I am going back and forth with a publisher on a potential book. The publisher is of the mind that a technical book would have broad computer forensics market appeal.
I am of the opinion that a book that covers what the technical books do not would have an even broader appeal.
So, the question for you good posters is this:
What kind of computer forensic book are you looking for that is never to be found on amazon or in the book stores? If you could pick a book topic to be written just for you, what would it be?
I'd like to see a book on using high-interaction honeypots to practice intrusion analysis. It would appeal to not only the forensic crowd, but also people interested in hacking and security. Include a chapter or two on how to set up a honeynet, and then make the rest on the actual intrusion analysis. Probably focus on analyzing a Windows honeypot since most incidents involve Windows. You could also use only open source/freely available software so the readers wouldn't have to purchase Encase/FTK for it to be useful.
That is a good idea. However, I am looking to focus more on pure computer forensics rather than incident response or hacking issues.
I did have a list of book ideas, but after going through Amazon.com just now, I see that some of those I would like to see have already been recently published (now I am looking forward to a delivery from Amazon). The books I ordered this morning were all technical forensic books on specific topics, as there are just so many general 'computer forensics' books.
Personally, I like reading about as small a sub-topic as possible to avoid buying a book for only one chapter's worth of information that I am looking for. Diane Barrett is working on a book topic of Virtual Forensics (I will be buying that one too…).
If there was a book solely on Registry Forensics or Vista Forensics, I'd add them to my book order too. I don't see myself buying another generic computer forensic book.
Brett,
I brought up the idea of a book just on analyzing the Windows Registry prior to engaging in developing WFA 2/e, and my publisher shot it down. Looking back, I don't see where there would be enough material to justify an entire book.
As you like the small, focused topics, I will tell you that I am providing a number of small (10 page or less) PDF documents on the DVD that will ship with WFA 2/e, each addressing one topic in particular.
Finally, I'm like you…I'm kind of tired of books that take a broad brush to security or forensics and don't really answer any questions in particular. I'd rather have books or some other media that go through a fairly thorough treatment of a topic. To that end, once WFA 2/e is sent to publication, I'm considering pursuing something like that on my own, as I see the need for it.
I am in agreement on the broad brush problem. I recently bought the books on Linux forensics and Apple / iPod forensics as they focus on a specific area of forensics.
Hmm, now that makes me start thinking about some specific areas.
Of course the temptation too is to simply write, "Encase - The missing manual" lol
Larry,
One of the things I find in short supply is information regarding things like the basic concepts of why we do certain tasks, be they preservation or analysis, and different ways of approaching them. One aspect of this in particular is the lack of available open-source toolkits for Windows…Linux has PyFlag and TSK/PTK, but the Windows variants of either are still immature. I have gotten around this by mounting the acquired image as a read-only file system, but there are limitations to this approach.
Of course the temptation too is to simply write, "Encase - The missing manual" lol
Why not treat us to a few of your ideas to see if we like the concept??
Why not?
Here is a rough outline of what I have been thinking about. It may be too broad. Take a look and post your feedback.
Of course the formatting won't be very good, so bear with it on that.
Introduction
Section I – What is Digital Forensics
An overview of digital forensics
Post-Mortem Forensics – What this book is about.
Is digital forensics the right field for me?
Jobs in Digital Forensics
Qualifications
Getting started
Breaking into the field
Public Sector
Private Sector
Challenges facing the consultant
Legal issues
Technical issues
Section II - Starting a Digital Forensics Business
Self Assessment
Am I an entrepreneur?
Marketing
Analyzing the market
Segmenting the market
Potential clients
Competition
Determining market size
The 4 P’s of marketing.
Product
What are you selling?
Some suggested services.
Price
Setting fees
Packaging
Establishing a brand identity
Making services marketable
Promotion
Advertising
Networking
Selling
Legal
Insurance
Liability
Errors and Omissions
Contracts
Scope of Work
Deliverables
Security
Lab security
Storage
Planning for storage
Setting reasonable expectations
When not to take a case
Getting paid
Section III - Digital Forensics Consulting
What is forensics?
What is an expert?
Roles
Ethics
Admissibility of scientific evidence
The Frye Test
The Daubert Test
Understanding the adversarial system of justice in the US
How cases are argued.
Criminal – Beyond a reasonable doubt
Civil – Preponderance of evidence
Types of cases
Civil
What you can and can’t do
Undue burden
Criminal
Search warrants
Review of case law
Consent to search (voluntary searches)
How they police the file sharing networks.
Domestic and family
Discovery
How evidence is obtained
Criminal
Prosecution
Warrants
Voluntary Searches
Subpoenas
Defense
Discovery motions
Contraband Cases
Protective Orders
Access to evidence
Civil
Motions
Subpoenas
Spoliation
Challenges to discovery in civil cases
Undue burden
Privileged documents
Attorney client communications
Medical records
Proprietary information
Working as a consultant
Going beyond the technical
Working as part of the team
The pre-engagement interview
Dealing with clients
What clients need to know
Dealing with attorneys
What attorneys need to know
Getting paid
Estimating Fees
Retained
Setting the retainer
Non-refundable portion
Getting paid
Indigent
Know your indigent defense policies
Limits on funding
Getting funds
Getting paid
The importance of having a case law library
Where to find case law resources
Section IV - The Case File
Forms
Court order for funds
Case information sheet
The contract
Scope of work
Consent to search
Court orders
Non-disclosure agreements
Evidence intake documents
Inventory and chain of custody
Photographs
Device information
Make / Model / RTC
Time Accounting
Activity Log
Case notes
Discovery documents
Section V – Analyzing the Case.
Which side are you on?
Working as the primary expert
Working as the opposing expert
Approaching the case holistically
Establishing a framework for analysis
Reading discovery documents
What claims are being made?
What statements were made?
What facts support the claims, and which do not?
What clues can lead to a more thorough digital analysis?
Timelines
Preparing your report
Attorney work product
When to write a report
What to put in a report
Include layman’s explanations of technical terms.
Interim or draft reports
Structuring your report
Report Summary
Statement of facts
Detail of findings
Appendices
Internet History
Bookmarks
Pictures
Metadata
Technical output
Acquisition information
Hardware Information
Registry Information
Section VI – Challenging Digital Evidence
Facts + Context = Truth
Games people play
Common mistakes that open evidence to challenges
Files from unallocated space
Understanding MAC times
Who was at the keyboard?
Keyword results
Search results
Internet History
How internet browser caching works
Metadata
The Trojan horse defense
Section VII - Analyzing the Evidence.
Anatomy of a case
Standard operating procedures
Setting up the case on the analysis computer
Folder structure
Recover Folders
Hash Sets
Hash Analysis
Signature Analysis
Virus Analysis
Keyword lists
Indexing
Search terms
Metadata
Step by step process for evidence analysis
Using databases for evidence analysis
Section VIII – Going to Court
Qualifying as an expert
Preparing for court
What happens in court?
Testifying as an expert witness
Facts versus opinions
You on the witness stand
Demeanor
Body language
Never let them see you sweat
Examination of the digital forensics expert
Scripting the examination
Engaging the jury
Using clear language
Use analogies to explain technical concepts
Section IX – Definitions
Appendix A – Sample Forms
The books I enjoy are those that focus on as narrow a topic as possible without making me bang my head into the desk. As an example, Harlan's Windows Forensics, although it has varied topics in the book, really focuses on Windows. That's a nice and easy read.
A CF book that is too broad doesn't focus on any one topic. Restating and re-explaining the ins and outs of electronic evidence, the history of forensics and so forth is best left to college textbooks. I wouldn't expect to see many examiners working in the field purchase additional basic forensic books unless some earth-shattering new OS's appear that are completely different than what we have now.
It looks as if you may have a better book of "How to get into this field and what to expect", not necessarily "How to do forensics". That may not only be a bigger market, but you wouldn't be competing against the "how to do forensics" books.
And, a point well taken that was made earlier: many topics that I would love to see more detailed work on in their own publication may truly only have enough to fill a chapter or two, not an entire book in itself, or if in a single book, may not be a good seller.
And a disclaimer: my words can be taken with a grain of salt because I've not published a forensic book, I've only read one or two 😉