BKCYBFOR.RVW   20020319

"Cyber Forensics", Albert J. Marcella/Robert S. Greenfield, 2002,
0-8493-0955-7, U$49.95
%E   Albert J. Marcella
%E   Robert S. Greenfield
%C   823 Debra St, Livermore, CA 94550
%D   2002
%G   0-8493-0955-7
%I   Auerbach Publications
%O   U$49.95 +1-800-950-1216 auerbach@wgl.com orders@crcpress.com
%P   443 p.
%T   "Cyber Forensics: A Field Manual for Collecting, Examining, and
     Preserving Evidence of Computer Crimes"

The introduction to this book emphasizes the fact that this is a field
manual, designed for quick reference, and not a textbook for study.
Unfortunately, the authors seem to have taken this as licence to throw
in all manner of random text and documents, without much structure or
thought for the user.

Section one outlines the various aspects of cyber forensics, according
to the book's definition.  Chapter one is entitled "The Goal of the
Forensic Investigation," but the actual contents offer both more and
less than that.  The chapter starts with a few possible specific
investigations, and provides directions on initial questions to ask.
When the material moves to more general discussion of investigations,
it becomes vague, and loses utility.  Non-liturgical investigation (one
that is not expected to end up in court) is examined in chapter three,
even though the text admits that the procedure should be the same
whether you expect to end in court or not: just collect everything you
can.  The content is limited to Windows, and specifically to the use of
Internet Explorer.  Much the same, with a little additional material on
the Registry and event log, is done with liturgical investigations in
chapter three.  A repetition of the same information about Internet
Explorer cache and cookies is found in chapter four.  Chapter five
describes nmap, and its author, in some detail, and then lists a number
of other UNIX utilities.  The broadest possible interpretation of
intrusion investigation is discussed in chapter six, and, again, the
advice boils down to the importance of careful collection of all
possible information.  Chapter seven outlines rules of and
considerations for evidence in US courts of law.

Section two expands on this last chapter, looking at US (and supposedly
international) statutes.  Chapter eight examines US law regarding the
admissibility of evidence intercepted from communications or recovered
from seized computers.  Changes to the US National Information
Infrastructure Protection Act, and an editorial stating that cybercrime
is bad, are given in chapter nine.  The preamble to, and some questions
about, a draft of the Council of Europe Convention on Cybercrime, are
reproduced in chapter ten.  Chapter eleven contains random comments on
privacy.  US Presidential Decision Directive 63, calling for a plan for
protection of information infrastructure, and a speech justifying the
use of Carnivore are reprinted in chapter twelve.  Chapter thirteen
replicates an overview of US Public Law 106-229 on electronic
signatures (E-SIGN) as well as a number of other pieces relating to
electronic commerce.  Legal considerations in providing the electronic
systems mandated by the US government Paperwork Reduction Act are
discussed in chapter fourteen.  Speeches and comments on the US
government's attitude towards encryption are given in chapter fifteen.
Chapter sixteen looks at various pieces of US legislation related to
copyright.

Section three concerns tools for forensic investigation.  Chapter
seventeen discusses such tools in a very generic way, and then briefly
lists a number of specific programs.  There is a two page list of FBI
office phone numbers in chapter eighteen, which is supposed to guide
you in reporting Internet-related crime.  Chapter nineteen is a
simplistic four page list of questions to ask when conducting a
computer audit.

This is definitely not a field manual.  It offers almost no practical
advice on collecting evidence from computers: if the material in this
book is helpful to you, you have too little knowledge of the technology
to have any business being engaged in computer forensics.  The most
valuable part of the book involves the collection of documents
regarding US computer related legislation, but that would be of
interest only to American lawyers.  It would be difficult to recommend
this work to anyone else.  Even security personnel wanting a background
on US federal legislation might be advised to look elsewhere, since the
lack of structure and analysis in the book makes it very hard to read.

copyright Robert M. Slade, 2002