As digital forensic practitioners, the proper collection of digital evidence in a forensic manner is second nature. In many cases, each of us has collected hundreds or even thousands of pieces of media and managed to keep intact the integrity of the evidence. As we know, the work of performing investigations is not held solely in law enforcement. Companies worldwide experience internal criminal activity that requires the collection of assets, digital or otherwise, in a sound manner. Ensuring the integrity of the evidence is arguably the most important part of the investigation process, yet companies are not typically equipped to handle investigative activity with fluidity, and certainly not with digital assets.
That’s where this book shines. As you read Robert B. Fried’s newest addition to the digital forensic community, Forensic Data Collections 2.0, the first thing you are met with is a forward from a world-class forensic scientist, Dr. Henry C. Lee. That level of analysis on your text speaks volumes to the importance and dedication to the community the author here displays. In the book’s consumable length of 80 pages, the author packs in what you need to know, with little irrelevant information. That is difficult to do with a topic like this and the author pulls it off.
We are introduced to the idea of electronically stored information (ESI) which has a slightly less law enforcement connotation to it and likely more palatable to those in the corporate environment. The detailed walk through the differences in ESI and how it may come to be in your environment will give the reader a foundation to grasp the importance of identification, preservation, collection and eventually (perhaps), presentation of the evidence or assets for court. You will be led through specific use cases of data collection while identifying the potential pitfalls or missteps to avoid.
With a focus on the corporate environment, the first sections of the text provide the reader with additional key aspects of computing and communication. The individual sections covering the most common areas of data storage and information exchange also highlight the roles of those who would be of assistance when seeking to collect ESI. The author, for example, calls out these roles in capitalized titles indicating their importance and likelihood they exist in your organization.
One of the things the author does well in the early sections of the book is to introduce elements of digital forensic functions that should be understood by the reader. These elements consist of the preservation, collection, documentation, and integrity of the ESI. With an eye towards the potential for legal action, the information presented should allow the uninitiated a solid baseline of knowledge in this area to speak to law enforcement in the case of criminal activity.
No text on data collections would be complete without some inclusion of computers 101. We are exposed to several media types, file types including a categorical listing and common email terminology. How is this data identified? What should be documented when you have identified it? Where does the reader go to locate these types of data, and whom do they contact? All of this information is provided to the reader with clear and concise direction. Numerous questions are listed that will serve as an engagement conversation with those key individuals outlined in the text.
Up until this point, the author has given the reader a road map of sorts. We are brought up to a common body of knowledge that will serve the readers well when a data collection in their environment occurs.
In the remaining sections of the book, the author follows a pattern in how the information is shared. This pattern should offer the reader a comfortable pace and at the same time, allow some readers to move ahead to areas of interest while not missing information from a previous chapter. Again, a smart addition to this text is in its layout: build common knowledge, address critical areas of interest, then break down the larger containers of ESI.
If one has spent time reading other texts or reports on how to manage a corporate data collection, the focus is largely on e-Discovery and the uniqueness of how that is led by the Legal team. The author here intentionally draws similarities in the collection efforts from the EDRM model found in use with E-Discovery teams. As e-Discovery is a data collection effort, it does not necessarily meet the same levels of focus on forensic methods of collection as this text refers. By identifying the similarities, the author has created a text that can be broadly shared at any given corporate entity.
With eight areas of focus at your fingertips, the reader can easily jump to the section they need to address. Each has numerous questions to start a conversation or simply copy and use in internal communications. It does not get much easier than this to get the help you need. I certainly appreciated the questionnaire sections of the text. Each of the eight focus areas has a list of questions to consider. Again, the author understands his audience well enough to know not everyone has time to read a full text to get the answers they need.
The last sections of the text challenge the reader with quizzes on the material. While many readers will not see the usefulness of a quiz, it does serve as a quick reminder of your knowledge gaps. Use the answer key (also provided) to locate the correct response!
The author has packed in a large amount of relevant and timely information in this short text. With the baseline technology knowledge, specific use cases and updated references, there should be no reason to purchase texts of a much larger length; this one will answer your questions and give you the questions you need to ask.
In summary, I would recommend this book to all readers who need a quick, down and dirty education on data collections in a corporate environment.
Nelson Eby has spent over 20 years in the digital forensics space, currently working for OpenText in their Security business. He spent 13 years with the FBI in the Computer Analysis Response Team (CART) training unit and the Richmond Field office, held forensic and insider threat roles for a Fortune 100 company and has several semesters of educating at the University level. He holds a Master’s degree in computer fraud investigation from George Washington University, is a certified computer examiner and has several industry standard certifications related to forensics and cyber security. Nelson is an avid road cyclist and enjoys talking bikes (or cars).