I have to preface this review by saying my criticism of this book should not be taken as criticism of the brave men and women who put their lives on the line fighting for our freedom in Southwest Asia (SWA). I'm reviewing the book "Digital Triage Forensics" (DTF), not the people who wrote it or the people who rely on the concepts therein.
DTF is a misleading, disappointing book. The subtitle is "processing the digital crime scene." The back cover says "the expert's model for investigating cyber crimes," and it claims "now corporations, law enforcement, and consultants can benefit from the unique perspectives of the experts who pioneered DTF." That sounds promising, right? It turns out that DTF is essentially a handbook for Weapon Intelligence Teams (WITs) who deploy to Iraq and Afghanistan to collect battlefield intelligence before and after Improvised Explosive Devices (IEDs) detonate! I cannot fathom why Syngress published this book, when the intended audience probably numbers in the dozens. Unless you need to learn the basics of how to collect cell phones and hard drive images to provide "actionable intelligence" to warfighters, you can avoid reading DTF.
I don't buy the argument that a book written for WIT members is going to apply to the civilian world. The authors make no apology for their claims that civilian operators have it easy, compared to the 5-10 minutes a WIT member has on the ground, perhaps under enemy fire or under the threat of enemy fire. If the authors wrote the book to say "here are lessons to use in your environment, based on what we learned in our environment," I could understand the argument. Instead, DTF says "here is the WIT environment, and here's how to operate within it -- WIT newbie."
If you're wondering how the DTF model compares to the Computer Forensic Field Triage Process Model (CFFTPM), I'll spare you the cost of buying the book: CFFTPM is Planning -> Triage -> Identification -> Collection -> Preservation -> Examination -> Analysis -> Report, whereas DTF is Planning -> Identification -> Collection -> Preservation -> Triage -> Examination -> Analysis -> Report. In DTF Triage is moved to a later phase because WIT members are physically at risk on the battlefield and don't have time for triage. As a book DTF also argues that it's important to extract actionable intelligence from evidence to support military actions within 12-72 hours, so sending everything to a central lab is likely to result in bottlenecks and missed opportunities.
From a quality point of view, DTF unfortunately exhibits some of the qualities found in older Syngress titles. Figure 1 on p. x includes memorable phrases like "forebasics prevending lab backlog" [sic] and "expbiatation attempts" [sic]. Oddly enough "cleaned up" versions of figure 1 appear later as figures 2-1 and 2-2, and again as figure 6-1.
There's no reason to read this book unless you are "volunteered" (the authors' term) to Fort Huachuca to join a WIT.