I appreciate the feedback. Keep it coming.
Or how about a book just on email forensics? That is something we all deal with all the time.
Larry,
You have about 200 topics. To cover each topic well, you will need at least 3 - 4 pages per topic. You are looking at a 600 - 800 page book covering almost everything about computer forensics. Why don't you write just about the areas of forensics that you have intimate knowledge of and the most extensive experience in, the areas you really have something to say about to your potential readers?
Regards
That would be the criminal defense side of computer forensics, which hardly anyone is interested in besides me, I think. :-)
That is a good point. I am thinking hard on it.
Larry,
A few comments on the book idea.
1) It's way too broad.
2) Ditch section II completely. There are plenty of "getting started" books for small business owners. You also have bled over into section III, so that makes "running a forensics business" very long, and probably very dry for most people who aren't interested in running a business. I can appreciate that you are sharing a lot of experience in that arena, but you'll probably want to do it in a more concise manner that's more meaningful rather than a few hundred pages of every gotcha and concern. You'd probably be better off making that information a series of articles in a trade magazine, or blog posts. Heck, make that step one, to get exposure and then focus on your book.
3) Section III should be renamed. You aren't discussing consulting at all in that section. You're really discussing what it's like to be a forensic technician or expert that is called upon to perform a duty, and based on headings you are focusing on court preparation and the legal process.
Thoughts
What is missing in the field right now are books on being a computer forensics expert, or more generally how to take the collected information and make sense of it. These books exist in the real forensics field, books by Henry Lee for instance. There are two books (how to become a dangerous expert witness, and guide to forensic testimony) I refer to for general expert stuff but neither is specific to our industry. A good book would, in my opinion, include how to explain the difficult subjects, the problems you may run into, and the general depth of knowledge that people are actually seeking.
Read these boards and you'll see there's a CBK that's just missing from the industry. There are a lot of books that provide good technical information. There are many that don't do a good job at all.
Look at the pop-lit books and show me a single one that discusses in any detail the issues and differences in image acquisition - a fundamental process for anyone in the industry. For instance, why larger block sizes aren't always better, especially with the issues not too long ago regarding FTK Imager. Show me a book that details imaging from a SAN of any kind. Show me a book that details in great depth the issues of memory acquisition using various tools. This knowledge is assumed, but it obviously isn't there.
In addition, there is not one single book on the market that discusses the "science" of using these techniques and presenting the findings clearly and concisely. For instance, why can we not provide a strong enough case in many CP cases regarding the "knowledge of CP" in the browser cache? Sure, laws are poorly written, but we must deal with that.
> Look at the pop-lit books and show me a single one that discusses in any detail the issues and differences in image acquisition - a fundamental process for anyone in the industry. For instance, why larger block sizes aren't always better, especially with the issues not too long ago regarding FTK Imager. Show me a book that details imaging from a SAN of any kind. Show me a book that details in great depth the issues of memory acquisition using various tools. This knowledge is assumed, but it obviously isn't there.
You mention "issues" in a general sense, without really specifying what those issues are. I think that these are all a matter of perspective. For example, I haven't had any issues with block sizes, or with imaging from a SAN, or acquiring an image from a boot-from-SAN device.
As I'm currently doing my final rewrites on the memory analysis chapter for WFA 2/e, what are the "issues of memory acquisition using various tools"? I really haven't had any, nor have you or anyone else mentioned any such issues…at least, not that I'm aware of.
I don't really see this as a matter of knowledge being assumed…from my perspective, who's asking the questions? I'm simply not seeing the questions being asked. Therefore, since there's really no public discussion of these "issues", how does one write a book on any of them, addressing those "issues"? I would suggest that it can't be done…I could easily write a book on, say, various methods of image acquisition, and it's likely that it would not address any of your "issues".
> In addition, there is not one single book on the market that discusses the "science" of using these techniques and presenting the findings clearly and concisely. For instance, why can we not provide a strong enough case in many CP cases regarding the "knowledge of CP" in the browser cache? Sure, laws are poorly written, but we must deal with that.
Laws aside, I've assisted LEOs with this very issue - short story, you can't rely on browser cache alone.
I'd suggest that rather than saying "there needs to be a book that covers this…", let's first start by discussing the issues…you may get your answer that way.
Harlan and hogfly: both are excellent points. Heck, if I was going by number of questions posted, probably the most discussed issues here and at Computer Forensics World are:
How do I get into computer forensics?
What certs should I get?
How do I get into law enforcement, get a job, prepare a resume, etc. etc.
Is computer forensics right for me?
What school should I go to?
What's it like to work in computer forensics?
Will I have to testify in court?
What kind of jobs are there in computer forensics?
How can I start learning on my own?
Are there free tools I can use to get some hands on time on my own computers?
Other than that, what are the "issues" that are encountered that are not addressed somewhere that need to be covered in a book?
Although, I am starting to like the "So you want a career in digital forensics" book idea.
Harlan,
First let's not make this about me. Larry asked for feedback and I'm giving it.
Second, I said that I have not seen mention of SAN acquisitions, not that I need pointers on how to do it. Why did Wiebetech create a read only FCAL card? Because someone saw a need for it; it doesn't mean you or I need it. At one point in my career, sure I needed to answer that question, and I had to learn that in the field. Saving that pain would be a boon to a reader in my humble opinion.
Third, you and I are not representative samples of the industry. Just because you don't have an issue, doesn't mean others don't. Just because I have issues, doesn't mean others do. Just because I would like to see something, doesn't mean you want to see it. We are on many of the same lists and forums, but there are plenty that we are not both on. Like you said... it's a matter of perspective and Larry asked for that. I'd be happy to have a discussion with you about the points you raised, but not in this thread, because given our history of banter, it will likely hijack the thread.
> First let's not make this about me. Larry asked for feedback and I'm giving it.
I'm not. However, I am sincerely interested in the issues you've mentioned.
> Third, you and I are not representative samples of the industry. Just because you don't have an issue, doesn't mean others don't. Just because I have issues, doesn't mean others do.
Agreed, 100%. Which is why I'm so interested in the issues you mention. I'm sincerely interested, b/c it's likely that I - or someone else - may run across those issues in the near future, and it's good to be prepared.
> Just because I would like to see something, doesn't mean you want to see it. We are on many of the same lists and forums, but there are plenty that we are not both on. Like you said... it's a matter of perspective and Larry asked for that. I'd be happy to have a discussion with you about the points you raised, but not in this thread, because given our history of banter, it will likely hijack the thread.
All I'd like to know is more about the issues you mentioned. If you'd feel comfortable starting another thread, please do. I do think that others would benefit from an exchange, just as much as I would benefit from others' input into the thread.
Thanks.
No hijacking allowed! 😉
Hi Larry
There are a lot of technical books in the digital forensics field (well, a lot more than there were 10 years ago), but what we do not really have is books dealing with the "professional" side of digital forensics, for example:
Testifying
Report Writing
Ethics
Consulting
Lab Management (although the recent book by Jones and Valli is a start)
Quality Assurance
etc.
While I agree that there are general management and business type books out there that would cover similar topics, one thing that is a reality is that every industry has its own nuances and idiosyncrasies, and it would not necessarily be a bad thing to discuss these topics in a book, provided that they dealt with that issue in the context of a digital forensic environment.
In general the initial proposed outline is good, and I feel could appeal to a broad audience, including digital forensic examiners considering moving into the private sector, or digital forensic examiners considering starting their own business, or even people considering entering the field.
Jason Jordaan