Computer Evidence Collection and Preservation
It seems that a lot of books on forensics concentrate on making a disk image of the hard drive being examined, filtering the information on the disk, and presenting it in proper format for court use. However, collecting and preserving the evidence is much more than imaging the hard disk. If the computer is still on then evidence may be in memory, potential evidence may be on routers, proxy servers, etc. This book details this part of forensic evidence gathering, an area often just skimmed over in other computer forensics texts. This is a critical aspect of investigation because it does not matter how well your filtering works and how much evidence you obtain if your data preservation was not done correctly and the evidence is inadmissible in court.
Evidence dynamics is covered in detail and the author does a better job of this than any other forensics book I have read. Evidence dynamics is how to keep the evidence from disappearing or changing. Just the act of shutting down a computer changes temporary files, open processes, swap file information, and many other items that may be necessary for a thorough investigation. Even the appendixes are valuable and contain several excellent sample forms including chain of custody, evidence collection, and evidence access worksheets. If you are involved in either the collection or the maintenance of data for a potential court case then you will be interested in this book. Alternatively, if you are trying to discredit an expert witness then the information presented here may also provide areas of attack. Either way Computer Evidence Collection and Preservation is highly recommended.
Author: Christopher L. T. Brown
Publisher: Charles River Media, Inc.
10 Downer Avenue
Hingham, MA 02043
Copyright: 2006
ISBN: 1584504056
Pages: 330 plus appendixes and index