Jon Vogler reviews Forensic Computing: A Practitioner’s Guide by Tony Sammes and Brian Jenkinson, Springer, £29.50
Sherlock Holmes’s pride was to outline a stranger’s history and habits after passing him in the street.
Had he been able to examine the stranger’s computer, he would have boasted even more, for our PCs hold innumerable clues to our past and our lifestyle. Correspondence, finances, business affairs, hobbies, vices, secrets; they are all preserved, often in terrifying detail, on that tiny spinning disc. To the investigator, a suspect’s computer is a rich seam, from which potentially to extract most of the evidence needed – if he or she has the mining skills required. Yet a single thoughtless action, such as booting the computer under Windows just to “see what it may hold”, can in a few seconds convert the rich ore to dross that a judge will rule to be inadmissible.
Tony Sammes and Brian Jenkinson have set out to ‘provide the reader with a sufficient depth of technical understanding to search for, find and confidently present any form of digital document as admissible evidence in a court of law’. Forensic Computing: A Practitioner’s Guide is mainly concerned to explain the basic principles of the hardware and software used in personal computers. The first main chapter covers data, its different types, formats in which it can be displayed, and how it can be compressed and stored. The next explains how data is manipulated, by the partnership of processor and memory. The third describes, briefly, the parts of a typical PC, while the fourth delves, far more deeply (for some 80 pages), into the layout and operation of hard discs. Next come a mere 20 pages on seizing and forensically examining computers, followed by a similar discussion of what can be done with ‘electronic organisers’ which, because they have no hard disc and retain all data on some form of memory chip, pose special problems. The last chapter looks at future problems that forensic examiners may anticipate, such as huge hard discs, networked computers and encryption.
The book addresses a real and pressing need but fails to meet it for three reasons. First, because it skimps the most important topic, of examining a seized computer in a forensically acceptable manner. The most difficult task facing the investigator is to obtain a usable image of the computer’s hard disc; not just the file system but also the free space. The authors explain, in commendable detail, the principles of this, yet remain silent on the practice. The reason for this is, no doubt, because this is determined by which commercial imaging system is used, and because the vendors of such systems (for example DIBS or Vogon) provide detailed manuals with their products. However, before the time this book was published (2000) the whole market for imaging systems was turned upside down by the Cailfornian company Guidance Software, whose Encase product could be bought, separate from hardware, at a fraction of the price charged by the competition. Many UK police forces, attracted by the big cost savings, have switched to using Encase. The result is that their investigators receive far less hand-holding than formerly. Compensating for that is the task to which at least half this book should have been devoted; the detailed practicalities of which tool to use, what media to put the image on, how to set up an adequate computer (or rather network) for subsequent forensic analysis and how to understand data that may have originated from the Internet. Yet the book does not list any of the available systems in its index, let alone discuss the merits of whether to capture the image of a huge hard drive onto another stand-alone hard disc, a removable cartridge device or another computer.
The second problem is that, although most of the book is devoted to the principles of personal computers, too many commonly encountered issues are not addressed. This is a subject that needs not half a slim volume but two or three chunky tomes. These are available, from various authors and publishers, and their sales are so huge they can cover all the fringe topics and bring out an update every year or so. It would have been better if Forensic Computing had had that space reserved for its core subject, and pointed the reader to other, more substantial sources for their basic education about computers.
The third failure is a common one; of focusing too sharply on computers with Intel processors and Microsoft operating systems. While these may preponderate among home and small business users, most of the world’s big commerce, and most of the world’s Web pages, are hosted on machines from IBM and HP and Sun. Increasingly data originates from the Internet, not from local file systems, yet neither the Internet nor the Web is referred to in the index. The authors occasionally mention Linux, and even explain that servers should not be switched off abruptly, but as a minimum there should have been a chapter devoted to the non-Wintel world and another on how data is exchanged with the Internet. A recent survey of forensic imaging software, by the reputable magazine Secure Computing, found that dd was one of the most virtuous products available. dd is a standard utility program, that comes free with every UNIX or Linux operating system. Yet here it never even gets a mention.
Jon Vogler is a Chartered Engineer who has been an expert witness in 70 cases. He has frequently acted in criminal cases where the police have imaged a defendant’s computer. Tel 0113-2661885, Fax 0113-2370678, email jon@vogler.demon.co.uk, website www.vogler.co.uk.