Handbook of Digital Forensics and Investigation [Paperback]

This book has become one of my three "go to" books when it comes to digital forensics along with Brian Carrier's File System Forensic Analysis and Harlan Carvey's Windows Forensic Analysis DVD Toolkit, Second Edition.

Don't skip Rob Lee's excellent forward to this book. Lee crafts a very concise explanation of how the digital forensics field is growing and evolving.

Eoghan Casey's introduction further expands on the theme with a very thoughtful analysis of the current state of digital forensics and how the scientific method can and should be applied to our field. In this section, Casey begins to bring out one of the primary themes of the first portion of the book which is that there are different aspects to digital forensics that can be summarized in the three main disciplines of traditional forensic analysis, electronic discovery and intrusion investigation.

The first part of the book (chapters two through four) is devoted to exploring the three disciplines by devoting a chapter to each one. These individual chapters are exemplary overviews of each of the disciplines.

Chapter two is one of the finest overviews that I've seen regarding digital forensics. Casey and Curtis Rose provide set what will be a persistent theme in the book which imparting technical information in a very approachable manner, but also in a relatively short amount of space. This chapter builds and expands on Casey's invocation of the scientific method and it's role in forensic analysis via a thorough explanation of forensic analysis that is well illustrated by a sample case scenario created by the authors to help explain their methodology.

Chapter three is a fantastic overview of e-discovery and coupled with chapter two provides an effective answer to the question of what the difference is between electronic discovery and forensic analysis. Chapter three shouldn't be dismissed as an overview, however. The authors put forth quite a bit of effort in explaining some tactical level issues such as how to properly interview an evidence custodian to determine the universe of data that might be relevant to a particular matter and how to use various tools to capture data.

Chapter four provides a detailed overview of intrusion investigations using the incident response life cycle. Similar to chapter three, this chapter not only provides an expert overview of the life cycle, but also provides the reader with tactical level advice such as the use of timeline analysis to assist a responder with an incident handling scenario. Like chapter two, the authors use investigative scenarios to illustrate their points.

The second half of the book is more tactical in nature and will have great appeal to both the experience practitioner and those who are merely curious about digital forensics. As in the first half of this book, the authors and their editor Casey, take great pains to make sometimes very technical information approachable to all audiences.

Chapter five is the section on Windows forensic analysis. Authors Ryan Pittman and David Shaver provide probably the most concise, yet effective overview of Windows forensic analysis that I've read recently especially given the fact that they have just a chapter in which to do their work. At the time the chapter was written, the authors had access to early versions of Windows 7 so the chapter spends a certain amount of time comparing and contrasting the differences between Windows XP compared to Vista\Windows 7. The authors also provide a very effective overview of traditional forensic artifacts such as $MFT artifacts and registry artifacts. While this chapter doesn't serve as a replacement for the Carrier and Carvey books, it's an examplary primer for those just starting in Windows forensic analysis and an excellent "cheat sheet" for more experienced practitioners. This is not to say that the authors are merely rehashing existing data. Far from it. Even an experienced examiner is likely to learn new information by reading their work. They, for example, put a lot of effort into explaining data destruction, file deletion and defragmentation. It's amazing how much content they managed to include in this chapter.

Chapter six continues on the theme of packing a lot of information into a short amount of space, but doing so in an approachable manner. This chapter on UNIX Forensic Analysis includes at it's beginning a very helpful explanation of the Unix and Linux worlds. Like chapter five the authors provide valuable information on the inner workings of file system forensic analysis as well as well as more application level artifacts such as Firefox browser analysis and chat analysis. A nice bonus is that this chapter also covers removable media analysis. Most work that I have seen in this area has been relative to Windows operating systems so it was good to see this content for a non-Windows operating system. The authors also spend quite a few pages on the examination of email artifacts which is also a welcome addition.

Anthony Kokocinski's Macintosh Forensic Analysis makes up Chapter seven. Given that this is a weakness in my individual skill set, I learned an incredible amount from this chapter. Kokocinski continues the overall theme of the book in that he presents his knowledge on the subject in a very approachable manner. Kokocinski also includes a detailed section on popular Mac applications such as Safari, iCal, Mail, etc.

Chapter eight is Ronald van der Knijff's amazing chapter on embedded system analysis. In a book this good, it's hard to pick a chapter that can be considered a highlight, but this chapter would be a top contender. It covers a wide area of devices from traditional technological tools such as cellphones and GPS systems to devices such as parking meters and pacemakers. The chapter provides a solid overview of the various technologies that comprise this wide range of devices, but also delves into tactical matters such as how to preserve and even repair damaged devices that might contain useful data.

Chapter nine is the excellent and extensive network investigation chapter. Like the previous chapters, this is a more tactical treatment of a subject that is introduce earlier in the book and is an excellent overview how to practically apply the themes introduced in chapter four. The chapter includes an overview of TCP/IP networking down that includes an explanation of the structure of an Ethernet frame and TCP/IP packet headers. The authors make extensive use of the Wireshark tool which makes it easy for a student of network investigations to emulate the work being done as part of their overall learning experience. The later portions of the chapter delve into the work of investigating networking technologies such as Cisco routers. The Cisco section includes an overview of how to use Cisco IOS to help facilitate a network investigation.

Chapter ten is an amazing chapter on mobile network investigations put together by Dario Forte and Andrea de Donno. As it's title suggestion, this isn't a chapter on the examination of digital communication devices such as cell phones, but how to understand and investigate the network environments in which they operate. The authors deal with such issues as determining the location of particular devices, what networking data might be available and the interception of data. As one would expect with a chapter such as this, the authors also cover legal issues with an emphasis on relevant EU legislation.

Full Disclosure: While I haven't had the privilege of meeting most of the authors of this excellent book, I'm honored to have connections with some of the authors including, but not limited to, being on a board with Rob Lee and Eoghan Casey.

I've probably read and reviewed a dozen or so good digital forensics books over the last decade, and I've written a few books on that topic or related ones. The Handbook of Digital Forensics and Investigation (HODFAI) is a solid technical overview of multiple digital forensics disciplines. This book will introduce the reader to a variety of topics and techniques that a modern investigator is likely to apply in the enterprise. Because the book is a collection of sections by multiple authors, some of the coverage is uneven. Nevertheless, I recommend HODFAI as a single volume introduction to modern digital forensics.

Eric Huber's review nicely summarized the book's contents. Rather than write another summary, I'd like to describe how I see readers using this book. There's not quite enough information here (due to the broad coverage) to give readers a detailed idea of how to apply each of the forensic disciplines in practice. I don't see any problem with this, because each subject gets enough attention to ground the reader. For the most part, readers can get a sense of what can be done, say with embedded system analysis (ch 8), and then look for specialized coverage elsewhere. I consider this approach to be HODFAI's strength, because a reader strong in one area (like Windows forensics) will read enough about other disciplines to better understand how to approach those problems.

I offered four stars instead of five to account for a general accumulation of minor issues as I read the text. For example, ch 5 on Windows forensics seem to be a string of "and another thing... and another thing..." material. It didn't seem very coherent to me. In ch 6, I didn't see the need to print 6 1/2 pages of fls output. Also, I felt that a book that addressed multiple related disciplines (Windows, Unix, Mac) forensics might have offered a single framework for all of the platforms. This would have made applying knowledge from one field easier to a related field. For example, those chapters might have used a framework for startup, key files, authentication and authorization, file system, network protocols, and so on. A compare-and-contrast approach is a really powerful way to communicate technical data, especially to newer readers.

Overall, I recommend reading HODFAI as an introduction to digital forensics. Readers could easily begin with this book, then progress to specialized volumes by authors like Harlan Carvey, Brian Carrier, or others by Eoghan Casey and colleagues. Readers who want to apply their knowledge to simulated evidence could read books like Real Digital Forensics by myself, Keith Jones, and Curtis Rose. Kudos to Eoghan Casey for producing another great resource for analysts!

This is not another "me too book" ! Each and every chapter will expose you to valuable tips and information from the 16 digital forensic experts who author this handbook. This handbook is clearly written, well edited, to the point and full of practical information based on real world situations. I increased my basic knowledge and awareness of Mac, mobile, linux and embedded systems that I never encounter in my day job. Highly recommended !