Handbook of Computer Crime Investigation - Forensic Tools and Technology
Reference: Handbook of Computer Crime Investigation Forensic Tools and Technology, edited by Eoghan Casey, Academic Press: San Diego, CA, 2002, 448 pages, ISBN: 0121631036. $39.95.
This book is organized into a compendium of chapters written by qualified authors with some of the best experience in the field of computer crime investigations. The Introduction starts off with two examples of the importance of computerized evidence - one of an alleged serial killer, the other of convicted FBI mole Robert Hanssen. Forensic premises and basic categories of computer evidence are established: live versus dead systems; logical versus physical analysis; the dispersal of evidence over networks; the complications from encryption, data fragmentation, steganography, and anonymity; the importance of procedures and protocols. Unlike some other pontificators about computer investigations, this book recognizes that the term "forensic" puts us in the legal arena, and that there are too many aspects of this technology for one person to master them all.
Editor Eoghan Casey and other authors discuss crime reconstruction practices and explain the importance of terms familiar to those involved with forensics: comparison, source identity, and significant differences. Evidence dynamics and how evidence can be affected by the elements and various exposures are laid out for the reader.
An early chapter gives an excellent review of discovery law, concepts, and procedures. It breaks down into key phases: identification, preservation, filtering, and production. The author gives a sample list of key questions and wisely points out the importance of "casting the net widely" during the identification phase. Too often, the computers are not adequately taken into account in an investigation. Even if an investigator is not that "tech savvy", a good set of questions should help to define the universe of computer data relevant to the issue at hand. He points out that it can be useful to think of user-created computer files, and then system-created user files, which may or may not be known to the user.
The author anchors his analysis in the Federal Rules of Procedure and Evidence, which I believe is exactly right for many reasons. As part of that framework, he is able to explain how the risk of spoliation comes about with respect to electronic...