Watson & Jones: Digital Forensics Processing and Procedures
-
athulin - Senior Member
Watson & Jones: Digital Forensics Processing and Procedures
I just got my hands on this volume ... and I find that it's not a particularly quick or easy read, nor do I find the information I would like to find present in the index ... but then I suspect it's more targeted towards management.
Has anyone any reasoned opinions on it?
What prompted me to get it was the 'Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practice Requirements' subtitle ... but I'm beginning to regret it: all those appendixes, and the detailed description of possible evidence ("Printer: A method for printing hard copy images" ... and 'order of volatility' including CPU registers, which is true, but not useful).
-
trewmte - Senior Member
Re: Watson & Jones: Digital Forensics Processing and Procedu
Yes I have this book and referred to it on a number of occasions. The description of the book on page XXI is fairly stated. Anyone can learn from the book (not only management), but it doesn't set out how specifically to perform a particular task. It is worth having a copy, but you will still need to develop your own specific written procedures.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
-
thefuf - Senior Member
Re: Watson & Jones: Digital Forensics Processing and Procedu
Page 392:
> All forensic acquisition of media from exhibits must be carried out using approved write blockers wherever possible...

What type of write blockers? Hardware write blockers can write to an evidence drive even without a command from a host. Also, hardware write blockers can block access to some sectors.

Page 393:
> Consideration should be given, if a write blocker is not available to using the Linux Dynamic Dump "dd" command as this can prevent writing to the device by default.

Wrong.
The "dd" command cannot prevent writing to a drive. It does not have such functionality.

> Linux tools do not need a write blocker, as the disk can be mounted read only...

This is wrong. Again. In order to mount a file system read-only, you need to patch the kernel. Also, the mount process is not the only dangerous action performed by a Linux-based operating system (be sure to activate Linux LVM & Linux RAID volumes in the read-only mode too).
---
When talking about validation, be sure to mention the following topics: extracting firmware from a hardware device, extracting firmware from an update package, unpacking firmware, IDA Pro.
Page 280:
Section 7.5.5.6 describes a typical black-box testing approach. Do not rely on black-box tests only! Why? Read this short paper: github.com/msuhanov/Li...ockers.pdf
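An added example, not part of the thread or the book, illustrating the point made in the post above that `mount -o ro` is not a write blocker on a Linux acquisition host: the block device is flagged read-only in the kernel first, that flag is verified from sysfs rather than trusted, and only then is the file system mounted with journal replay disabled. It assumes util-linux `blockdev(8)`, a root shell, and that `SYSFS_ROOT` may be pointed at a constructed tree to exercise the checker without a real device.

```shell
#!/bin/sh
# Added example (not from the thread): kernel-level read-only gating before
# a Linux mount. Assumptions: blockdev(8) from util-linux, root, and an
# overridable SYSFS_ROOT so the checks can run against a constructed tree.

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# ro_flag DEV -> prints the kernel read-only flag (0 or 1) for a block device
# name such as sdb or sdb1. /sys/class/block/ lists both disks and partitions.
# Prints nothing and fails if the device does not exist.
ro_flag() {
    f="$SYSFS_ROOT/class/block/$1/ro"
    [ -r "$f" ] && cat "$f"
}

# is_ro DEV -> succeeds only when the kernel flag is set. This reads kernel
# state, not mount options, so it is the gate for everything below.
is_ro() {
    [ "$(ro_flag "$1")" = "1" ]
}

# block_and_mount DEV MOUNTPOINT -> sets the device read-only in the kernel,
# verifies it, then mounts. Refuses to mount if verification fails.
block_and_mount() {
    dev="$1"; mnt="$2"
    blockdev --setro "/dev/$dev" || return 1
    if ! is_ro "$dev"; then
        echo "refusing: /dev/$dev still writable according to sysfs" >&2
        return 1
    fi
    # LVM and MD volumes on the device must also be activated read-only
    # before any mount; that step is left to the operator, as the post notes.
    # For ext3/ext4, noload stops journal replay, which -o ro alone does not.
    mount -o ro,noload "/dev/$dev" "$mnt"
}
```

Run `block_and_mount sdb1 /mnt/evidence` as root; the function exits non-zero without mounting if the kernel flag could not be confirmed.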
-
benfindlay - Senior Member
Re: Watson & Jones: Digital Forensics Processing and Procedu
I just wanted to draw attention to the following, from the Glossary, on page e4:
> Browser Short for Web Browser.
> A software application used to locate and display Web pages.
> The two most popular browsers are Netscape Navigator and Microsoft Internet Explorer.

_________________
Ben Findlay. BSc (Hons) MSc PgCLTHE FHEA MBCS MCSFS MIScT MCIIS
Course Leader BSc Computer and Digital Forensics
Teesside University