead author is a police officer, I also thought that perspective was valuable. His mindset appeared in the chapter where securing the crime scene was discussed. The inclusion of short case studies also kept the tone lively and relevant.
I had two major problems with ECF, hence the three star review. First, a book that includes a demo copy of EnCase and sample evidence files should use them throughout the text. When introducing EnCase's interface, use a sample evidence file from the DVD so the reader can follow along. While the book's exercises use the DVD evidence files, the textual explanation of the interface seldom does. That was frustrating. The authors should have either said "You need a fully licensed copy of EnCase to follow along" or they should have run all their examples as if they were a reader using the sample DVD. They would have learned you can't "Add Devices" using the DVD version and you can't save bookmarks -- argh.
The second major problem I found with ECF involved indications of technical misunderstandings and questionable vernacular. Examples follow. "BSD" is not "a Linux variant" (p 91). There is no such thing as "BSD Linux" (p 231). The authors' faith in MD5 should be positioned against research from the last few years. The "approved solution" for shutting down a Unix server ("synch; synch; halt") plus lack of non-Windows material made me question the relevance of the book to non-Windows platforms. On the language side, I didn't like reading about "NIC cards" (p 381) and "RAM memory" (p 381). These are the sorts of issues that make me wonder if I'm reading another book about "the Windows," thereby undermining my faith in ECF's recommendations.
On the operational forensics side, the book is strongly in the traditional "pull the plug, image the hard drive, grep for strings" camp. This model dominated host-centric forensics for decades, but it has been largely inadequate for the past 10 years. For example, there's nothing really useful on live analysis or memory forensics. NTFS is barely addressed, unlike FAT -- another sign of being somewhat backward. I think a second edition of this book would be a lot stronger -- and it would catch the error of using the word "Sudy" on the cover in place of "Study".
Still, because this is the only book on EnCase, it does share plenty of helpful suggestions on using that software.One possible use case for the book would be using it to apply EnCase to data provided on the DVD we ship with "Real Digital Forensics," looking for Windows artifacts described in WF, based on your understanding of hard drives from Brian Carrier's FSFA.
Product Description
EnCE certification tells the world that you've not only mastered the use of EnCase Forensic Software, but also that you have acquired the in-depth forensics knowledge and techniques you need to conduct complex computer examinations. This official study guide, written by a law enforcement professional who is an expert in EnCE and computer forensics, provides the complete instruction, advanced testing software, and solid techniques you need to prepare for the exam.
From the Back Cover
Fully revised for the very latest EnCE exam and EnCase software
Key topics include:
Understanding Computer Hardware. Understanding computer components, boot processes, partitions, and file systems, so you can explain them to a jury
First Response. What to do and how to follow procedures when first entering a scene
Acquisition of Digital Evidence. Creating EnCase boot disks; booting with EnCase boot disks; and drive-to-drive, network cable, FastBloc, LinEn, and Enterprise acquisitions
EnCase Forensic Software Overview. Tour of EnCase environment including software, menus, and capabilities
Report Writing. Sample reports from real-life cases (names changed)
EnCase Legal Journal. Essential information on operating within the law and giving expert testimony
Look inside for complete coverage of all exam objectives.