Computer Evidence: Collection & Preservation (Networking & Security)
 

Christopher LT Brown (Author)
4.5 out of 5 stars (4 customer reviews)

List Price: $49.95

There is a newer edition of this item:
Computer Evidence: Collection and Preservation (4.0 out of 5 stars, 2 reviews)

Book Description

ISBN-10: 1584504056 | ISBN-13: 978-1584504054 | Publication Date: October 3, 2005 | Edition: 1
Computer Evidence: Collection and Preservation teaches law enforcement and computer forensics investigators how to identify, collect, and maintain digital artifacts to preserve their reliability for admission as evidence. The book focuses on collection and preservation because these two phases of computer forensics are the most critical to evidence acceptance, but are not thoroughly covered in text or courses. Throughout the book, a constant eye is kept on evidence dynamics and the impact investigators can have on data integrity while collecting evidence. The simple act of a computer forensics investigator shutting down a suspect's computer changes the state of the computer as well as many of its files, so a good understanding of evidence dynamics is essential when doing computer forensics work. Broken up into five parts, Computer Forensics & Evidence Dynamics, Information Systems, Data Storage Systems & Media, Artifact Collection, and Archiving & Maintaining Evidence, the book places specific focus on how investigators and their tools are interacting with digital evidence. By reading and using this task-oriented guide, computer forensics investigators will be able to ensure case integrity during the most crucial phases of the computer forensics process.



Editorial Reviews

About the Author

Christopher L.T. Brown (Coronado, CA) is the founder and CTO of Technology Pathways LLC, a provider of computer security tools and services for the corporate IT, government, and legal communities. He has over 20 years of experience in computer security and holds numerous career certifications from UCSD, (ISC)2, Microsoft, CISCO, CompTIA, and CITRIX including a CISSP certification. He is an author of Building an Intranet with Windows NT 4 and Web Site Construction Kit for Windows NT and has spoken at numerous conferences around the globe on the subject of computer forensics.

Product Details

  • Paperback: 394 pages
  • Publisher: Charles River Media; 1 edition (October 3, 2005)
  • Language: English
  • ISBN-10: 1584504056
  • ISBN-13: 978-1584504054
  • Product Dimensions: 9.1 x 7.2 x 1.1 inches
  • Shipping Weight: 1.8 pounds
  • Amazon Best Sellers Rank: #1,453,082 in Books


 

Customer Reviews

4 Reviews
5 star: (2)
4 star: (2)
3 star: (0)
2 star: (0)
1 star: (0)
Most Helpful Customer Reviews

9 of 9 people found the following review helpful:
4.0 out of 5 stars Great resource, November 23, 2005
This review is from: Computer Evidence: Collection & Preservation (Networking & Security) (Paperback)
It seems that a lot of books on forensics concentrate on making a disk image of the hard drive being examined, filtering the information on the disk, and presenting it in proper format for court use. However, collecting and preserving the evidence is much more than imaging the hard disk. If the computer is still on, then evidence may be in memory; potential evidence may be on routers, proxy servers, etc. This book details this part of forensic evidence gathering, an area often just skimmed over in other computer forensics texts. This is a critical aspect of investigation because it does not matter how well your filtering works and how much evidence you obtain if your data preservation was not done correctly and the evidence is inadmissible in court.

Evidence dynamics is covered in detail and the author does a better job of this than any other forensics book I have read. Evidence dynamics is how to keep the evidence from disappearing or changing. Just the act of shutting down a computer changes temporary files, open processes, swap file information, and many other items that may be necessary for a thorough investigation. Even the appendixes are valuable and contain several excellent sample forms including chain of custody, evidence collection, and evidence access worksheets. If you are involved in either the collection or the maintenance of data for a potential court case then you will be interested in this book. Alternatively, if you are trying to discredit an expert witness then the information presented here may also provide areas of attack. Either way Computer Evidence Collection and Preservation is highly recommended.


5 of 5 people found the following review helpful:
5.0 out of 5 stars THE CSI OF COMPUTER EVIDENCE!!, June 11, 2006
Are you a law enforcement officer, system administrator, IT professional, legal professional or a computer forensics student? If you are, this book is for you! Author Christopher LT Brown has done an outstanding job of writing a great book by focusing on the first two phases of the computer forensics process: computer evidence collection and preservation.

Brown begins by introducing the reader to the essential elements of computer forensics. Next, the author discusses the rules of evidence, existing computer-related case law, and regulation as a basis of understanding the nature of computer evidence in court. Then, he provides information about evidence dynamics, which is defined as anything that affects evidence in any way. The author continues by presenting the key components to knowing where data can be found within an organization's infrastructure. In addition, the author shows you how an organization's information architecture can be as diverse as a city's streets. He also examines the volatility of digital data in physical memory and storage. Next, the author explains the key components of the IDE, SIDE, and SCSI standards as they pertain to evidence collection. Then, he describes advanced physical storage methods in use today. The author also examines some of the many types and formats of removable media including flash cards and optical media. In addition, the author next describes one of the most important components of any computer forensics investigation: tools preparation and documentation. He also shows you how volatile data can be difficult to capture in a forensically sound fashion. Next, the author describes how methodologies used in computer forensics can be as varied as the systems being imaged. Then, he shows you how the collection of evidence from large computer systems can be challenging to any investigator. The author continues by walking the reader through different design options to get the most out of their hardware configuration in the field and back in the lab. In addition, he shows you how today's computer evidence investigators rarely work from a single forensics workstation. Finally, he discusses areas for further study in computer forensics such as analysis and presentation of evidence in court.

This most excellent book uses evidence dynamics at the center of its approach to show the reader what forces act on data during evidence identification, collection and storage. What's most important, though, is that this book will help guide the computer forensics investigator in ensuring case integrity during the most crucial phases of the computer forensics process.


5 of 6 people found the following review helpful:
5.0 out of 5 stars The Most Comprehensive Book on the Subject, November 27, 2005
This is a timely book as we are hearing more and more about the U.S. military and intelligence agencies collecting the computers used by terrorists. This same trend is appearing in conventional law enforcement. The amount of information that can be stored on a computer is, of course, huge; also important is the transient: What web site is the computer viewing? What e-mail system is on-line? What can be gotten from the router being used?

This book goes into every aspect of getting forensics information off of a computer. It starts with examining the computer, if it is on, then extracting the information from places like temporary internet storage. Of course there's a lot that needs to be done with the hard drive, and if you can find backup disks, tapes or memory devices.

In addition, there are hardware and software tools that can be used to extract information from the system. A general coverage of these is given, along with sources. Some of these are included on the CD-ROM included with the book.

This book is intended for use in a legal environment, so there is discussion on maintaining the chain of evidence to ensure that it doesn't get thrown out of court. Should you be on the other side in a trial, this gives you something to ask of the investigators to be sure that they have followed the rules.

Basically this is the most complete, most thorough book on the subject written by one of the experts in the business.