• Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Book Review - Computer Forensics : Incident Response

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> News // Columns // Articles

View previous topic :: View next topic  
Author Message
Forum Fanatic
Forum Fanatic

Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia


PostPosted: Tue Jan 06, 2004 1:26 am    Post subject: Book Review - Computer Forensics : Incident Response Reply with quote

Computer Forensics: Incident Response Essentials

Author: Warren G. Kruse & Jay G. Heiser.
Publisher: Addison-Wesley
Book Specifications: Soft-Cover, 398 Pages
Category: Computer Forensics and Incident Response
User Level: Good all around knowledge of computer security
Suggested Publisher Price: $44.99 USA/ $69.99 CAN/ £30.99 Net UK (inc of VAT)
ISBN: 0-20170-719-5
Amazon.co.uk: Computer Forensics: Incident Response Essentials UK
Amazon.com: Computer Forensics: Incident Response Essentials US

Info from Back: "Computer forensics, the newest branch of computer security, focuses on the aftermath of a computer security incident. The goal of computer forensics is to conduct a structured investigation to determine exactly what happened, who was responsible, and to perform the investigation in such a way that the results are useful in a criminal proceeding.

Written by two experts in digital investigation, Computer Forensics provides extensive information on how to handle the computer as evidence. Kruse and Heiser walk the reader through the complete forensics process—from the initial collection of evidence through the final report. Topics include an overview of the forensic relevance of encryption, the examination of digital evidence for clues, and the most effective way to present your evidence and conclusions in court. Unique forensic issues associated with both the Unix and the Windows NT/2000 operating systems are thoroughly covered."


As I have mentioned in another review computer forensics is a very interesting and highly technical area that I have long dabbled in, but had no firm baseline knowledge. After reviewing another computer forensics book my interest was piqued. Computer Forensics itself is a fairly pervasive area and covers all facets of computer security in some manner. In studying forensics you gain a great understanding of lower level technicalities such as the construction of file systems and the various places in which information can be hidden.

After reading a fair amount about forensics and having a little play with some freeware utilities such as F.I.R.E I feel a little more comfortable with the area, but well I'm still far from being an expert. I have also seen this book recommended in a few circles and I know that the authors are very well respected so even though it may be a little out of date the information should still be solid.

The book covers a good area within and around the area of digital forensics; it goes a little outside the focus of the book to give you a good understanding of the subject matter. It covers both Windows and Linux equally well referencing both commercial and open source forensics tools and resources. You don't really need a huge amount of expertise to get a lot out of this book, but you do need to be familiar with Linux, Windows, Networking and computer security in general. For the majority of regulars on the forum, you will be able to read the whole book without any further research.


The book is split into 13 chapters with no larger sections and no apparent organisation or flow, the chapters do have informal subsections which makes it easy to pick out relevant info. These are some of the more important/interesting chapters
  • Introduction to Computer Forensics.
  • Encryption and Forensics.
  • Your Electronic Toolkit.
  • Introduction to Unix for Forensic Examiners.
  • Introduction to the Criminal Justice System.
A full list of contents can be found HERE.

There is the normal preface with some good points for management if you want to sell the need for an Incident Response Team or at least some kind of training for your security staff. This leads on to a section outlining each of the chapters and a tidbit on how the book is intended to be read. The book then moves onto the introduction, which is a basic lead into computer forensics, data acquisition, chain of custody and analysis.

The book goes on to cover a lot of basics for anyone already familiar with computer security starting with network information such as Internet fundamentals, DNS, E-mail headers, Dial-up sessions, Usenet posts and a small section about IDS. This is followed by a chapter on hard drives and storage media, which outlines file systems, partition tables, operating systems, unallocated space and laptop drives.

The cryptography section covers a bit of everything and is a fair introduction to cryptography in computer security and it's relevance to forensics including steganography and NT Alternate Date Streams. Hostile code is covered in a non-technical manner with explanations of the various types and their purpose. The electronic toolkit section covers mostly commercial software unfortunately for the Windows platform. Some free tools are covered such as The Coroners Toolkit and ForensiX a powerful investigation system. The following chapter on Windows is beginner friendly using standard Windows tools such as find and regedit with some examples from Encase as well. The UNIX section is slightly more technical but still starts with a basic introduction to UNIX, users, permissions and so on. This section combined with a later chapter on investigating a UNIX host contains some great examples of how to use the standard UNIX tools to search for files, examine binaries and make forensically sound images. I would say chapter 11, the chapter on Investigating a UNIX host is by far the most useful and in-depth chapter in the book.

The book finishes with a good introduction to the criminal justice system and some great appendixes including a valuable section on Internet Data Incident Response Guidelines and a sample Incident Response Form.

Style and Detail

The layout and style of the book is fairly standard and easy to read if not at a little times rather dull. There are plenty of diagrams where needed and the odd few pictures of various bits of hardware along with the necessary screengrabs where software is being explained. I didn't find the book particularly easy to read, it seems to jump around a lot and the chapters in general don't seem to follow on from each other.

I would say the book could have done with being split into more chapters and perhaps following a more logical flow from chapter to chapter as the information contained in the book is good quality and useful.


This is a good book for beginners to computer forensics and incident response and gives some superb advice on handling evidence, which accentuates the experience of the authors in dealing with real cases and legal issues. There are some great tips on how to get the most out of UNIX tools during forensics examinations and how to make legally safe images.

If you are already fairly advanced in forensics or have some real world experience I don't think you would get much out of this book as it covers a lot of basics and doesn't really go into any deep technical detail.

I give it a good for starters SFDC 6/10

This review is copyright 2004 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.

Last edited by ShaolinTiger on Sun Jan 18, 2004 11:39 pm; edited 1 time in total
Back to top
View user's profile Send private message Visit poster's website
Trusted SF Member
Trusted SF Member

Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con


PostPosted: Tue Jan 06, 2004 7:54 pm    Post subject: Reply with quote

Co-incidentally I thumbed thru this in Watersones the other day and whilst initially looking good it took 30 secs to realise that it was all really basic and it was back on the shelf pronto.

Generous 6/10 imo.
Back to top
View user's profile Send private message Send e-mail

PostPosted: Wed Jan 07, 2004 12:57 pm    Post subject: Reply with quote

I have this book and I was a bit dissappointed by the amount of technical information. It is good read, but it doesn't really dig into the actual technical investigation.

I however learned something from it, so I'd rate it 7/10, but I'm not as seasoned as ST Wink Should do more of the honeypot forensics challenges..
Back to top
Just Arrived
Just Arrived

Joined: 02 Aug 2004
Posts: 2
Location: London, UK


PostPosted: Wed Aug 04, 2004 1:31 pm    Post subject: Reply with quote

I have this and would rate it 8/10 as it gives you a nice and basic look into it.

There is also an online bookshop that i use that sells this book for £12 if interested. Smile
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> News // Columns // Articles All times are GMT + 2 Hours
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register