As its title states and its text frequently repeats, this book’s concern is to help an investigator link the suspect(s) in a computer crime or civil violation to the machine(s) believed to have been used in committing it well enough to make a case. The author readily acknowledges the difficulties in identifying each side of the link. Machine identities can be spoofed, their records of the offending acts buried in copious data or altered, and their systems and storage obliterated, encrypted, or virtualized out of reach. On the other side, without a suspect’s confession, a witness, or a video that places her behind the keyboard at the time of the offense, denials can be plausible; for example, perhaps a remote or unauthorized user did it. While each case may have its own set of challenges, the book reviews techniques and tools for meeting those likely to arise at each procedural step and guides the investigator in choosing among them.
It begins on the digital forensics side by discussing how to capture a suspected machine’s image, in its current state, with minimum risk of losing such evidence due to data volatility. The investigative side opens with a sample interview that addresses the suspect’s and others’ access to the machine, her technical capabilities, and her activities that might strengthen suspicions, for example, “Have you ever made ID cards?” It then includes capsule descriptions of procedures in technical and physical investigations, advice on combining evidence, and tips on managing cases and making effective presentations at hearings and trials. A later chapter discusses trends that will make implicating the suspect easier, for example, ubiquitous surveillance systems, and harder, for example, encryption, mobile computing, and hot spots. Another chapter praises the Internet as a search tool for many purposes: it might help, for example, to find the real name and address of an otherwise anonymous suspect by matching user names across sites. The final chapter presents short descriptions of investigations of different types of cybercrimes and the apprehensions of their perpetrators.
The knowledge of the technologies and investigative procedures is broad, solid, and current. The claims are realistic and modest: not every case will or can be solved, and the investigator would do well to focus on the more promising ones. Consequently, the book makes a useful text for an introductory or refresher course in the investigation of cyber crimes, particularly small to mid-scale ones, that is, those with a single victim or a few victims and a few suspects.
Even after the Snowden revelations, a more general reader leaves the book impressed by the array of tools it presents that can support the investigations, some available only to the forensic community. These include meta-crawlers able to simultaneously search scores of social networking sites for user names of suspects (with the aim of gaining more information on them) and Google’s “bedspread detector,” which can link a photo with a particular element, like a bedspread, to other photos with the same element, but with possibly additional content indicating location, time, and people. This detector was used to identify victims and offenders in a child pornography ring.
Nevertheless, there are some caveats regarding the book’s picture of digital forensics and investigations. First, while it does not claim that authorities can legally deploy all of the search and surveillance procedures it describes, it does not discuss the rights of suspects in the criminal justice system. Recent US court rulings, however, provide a more balanced approach: the Supreme Court unanimously ruled that a search of an arrestee’s cellphone requires a warrant, and an appeals court ruled that the government could not indefinitely retain, and use as evidence for another crime, computer files not covered by the scope of the warrant [1]. Second, with its focus on small-scale cyber crime, the digital forensics discussion elides the very labor-intensive, team-dependent network tracing and machine monitoring involved in efforts to find the perpetrators of large-scale or long-term cyber crimes, for example, the credit card thefts at Target and Home Depot, and industrial espionage. Such labors are apparent in a 2013 report on a team of hackers associated with China’s military (the People’s Liberation Army, PLA) [2], and are discussed in several textbooks [3], but the procedures described in the present text do not scale to them. Third, although it is noted that multiple authorities might have claims on an investigation, there are no suggestions of how investigators might approach an international cyber crime, particularly when victims and suspected perpetrators are in different countries that do not share a framework for the needed cooperation [4].