REVIEW: "Guide to Computer Forensics and Investigations", Bill Nelson et al

Discussion in 'Computer Security' started by Robert Michael Slade, Dec 16, 2005.

    BKGTCFAI.RVW 20050801

    "Guide to Computer Forensics and Investigations", Bill Nelson et al,
    2004, 0-619-13120-9
    %A Bill Nelson
    %A Amelia Phillips
    %A Frank Enfinger
    %A Chris Steuart
    %C 25 Thomson Place, Boston, MA 02210
    %D 2004
    %G 0-619-13120-9
    %I Thomson Learning Inc.
    %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
    %P 689 p. + CD-ROM
    %T "Guide to Computer Forensics and Investigations"

    The preface states that the book is intended for newcomers to computer
    forensics who have a basic background in computers and networking.
    There is mention of instructor material on the CD-ROM, but no other
    direction in regard to use as a course text.

    Chapter one purports to provide an overview of the computer forensics
    profession. It jumps, seemingly without structure, from topic to
    topic, never providing solid information about much of anything. The
    progress and process of computer investigations is the topic of
    chapter two, but the material ranges between the uselessly vague
    (brief mentions of important concepts such as chain of
    evidence/custody, with no discussion of why they are vital) and the
    uselessly specific (six pages of instruction on how to make a Windows
    98 system boot to DOS). The content also relies heavily upon the
    assumption that the reader will have a certain suite of commercial
    forensics tools from a particular company. (It also seems to feel
    that the reader will never need to examine systems other than DOS,
    Windows 98, FAT12, and floppy disks.) DOS and Windows file systems
    (including NTFS) are reviewed in chapter four, although the level of
    detail provided is very inconsistent (eight pages of information on
    DOS batch files, and only four pages to describe the entire NTFS disk
    structure). Illustrations are less than helpful, particularly in
    regard to labelling, and the use of terminology in non-standard ways
    can lead to confusion. (In this book, "file slack" refers to what is
    otherwise simply known as unused or unallocated space.) Basically,
    the material is simplistic and unlikely to be needed by most people
    with an intermediate level of computer knowledge, while at the same
    time being incomplete, and probably not of any assistance to someone
    actually looking at disk sectors. The material on Macintosh and Linux
    systems, in chapter four, is similar.

    Most of the material in chapter five, on a forensics lab and office,
    is generic advice on either computer requirements or forensics (but
    non-computer) labs. Chapter six lists an apparently random collection
    of forensics tools. Rules of evidence (American) and a brief
    description of one program for hash calculation are in chapter seven.
    Chapter eight talks about processing the crime scene: the text ranges
    from the vague (identifying the computer) to the bizarre (HAZMAT
    suits). Some of the aforementioned commercial programs used in data
    acquisition are outlined in chapter nine while the analytical tools
    are depicted in chapter ten.

    Chapter eleven, on email, does show how to read headers in more than
    one mail user agent program, and mentions the log files on a couple of
    mail servers. Some random notes on graphics files, and, as in the
    rest of the book, lots of verbiage for not much information, are in
    chapter twelve. The advice on preparing reports, in chapter thirteen,
    is banal and has little bearing on forensics. Chapter fourteen, on
    expert witness, does not deal with the requirements for establishing
    that status, nor the restrictions on opinion in some cases.

    As far as computer forensics goes, the foundation provided in this
    work is far from solid. It mentions the basic topics, but fails to
    provide much in the way of resources for proceeding with the
    profession. The material provided is excessively wordy, and the
    structure is often jumpy and unhelpful. Extensive sections have been
    added that will be of little use to anyone other than a computer
    novice, seemingly only in an attempt to pad the length of the book. I
    would have trouble recommending this text to any audience.

    copyright Robert M. Slade, 2005 BKGTCFAI.RVW 20050801


    "Robert Slade's Guide to Computer Viruses" 0-387-94663-2
    "Viruses Revealed" 0-07-213090-3
    "Software Forensics" 0-07-142804-6