BKCMINFO.RVW   20030605

"Computer and Intrusion Forensics", George Mohay et al, 2003,
1-58053-369-8, U$79.00
%A   George Mohay
%A   Alison Anderson
%A   Byron Collie
%A   Olivier de Vel
%A   Rodney McKemmish
%C   685 Canton St., Norwood, MA 02062
%D   2003
%G   1-58053-369-8
%I   Artech House/Horizon
%O   U$79.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O   http://www.amazon.com/exec/obidos/ASIN/1580533698/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1580533698/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580533698/robsladesin03-20
%P   395 p.
%T   "Computer and Intrusion Forensics"

The traditional data recovery aspect of computer forensics has been covered by Kruse and Heiser in "Computer Forensics" (cf. BKCMPFRN.RVW), and by Caloyannides in "Computer Forensics and Privacy" (cf. BKCMFRPR.RVW) (and somewhat less ably by Casey [cf. BKCMCRIN.RVW], Kovacich and Boni [cf. BKHTCRIH.RVW], Icove, Seger, and VonStorch [cf. BKCMPCRM.RVW], Marcella and Greenfield [cf. BKCYBFOR.RVW], van Wyk and Forno [cf. BKINCRES.RVW], and Mandia and Prosise [cf. BKINCDRS.RVW]). So far network forensics has only been specifically dealt with in the not-terribly-useful "Hacker's Challenge," by Schiffman (cf. BKHKRCHL.RVW). "Computer and Intrusion Forensics" is the first attempt to bring both topics into a single book. (It is intriguing to note that Eugene Spafford, who wrote the foreword, is a pioneer of the "third leg": software forensics, which the book does not cover.)

Chapter one is an introduction to computer and network (intrusion) forensics, pointing out the ways that computers can be involved in the commission of crimes and the requirements for obtaining and preserving evidence in such cases. While the material provides a good foundation, the text is inflated in many places, and could benefit from stricter adherence to the topic and more focused writing.
(One illustration shows a pattern of concentric rings indicating that the set of productive activities encompasses all legal endeavours which, in turn, encompasses all approved actions. I suspect that a great many legal and even approved activities are unproductive--while no doubt a number of illegal activities would be approved, at times.)

"Current Practice," in chapter two, is a broad overview of the concerns, technologies, applications, procedures, and legislation bearing on digital evidence recovery from computers. In fact, this single chapter is the equivalent of, and sometimes superior to, a number of the computer forensics books mentioned above. However, the breadth of the discussion does come at the expense of depth. This content is quite suitable for the information security, or even legal, professional who needs to understand the field of computer forensics, but it does not have the detail that a practitioner may require.

Although chapter three is supposed to deal with computer forensics in law enforcement (and there is a brief section on the rules of evidence), it is primarily a reiteration (and some expansion) of the procedures for data recovery and the software tools available for this task. Forensic accounting, and the algorithms that can be used to detect fraud, are outlined in chapter four, but very little is directly relevant to computer forensics as such. Case studies, demonstrating the techniques discussed earlier and some that are not, are described in chapter five. Intrusion forensics, in chapter six, concentrates on intrusion detection systems (IDS), although it does not provide a very clear or complete explanation of the distinctions in data collection (host- or network-based) or analysis engines (rule, signature, anomaly, or statistical). Chapter seven finishes off the book with a list of computer forensic research which is being, or should be, undertaken.
While the computer forensic content is sound, and it is heartening to see other fields being included, the very limited work on network forensics is disappointing. This text is a useful reference for those needing background material on forensic technologies, but breaks no new ground.

copyright Robert M. Slade, 2003   BKCMINFO.RVW   20030605