Real Digital Forensics. Computer Security and Incident Response
by Jones, Keith, Richard Bejtlich and Curtis Rose

Addison-Wesley 2006.
ISBN 0-321-24069-3. $49.99. 650 pages; Index; Appendix; DVD.

Reviewed by  Bob Bruen   11/14/05 

In just a few short years, computer forensics has gone from a few headline grabbing cases to a standard operating procedure for almost every criminal investigation. For just about every arrest, no matter what the crime, a computer is seized. In addition to law enforcement, the private sector has jumped into the game, some offering services and some using forensics within their own organizations. The amount of recorded information in our world today is staggering: from blogs to emails, things we wanted public and things we wanted private. The digital world is treasure trove for discovery.

A number of goods books have been published during those few short years, but there is still room for books with new and better approaches. Real Digital Forensics offers cases with real depth and supporting work on a DVD. There are five cases plus several scenarios with binaries which need to be examined. Guardian Software gives away marketing CDs with its forensics product EnCase on it along with a few static data cases. This is clearly helpful when learning about their product because you practice using EnCase with case data. You can not use it to analyze your data, but it is, after all, a free working version of the most court-accepted commercial forensics tool

The chapters detailing the cases and the accompanying DVD are even more valuable for practice. The reader is able to follow the thinking of the investigator, discovering why a step was taken or what step should follow that step. The tools cover a wide spectrum, although some are limited in functionality. There is limited version of IDAPro, Red Cliff's Web Historian and several others. If you believe that Windows actually deletes your history of web surfing when you tell it to do so, try the Web Historian for a unpleasant surprise. The chosen tools are a good set.

Another good choice by the authors was to include a good balance throughout the book between Unix (*BSD and Linux) and Windows. Several of the later chapters cover reverse engineering in excellent detail. They do not call it reverse engineering, instead it is static analysis or dynamic analysis of a binary. They use the built-in Unix commands and several tools to do the work on both Unix and Windows. In addition, they cover network-based forensics.

Given that this a new forensics text it is up to date with several chapters on duplicating and analyzing PDAs and USB drives. EnCase is used in one the chapters. Lastly, there is chapter devoted to choosing a set of tools which will go on your personal Knoppix CD which you can create using their instructions.

Whatever good forensics books you may have, this one needs to be read and added to your collection. It is a highly recommended book for the content, as well as the presentation, which one of the best I have seen.