Forensic Focus
Book review: "The Official EnCE EnCase Certified Examiner Study Guide"

Authors: Steve Bunting, EnCE, CCFT & William Wei, EnCE, CISSP
Publisher: Sybex
ISBN: 0-7821-4435-7
Reviewer: Jamie Morris
Order from: Amazon UK / Amazon US

Steve Bunting is the head of the police computer forensics unit in Delaware and, together with co-author William Wei, a computer crime detective in New Jersey, has written an outstanding book which should find a place on every computer forensic examiner's bookshelf - even the bookshelves of those who rarely, if ever, use EnCase as a forensic tool. This is a fairly thick book at 500-plus pages, and a quick flick through reveals that the text is satisfyingly dense and interspersed with a generous number of screenshots. This is certainly not one of those technology books which tries to impress by its sheer physical size but disappoints once opened to reveal a large font and too much white space!

Although the title bills this book as "The Official EnCE EnCase Certified Examiner Study Guide", there is a huge amount of information contained within which will be of use to both the experienced investigator and the keen student, regardless of their forensic tool of choice. Bunting starts with a concise yet remarkably clear and in-depth discussion of computer hardware in chapter 1. After covering a wide range of components he moves on to the boot process, then partitions and filesystems (in general). Even at this early stage it is clear that Bunting can write, and write well. In addition to the depth of knowledge he displays, his tone is engaging and he possesses a remarkable ability to describe somewhat complicated technical subject matter with great clarity. Each chapter ends with a summary and an overview of those aspects of the EnCE exam covered, together with a set of review questions (provided, along with many of the "real world scenario" sections, by co-author William Wei). The suggested answers for these questions are included directly afterwards - much better than having to find them at the back of the book!

A more in-depth discussion of filesystems takes up chapter 2, with the first real discussion of forensic procedures coming in the third chapter, "First Response". This reviewer was pleased to see "planning and preparation" given first priority in this section, an area sometimes overlooked by authors too keen to start with evidence handling procedures. In-depth coverage of EnCase proper begins in the fourth chapter with coverage of the different acquisition tools and methods (boot disks, DOS acquisitions, network acquisitions, FastBloc, etc.). Bunting's real-world experience shows, as it does throughout the book, and the coverage is comprehensive, with the pros and cons of each method discussed. The next chapter looks closely at the EnCase evidence file format and covers essential concepts such as verification and hashing.

Chapter 6 marks the start of the section of the book which will be of most use not only to those looking to pass the EnCE exam but to anyone using EnCase in a real world setting. This chapter looks at the EnCase environment and explains the form and function of the various EnCase window panes. Those coming to EnCase for the first time, or indeed those upgrading from an earlier version, will find this essential reading. Chapter 7 concentrates on understanding and searching for data, namely binary, hex, ASCII and Unicode. The next chapter covers file signature and hash analysis with a discussion of how EnCase utilises hash sets and hash libraries.

Chapter 9, "Windows Operating System Artifacts", covers a lot of ground and is one of the best explorations of Windows artifacts I have read. Starting with dates and times (and the need to adjust for time zone differences during an investigation) it goes on to cover the Recycle Bin, link files, cookies, temporary and history folders, the swap file, print spooling and more. Common ground for experienced investigators to be sure but covered in sufficient detail to warrant a read through for those practical tips which Bunting supplies in abundance. Those new to computer forensics will find a huge amount of very useful information here.

The final chapter - although not the last useful section of the book, see below for details of the appendix - covers "Advanced EnCase". Here we find information on locating and mounting partitions, registry analysis, use of EnScripts, email, the EnCase Decryption Suite and more. The appendix which follows this chapter contains details of a template created by Bunting - based on an earlier template from Roy Rector - which aims to help with the creation of presentation-quality web page reports. The methodology looks sound but as of the date of writing I have not followed the procedure in practice.

Does the book have any areas which could be improved upon? Overall the book achieves exactly what it sets out to do, but if I have one criticism it would be the number of examples included on the companion DVD. The DVD includes an EnCase demo with a number of evidence files which can be used when reading later chapters to give some practical hands-on experience, but further examples to accompany earlier chapters would be welcome. There are instances in those early chapters where practical exercises require use of EnCase, but a fully working version with accompanying dongle is required. No doubt the majority of readers will have access to licensed versions of EnCase in the workplace, but it is not always possible to maintain that access at home or while travelling, where I suspect many will use the book. Beyond that there are a very small number of typos, but they are far fewer than those often encountered in similar works. No doubt these will be picked up in future editions and they certainly do not detract from the book as a whole (in fact even mentioning them feels like nitpicking).

Overall, this is a book with a great deal of practical information which is also a genuine pleasure to read. Highly recommended.

For those interested in hearing Steve Bunting talk about this book he was recently interviewed for a Cyberspeak podcast which can be found here (and is well worth a listen):

http://cyberspeak.libsyn.com/index.php?post_id=90491#

Bunting also maintains his own website here which readers may be interested in:

http://128.175.24.251/forensics/

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2008 Forensic Focus