Watson & Jones: Digital Forensics Processing and Procedures
I just got my hands on this volume … and I find that it's not a particularly quick or easy read, nor do I find the information I would like to find present in the index … but then I suspect it's more targeted towards management.
Has anyone any reasoned opinions on it?
What prompted me to get it was the 'Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practice Requirements' subtitle … but I'm beginning to regret it: all those appendixes, and the detailed description of possible evidence ("Printer: A method for printing hard copy images" … and 'order of volatility' including CPU registers, which is true, but not useful).
Yes I have this book and referred to it on a number of occasions. The description of the book on page XXI is fairly stated. Anyone can learn from the book (not only management), but it doesn't set out how specifically to perform a particular task. It is worth having a copy, but you will still need to develop your own specific written procedures.
All forensic acquisition of media from exhibits must be carried out using approved write blockers wherever possible…
What type of write blockers? Hardware write blockers can write to an evidence drive even without a command from a host. Also, hardware write blockers can block access to some sectors.
Consideration should be given, if a write blocker is not available, to using the Linux Dynamic Dump "dd" command as this can prevent writing to the device by default.
The "dd" command cannot prevent writing to a drive. It does not have such functionality.
Linux tools do not need a write blocker, as the disk can be mounted read only…
This is wrong. Again. In order to mount a file system read-only, you need to patch the kernel. Also, the mount process is not the only dangerous action performed by a Linux-based operating system (be sure to activate Linux LVM & Linux RAID volumes in the read-only mode too).
When talking about validation, be sure to mention the following topics: extracting firmware from a hardware device, extracting firmware from an update package, unpacking firmware, IDA Pro.
Section 188.8.131.52 describes a typical black-box testing approach. Do not rely on black-box tests only! Why? Read this short paper https://github.com/msuhanov/Linux-write-blocker/blob/master/research/2017-01_Write_blockers.pdf
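Since dd itself cannot stop writes and a read-only mount is not a guarantee either, the practical control is to verify: hash the source before and after acquisition and confirm the kernel's own read-only flag on the device. The script below is an added illustration, not from the book or from anyone in this thread; it assumes Linux with GNU coreutils and sysfs, and that the examiner has already set the device read-only with `blockdev --setro` (the flag it checks).

```shell
#!/bin/sh
# Added example: acquire a source with dd and prove, by hashing the source
# before and after, that the acquisition did not modify it. For a block
# device the kernel read-only flag (blockdev --setro) must already be set;
# a regular file is accepted so the workflow can be exercised on an image.
set -u

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 when the kernel marks the block device read-only, or when the
# source is a regular file (test image); 1 otherwise.
source_is_readonly() {
    src=$1
    if [ -b "$src" ]; then
        ro_file="/sys/class/block/$(basename "$src")/ro"
        [ -r "$ro_file" ] && [ "$(cat "$ro_file")" = "1" ]
    else
        [ -f "$src" ]
    fi
}

# acquire_verified SOURCE IMAGE LOG
# Writes IMAGE, appends the three hashes to LOG, and returns 0 only when the
# source hash is unchanged by the acquisition and matches the image.
acquire_verified() {
    src=$1; img=$2; log=$3
    source_is_readonly "$src" || { echo "refusing: $src is not read-only" >&2; return 2; }
    before=$(sha256_of "$src")
    # bs=512 matches the sector size, so conv=sync pads nothing on a device
    # whose size is a whole number of sectors; conv=noerror continues past
    # unreadable sectors instead of aborting the image.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 3
    after=$(sha256_of "$src")
    image=$(sha256_of "$img")
    printf 'source_before=%s\nsource_after=%s\nimage=%s\n' \
        "$before" "$after" "$image" >> "$log"
    [ "$before" = "$after" ] && [ "$before" = "$image" ]
}
```

A mismatch between `source_before` and `source_after` is the evidence that something wrote to the exhibit during acquisition, which is exactly what a write blocker is meant to rule out.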
I just wanted to draw attention to the following, from the Glossary, on page e4:
Browser: Short for Web Browser.
A software application used to locate and display Web pages.
The two most popular browsers are Netscape Navigator and Microsoft Internet Explorer.