Most Helpful Customer Reviews
41 of 43 people found the following review helpful:
3.0 out of 5 stars
For help with EnCase in book form, start here, October 9, 2006
I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WA. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.
In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried to not let those facts sway my reviews.
In terms of overall book value, ECF is the weakest of the three previously mentioned -- but it is the only book on EnCase. As such it is the one independent book which will help you understand the king of the commercial forensics world. I was particularly interested in using the accompanying DVD, which offered a demo version of EnCase. I did encounter the same limitations as mentioned in previous reviews, but I was able to at least perform most of the numbered exercises in the text. I thought the fairly crippled version of EnCase packaged with the book was a drawback, but I know Guidance Software is paranoid about even discussing their product outside of their training environment.
As far as covering EnCase goes, ECF is a pretty good book. I am an EnCase newbie, but I was able to follow most of the book's discussion of the product's interface. Since the lead author is a police officer, I also thought that perspective was valuable. His mindset appeared in the chapter where securing the crime scene was discussed. The inclusion of short case studies also kept the tone lively and relevant.
I had two major problems with ECF, hence the three star review. First, a book that includes a demo copy of EnCase and sample evidence files should use them throughout the text. When introducing EnCase's interface, use a sample evidence file from the DVD so the reader can follow along. While the book's exercises use the DVD evidence files, the textual explanation of the interface seldom do. That was frustrating. The authors should have either said "You need a fully license copy of EnCase to follow along" or they should have run all their examples as if they were a reader using the sample DVD. They would have learned you can't "Add Devices" using the DVD version and you can't save bookmarks -- argh.
The second major problem I found with ECF involved indications of technical misunderstandings and questionable vernacular. Examples follow. "BSD" is not "a Linux variant" (p 91). There is no such thing as "BSD Linux" (p 231). The authors' faith in MD5 should be positioned against research from the last few years. The "approved solution" for shutting down a Unix server ("synch; synch; halt") plus lack of non-Windows material made me question the relevance of the book to non-Windows platforms. On the language side, I didn't like reading about "NIC cards" (p 381) and "RAM memory" (p 381). These are the sorts of issues that make me wonder if I'm reading another book about "the Windows," thereby undermining my faith in ECF's recommendations.
On the operational forensics side, the book is strongly in the traditional "pull the plug, image the hard drive, grep for strings" camp. This model dominated host-centric forensics for decades, but it has been largely inadequate for the past 10 years. For example, there's nothing really useful on live analysis or memory forensics. NTFS is barely addressed, unlike FAT -- another sign of being somewhat backward. I think a second edition of this book would be a lot stronger -- and it would catch the error of using the word "Sudy" on the cover in place of "Study".
Still, because this is the only book on EnCase, it does share plenty of helpful suggestions on using that software. One possible use case for the book would be using it to apply EnCase to data provided on the DVD we ship with "Real Digital Forensics," looking for Windows artifacts described in WF, based on your understanding of hard drives from Brian Carrier's FSFA.
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
9 of 9 people found the following review helpful:
5.0 out of 5 stars
Highly recommended, June 29, 2006
Steve Bunting is the head of the police computer forensics unit in Delaware and, together with co-author William Wei, a computer crime detective in New Jersey, has written an outstanding book which should find a place on every computer forensic examiner's bookshelf - even the bookshelves of those who rarely, if ever, use EnCase as a forensic tool.
This is a fairly thick book at 500 plus pages and a quick flick through reveals that the text is satisfyingly dense and interspersed with a generous number of screenshots. This is certainly not one of those technology books which tries to impress by its sheer physical size but disappoints once opened to reveal a large font and too much white space!
Although the title bills this book as "The Official EnCE EnCase Certified Examiner Study Guide" there is a huge amount of information contained within which will be of use to both the experienced investigator and keen student regardless of their forensic tool of choice. Bunting starts with a concise yet remarkably clear and in depth discussion of computer hardware in chapter 1. After covering a wide range of components he moves on to the boot process, then partitions and filesystems (in general). Even at this early stage it is clear that Bunting can write, and write well. In addition to the depth of knowledge he displays his tone is engaging and he possesses a remarkable ability to describe somewhat complicated technical subject matter with great clarity. Each chapter ends with a summary and an overview of those aspects of the EnCE exam covered, together with a set of review questions (provided, along with many of the "real world scenario" sections, by co-author William Wei). The suggested answers for these questions are included directly afterwards - much better than having to find them at the back of the book!
A more in depth discussion of filesystems takes up chapter 2 with the first real discussion of forensic procedures coming in the third chapter, "First Response". This reviewer was pleased to see "planning and preparation" given first priority in this section, an area sometimes overlooked by authors too keen to start with evidence handling procedures. In depth coverage of EnCase proper begins in the fourth chapter with coverage of the different acquisition tools and methods (boot disks, DOS acquisitions, network acquisitions, FastBloc etc.) Bunting's real-world experience shows, as it does throughout the book, and the coverage is comprehensive with discussion of the pros and cons of each method being given. The next chapter looks closely at the EnCase evidence file format and covers essential concepts such as verification and hashing.
Chapter 6 marks the start of the section of the book which will be of most use not only to those looking to pass the EnCE exam but to anyone using EnCase in a real world setting. This chapter looks at the EnCase environment and explains the form and function of the various EnCase window panes. Those coming to EnCase for the first time, or indeed those upgrading from an earlier version, will find this essential reading. Chapter 7 concentrates on understanding and searching for data, namely binary, hex, ASCII and Unicode. The next chapter covers file signature and hash analysis with a discussion of how EnCase utilises hash sets and hash libraries.
Chapter 9, "Windows Operating System Artifacts", covers a lot of ground and is one of the best explorations of Windows artifacts I have read. Starting with dates and times (and the need to adjust for time zone differences during an investigation) it goes on to cover the Recycle Bin, link files, cookies, temporary and history folders, the swap file, print spooling and more. Common ground for experienced investigators to be sure but covered in sufficient detail to warrant a read through for those practical tips which Bunting supplies in abundance. Those new to computer forensics will find a huge amount of very useful information here.
The final chapter - although not the last useful section of the book, see below for details of the appendix - covers "Advanced EnCase". Here we find information on locating and mounting partitions, registry analysis, use of EnScripts, email, the EnCase Decryption Suite and more. The appendix which follows this chapter contains details of a template created by Bunting - based on an earlier template from Roy Rector - which aims to help with the creation of presentation-quality web page reports. The methodology looks sound but as of the date of writing I have not followed the procedure in practice.
Does the book have any areas which could be improved upon? Overall the book achieves exactly what it sets out to do but if I have one criticism it would be the number of examples included on the companion DVD. The DVD includes an EnCase demo with a number of evidence files which can be used when reading later chapters to give some practical hands on experience but further examples to accompany earlier chapters would be welcome. There are instances in those early chapters where practical exercises require use of EnCase but a fully working version with accompanying dongle is required. No doubt the majority of readers will have access to licensed versions of EnCase in the workplace but it is not always possible to maintain that access at home or while travelling where I suspect many will use the book. Beyond that there are a very small number of typos but they are far fewer than those often encountered in similar works. No doubt these will be picked up in future editions and they certainly do not detract from the book as a whole (in fact even mentioning them feels like nitpicking).
Overall, this is a book with a great deal of practical information which is also a genuine pleasure to read. Highly recommended.
www.forensicfocus.com
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
11 of 12 people found the following review helpful:
2.0 out of 5 stars
The DVD software is full of errors..., June 20, 2006
Bought the book some 3 weeks ago and had gone through the entire book.
The contents are good and beneficial, but the provided evaluation Encase version 5 is not working properly.
Many of the exercises stated in the book cannot be carried out because those necessary features needed are not activated in the provided software. But the book said the provided software is constructed for us to go through all the exercises in preparation for the Phase II practical test.
Wrote a complaint to the publisher and they acknowledged the errors in the software but then they do nothing to resolve it...I sort of feeling being cheated and it seems like it is a strategy they are using to force us to spend the huge sum of money to buy the commercial Encase software.
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
|
