Forensic Computing


Forensic Computing: A Practitioner's Guide by Tony Sammes and Brian Jenkinson
Second Edition, published by Springer, 2007, ISBN 978-1-84628-397-0
Price: €54.95 / $74.95 / £39.99

This book was the product of an "arms race" between organised crime and the forces of law and order. The first edition was produced to be a course book for use by the forensic computing law enforcement community - a Forensic Computing Foundation Course to cover the fundamentals of evidence recovery from mainly PC-based computers and their successful presentation before a court of law. Dr Tony Sammes is a distinguished academic at Cranfield University working in the emerging field of computer forensics. Brian Jenkinson is a retired detective inspector with close ties to Cranfield University.

For many years Cranfield has been training police officers and forensic examiners for the police and the security services. The first edition of this course book, published in 2000, used materials and sources that were contemporary at the time. This revised edition is supposed to have been brought up to date, and it is now listed as the standard text around which all the forensic computing courses at Cranfield, and at some other universities, are based. Unfortunately the revised book has some serious flaws.

Computing and computer security are very difficult subjects to write lucidly about. Partly this is because of jargon which is frequently ill-defined. But a great deal of the technology changes very rapidly, and a problem which concerned scientists in one decade is no longer a problem in the next. Take, for example, the issue of electromagnetic radiation. It used to be the case that, through the use of a suitable antenna and radio receiving equipment, it was possible to tune into a workstation and read the data being typed on it by picking up the electromagnetic radiation generated by the chips and sent to the CRT screen. In security circles during the 1990s this was a genuine concern, and military computer workstations were frequently housed within Faraday cages to protect against this kind of data broadcast. But by the late 1990s improved European Union electronic standards for building PCs and a change in technology (LCD screens) meant that today this is no longer a serious computer security concern. In its place have come concerns about unencrypted WiFi and Bluetooth - which can be far more serious.

This is the problem with this book. By trying to introduce the student to forensic computing through computers and similar devices from a different age, it serves only to confuse the keen student. It is like explaining the operation of a modern motor car using vehicles from 1900 (by which date almost all of the modern inventions - automatic transmission, automatic choke, power brakes and power steering - had been invented but not yet refined) rather than using a modern vehicle.

After a short introductory chapter (6 pages) the next two chapters, on "Understanding Information" and "IT Systems Concepts", have hardly changed from the first edition. This might not be a serious problem save for the fact that they attempt to cover, in 42 and 25 pages respectively, some of the most complicated topics for non-mathematical readers. I pity the poor police officer, keen to arrest paedophiles, who is thrown into trying to do hexadecimal maths. Yet close study of the material actually shows its age. The first table in Chapter Two does not only talk about bits and bytes but also includes terms such as "nibble" (half a byte), "word" (two bytes) and "double word" (four bytes). This material dates back to the early 1980s, to the days of punched cards and paper tape, when we were struggling to understand and define the technology and created jargon to mesmerise outsiders. Terms such as "nibble" are never used today; their inclusion in a foundation textbook only serves to confuse the reader, in the same way that a statement that radio waves are transmitted via the "ether" would confuse a modern science student. The chapter then loses itself in a very complicated debate on the topic of "little endian and big endian formats" which, although relevant in respect of binary chip design, is of little relevance or importance to a modern forensic computing analyst. This section dates back to a time when a forensic computing analyst would have to trawl through huge printouts of hexadecimal code from things like the console log of a computer system. It was necessary to know how to read such a log, since Intel used the "little endian" and Motorola the "big endian" format, and theoretically you needed to know that the same bytes meant something different on each. In practice it never mattered, because such analysis was always done with software tools which were pre-programmed to know which format each processor used and made the necessary conversions. No expert ever needed to descend to this level of understanding. So today, with computer systems manufactured in their millions and running huge amounts of operating system software and applications, this kind of issue is little more than a distraction and something which will never concern a forensic computing scientist.

Similarly, taking the student into the depths of the different floating point formats, binary coded decimal and packed binary coded decimal in the first part of an introductory chapter on "Understanding Information" is, in my view, a serious mistake. Instead the reader should be directed towards real examples of how information is stored and managed in a standard computer system, with the different formats addressed by references to standard computer science textbooks, which manage to explain concepts like "two's complement" to secondary school children.
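The conversions the review says forensic tools perform silently for the analyst (little and big endian byte order, two's complement, packed BCD and IEEE 754 single precision) are small enough to show in one place. The following Python is an added example written for this review page, not material from the book; the byte strings are constructed sample values, and each hand-written decoder is cross-checked against Python's own `int.from_bytes` and `struct` so a reader can see that the rules described in Chapter Two are exactly what the library does.

```python
import struct


def from_little_endian(raw: bytes) -> int:
    """Little endian: the least significant byte comes first (the Intel convention)."""
    value = 0
    for i, byte in enumerate(raw):
        value |= byte << (8 * i)
    return value


def from_big_endian(raw: bytes) -> int:
    """Big endian: the most significant byte comes first (the Motorola convention)."""
    value = 0
    for byte in raw:
        value = (value << 8) | byte
    return value


def twos_complement(raw: bytes, byteorder: str = "little") -> int:
    """Signed integer: if the top bit is set, the value is the unsigned value minus 2**bits."""
    bits = 8 * len(raw)
    unsigned = from_little_endian(raw) if byteorder == "little" else from_big_endian(raw)
    if unsigned & (1 << (bits - 1)):
        return unsigned - (1 << bits)
    return unsigned


def packed_bcd(raw: bytes) -> int:
    """Packed BCD: two decimal digits per byte, one in each nibble (high nibble first)."""
    value = 0
    for byte in raw:
        hi, lo = byte >> 4, byte & 0x0F
        if hi > 9 or lo > 9:
            raise ValueError(f"invalid BCD nibble in byte {byte:#04x}")
        value = value * 100 + hi * 10 + lo
    return value


def ieee754_binary32(raw: bytes) -> float:
    """Decode a big-endian IEEE 754 single: 1 sign bit, 8 exponent bits (bias 127), 23 fraction bits."""
    bits = from_big_endian(raw)
    sign = -1.0 if bits >> 31 else 1.0
    exponent = (bits >> 23) & 0xFF
    fraction = bits & 0x7FFFFF
    if exponent == 0xFF:                       # infinities and NaNs
        return sign * float("inf") if fraction == 0 else float("nan")
    if exponent == 0:                          # subnormal: no implicit leading 1, exponent fixed at -126
        return sign * fraction * 2.0 ** -149
    return sign * (1 + fraction / 2 ** 23) * 2.0 ** (exponent - 127)


if __name__ == "__main__":
    # Constructed sample: the same four bytes read under each byte order.
    sample = b"\x78\x56\x34\x12"
    print(f"little endian: {from_little_endian(sample):#010x}")   # 0x12345678
    print(f"big endian:    {from_big_endian(sample):#010x}")      # 0x78563412
    print("cross-check:", from_little_endian(sample) == int.from_bytes(sample, "little"))
    print("two's complement of ff ff:", twos_complement(b"\xff\xff"))           # -1
    print("packed BCD 20 07:", packed_bcd(b"\x20\x07"))                         # 2007
    print("float32 40 49 0f db:", ieee754_binary32(b"\x40\x49\x0f\xdb"))      # pi as a single
    print("cross-check:", ieee754_binary32(b"\x40\x49\x0f\xdb")
          == struct.unpack(">f", b"\x40\x49\x0f\xdb")[0])
```

The point of the cross-checks is the one the review makes: an analyst who trusts a tool is trusting that these few lines of arithmetic were implemented correctly, and a decoder that disagrees with the platform library on a known input is the first sign that it was not.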

The analysis of word processing formats shows its age - there is no mention of XML or the standards wars. What adds to the difficulty for the student is the fact that none of the material is put in a historical context. Dead ends, such as the Magic Numbers Group, where there has been no action since 1998, are still treated as live projects. And the issue of graphics formats has not been revisited since the lapse of the GIF patent in 2006. This is a pity, since the chapter contains some useful student questions at the end, whose answers can be found by careful analysis of the text.

Chapter 3 takes the student through the elements of conventional computer architecture and shows how low level programs and data are handled within a computer system. Unfortunately the description relates only to the most primitive computing systems - just the operation of extraordinarily low level code in the simplest of microprocessors. Without examples, this kind of text is very difficult for non-technical students to relate to. And all of it can be better expressed today by reference to video lectures (e.g. Richard Buckland, UNSW, on YouTube, twenty minutes in).

Chapter 4 finally gets inside the box of a personal computer. But unfortunately the box is from the 1990s. While it is a useful overview and an outline of the principal components, the modern forensic computing analyst will rarely need to concern himself with the matters set out in this chapter. Only at Chapter 5 does the book begin to deal with serious issues, namely the disk drives of a modern computer.

And here is where the real problems start. The task of a forensic analyst will be, in almost all cases, to examine and draw conclusions from the data held on computer disks. So the modern computer forensic analyst will need to:

  1. Identify what parts of a computer hold data in a permanent form
  2. Know how to "image copy" a computer system in such a way as to be able to create perfect cloned copies of the computer as it was seized
  3. Know how to dismantle a computer so that no part of the data is lost or altered
  4. Know how to, if possible, preserve the temporary data on a computer system prior to powering down the system
  5. Know how to read and analyse the data on any media taken from a computer (disk drive, floppy disk, USB stick etc)
  6. Fully understand how this computer interacts with the internet.

Chapter 5 explains how computer systems store data on computer disks. The explanations and the detail are directed at how these systems work - not at the tools which are used to forensically examine a computer disk. This chapter contains useful information on how the disk partitioning process operates, the bootstrap sequence and the importance of the disk ID serial number. But its lack of any mention of the specialist software tools renders it less useful than it might be, since modern hard disk systems contain such volumes of data that the only way in which they can be examined by forensic scientists is by using specialist software tools which automatically perform many of the operations alluded to - e.g. recovering deleted files by following a chain of undeleted clusters in the FAT.
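To show concretely what "following a chain of clusters in the FAT" means, and what a tool has to assume once a file has been deleted, here is an added example (Python written for this page, not the book's own material). It builds a constructed, miniature FAT16 volume with 16-byte clusters: a live file whose chain is intact, and a deleted file whose directory entry has been marked with 0xE5 and whose FAT entries have been zeroed, as deletion does. The live file is read by walking the chain; the deleted file can only be read by assuming its clusters were contiguous from the starting cluster still recorded in the directory entry, which is the standard recovery heuristic and fails for fragmented files. The function also reports whether any assumed cluster has since been reallocated, in which case the content is probably overwritten.

```python
import math
import struct

# Constructed toy geometry so the whole volume fits in a few lines.
# Real FAT volumes use 512-byte sectors and clusters from 512 B to 32 KiB.
BYTES_PER_CLUSTER = 16
FAT16_EOC = 0xFFF8      # any FAT entry >= 0xFFF8 marks the end of a chain
FAT16_FREE = 0x0000     # deleting a file zeroes its chain back to "free"
DELETED_MARK = 0xE5     # first byte of a deleted directory entry's name


def fat16_table(entries):
    """Pack a list of 16-bit FAT entries in little-endian byte order."""
    return b"".join(struct.pack("<H", e) for e in entries)


def dir_entry(name, first_cluster, size, attr=0x20):
    """Pack a 32-byte short-name directory entry.
    Offsets used: 0 name[11], 11 attributes, 26 first cluster (low word), 28 file size."""
    return struct.pack("<11sB14xHI", name, attr, first_cluster, size)


# Constructed volume: entries 0-1 are reserved; clusters 2->3 hold a live file;
# clusters 4-5 held a file that was deleted (its FAT entries are now 0); 6 is another file.
FAT = fat16_table([0xFFF8, 0xFFFF, 3, 0xFFFF, 0, 0, 0xFFFF, 0])
DATA = (b"LIVE FILE PART1." + b"LIVE FILE PART2."     # clusters 2, 3
        + b"DELETED NOTE 1.." + b"DELETED NOTE 2.."   # clusters 4, 5 (data not wiped)
        + b"OTHER FILE DATA.")                        # cluster 6
DIRECTORY = (dir_entry(b"NOTES   TXT", 2, 32)
             + dir_entry(b"\xe5ECRET  TXT", 4, 28))   # was SECRET.TXT before deletion


def parse_directory(raw):
    entries = []
    for off in range(0, len(raw), 32):
        name, attr, first, size = struct.unpack_from("<11sB14xHI", raw, off)
        entries.append({"name": name, "deleted": name[0] == DELETED_MARK,
                        "first_cluster": first, "size": size})
    return entries


def fat_entry(fat, cluster):
    return struct.unpack_from("<H", fat, cluster * 2)[0]


def follow_chain(fat, start):
    """Walk the FAT from `start`. Stops at end-of-chain, at a free (zeroed) entry,
    which is what a deleted file's chain looks like, or when a loop is detected."""
    chain, seen = [], set()
    cluster = start
    while cluster not in seen and 2 <= cluster < FAT16_EOC:
        chain.append(cluster)
        seen.add(cluster)
        cluster = fat_entry(fat, cluster)
        if cluster == FAT16_FREE:
            break
    return chain


def cluster_bytes(data, cluster):
    off = (cluster - 2) * BYTES_PER_CLUSTER      # data-area cluster numbering starts at 2
    return data[off:off + BYTES_PER_CLUSTER]


def recover(entry, fat, data):
    """Live file: follow the FAT chain. Deleted (or broken) file: assume the
    clusters were contiguous from the first cluster and note any that have been
    reallocated since, because their content has then probably been overwritten."""
    first = entry["first_cluster"]
    needed = math.ceil(entry["size"] / BYTES_PER_CLUSTER)
    chain = follow_chain(fat, first)
    if entry["deleted"] or len(chain) < needed:
        chain = list(range(first, first + needed))
        reused = [c for c in chain if fat_entry(fat, c) != FAT16_FREE]
        method = "contiguous-assumption"
    else:
        reused, method = [], "fat-chain"
    content = b"".join(cluster_bytes(data, c) for c in chain)
    return {"content": content[:entry["size"]], "method": method, "reused_clusters": reused}


if __name__ == "__main__":
    for entry in parse_directory(DIRECTORY):
        result = recover(entry, FAT, DATA)
        print(entry["name"], "deleted" if entry["deleted"] else "live", result)
```

The deleted entry still carries its first cluster and size, which is why recovery is possible at all; what it no longer carries is the chain, so a tool is silently guessing contiguity. That guess is the kind of hidden assumption the review wants a court-facing analyst to be able to state.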

Chapter 6 deals with the modern NTFS file system, used by Microsoft since the mid-1990s and now found in all modern Windows PCs. This chapter is likely to become the core reading for any forensic analyst. It is well structured but difficult reading. The problem is that the authors have, extraordinarily, had to discover the operation of NTFS not by reference to comprehensive formal Microsoft documentation but by a series of experiments. Since the development of NTFS is continuing, and facilities were built into it to enable Microsoft developers to change the way it works in future, all we have is a snapshot of a series of experiments on how one implementation of NTFS worked on a Windows XP system. The assumption is that NTFS works in the same way in a Windows Vista system and will work in the same way in a Windows 7 system when that is released. But this may not necessarily be true.

Chapter 7 is an intelligent chapter on how digital evidence should be seized, secured, preserved and interpreted. It is filled with good practical advice and is especially good on interpreting partition tables.
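Interpreting a partition table is the one place where the chapter's material on the disk ID and the bootstrap sequence (Chapter 5) comes together with the practical advice in Chapter 7. The Python below is an added example for this page, not the book's code: it constructs a 512-byte master boot record, parses the four-byte disk signature at offset 0x1B8 and the four 16-byte partition entries at 0x1BE (status, CHS start, type, CHS end, then little-endian LBA start and sector count), checks the 0x55AA signature, and then does the two checks an examiner actually wants from a table: which sectors belong to no partition (unallocated space that must still be imaged and examined) and whether any entries overlap (a sign of a damaged or hand-edited table). The disk signature, partition types and sizes are constructed values.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
DISK_ID_OFFSET = 0x1B8       # 4-byte NT disk signature ("disk ID")
TABLE_OFFSET = 0x1BE         # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def partition_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte entry; CHS fields are left zero, as modern tables use LBA only."""
    return struct.pack(ENTRY_FMT, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00",
                       lba_start, sectors)


# Constructed MBR: disk ID 0x1234ABCD, a bootable type-0x07 (NTFS/HPFS) partition and a
# type-0x0C (FAT32 LBA) partition; the last two entries are empty.
SAMPLE_MBR = (bytes(DISK_ID_OFFSET)                      # boot code area, zeroed here
              + struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
              + partition_entry(0x80, 0x07, 2048, 204800)
              + partition_entry(0x00, 0x0C, 206848, 102400)
              + bytes(32)
              + MBR_SIGNATURE)
TOTAL_SECTORS = 409600       # constructed disk size (200 MiB of 512-byte sectors)


def parse_mbr(raw):
    """Return (disk_id, partitions). Raises if the sector is not a plausible MBR."""
    if len(raw) != SECTOR or raw[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    disk_id = struct.unpack_from("<I", raw, DISK_ID_OFFSET)[0]
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, raw, TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:          # unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "lba_end": lba + count - 1})
    return disk_id, parts


def find_unallocated(parts, total_sectors):
    """(start, length) ranges covered by no partition; sector 0 (the MBR) is excluded."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - cursor))
        cursor = max(cursor, p["lba_end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def find_overlaps(parts):
    """Pairs of entry indexes whose sector ranges intersect."""
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    return [(a["index"], b["index"])
            for i, a in enumerate(ordered) for b in ordered[i + 1:]
            if b["lba_start"] <= a["lba_end"]]


if __name__ == "__main__":
    disk_id, parts = parse_mbr(SAMPLE_MBR)
    print(f"disk ID: {disk_id:#010x}")
    for p in parts:
        print(f"entry {p['index']}: type {p['type']:#04x} bootable={p['bootable']} "
              f"LBA {p['lba_start']}-{p['lba_end']} ({p['sectors']} sectors)")
    print("unallocated:", find_unallocated(parts, TOTAL_SECTORS))
    print("overlaps:", find_overlaps(parts))
```

The unallocated ranges are worth stating in a report in their own right: the 2047 sectors before the first partition and the tail of the disk are exactly the regions a file-system-level tool never shows.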

Chapter 8 deals with the treatment of electronic organisers or PDAs. This category of device, in practice, has been replaced by the smart phone (e.g. the Apple iPhone) and it is a pity that there is no information on how information held on mobile phones should be forensically examined. Inferences can be drawn on how a mobile phone should be forensically examined but this is a clear and serious omission.

Chapter 9 points to the problems which forensic computing experts are encountering as computer technology develops. The authors are frankly nervous and do not offer a solution to the problems which are arising from the huge increase in storage capacity. It is no longer practical or sensible to attempt to study digital media without the use of specialist tools, since the volume of data is just too large and cannot be successfully interpreted without such help. But there is no register or accreditation of such tools, and the fact that the authors have had to divine the operation of NTFS by experiment rather than by reference to definitive materials strongly suggests that this is a problem which is not going to go away. A further problem arises from the legal and ethical issues of imaging very large disks. The situation has leapt into the news recently with the attempt by forensic expert Jim Bates to get 87 hard disks containing legally privileged material back from Avon and Somerset police.

There is a ten page bibliography, 80 pages of appendices and a 19 page glossary.

All in all this is a useful but dated guide to the discipline. But it needs to be dematerialised into an eBook and then developed as a Wiki for use by registered (and security cleared) forensic computing practitioners. Only then will it be possible for the text to be updated with contemporary materials, with active links to definitive documentation. I find it shocking that the authors have not been given access to definitive documents from Microsoft regarding the exact operation of the NTFS and are having to write their text on the basis of experiments rather than specifications. I find it of great concern that there is no testing and certification procedure for forensic tools which are now used on a daily basis in presenting evidence in the courtroom in child pornography cases.

The new challenges for forensic computing experts are coming from "cloud computing" and the integration of location services into mobile systems and daemons. Cloud computing means that vast data storage is moving out of the beige boxes and into offshore data centres connected over the internet. Location services mean that mobile phone cell site analysis is an important part of many cases, since everyone has a mobile phone and this provides tracking data. Modern shop tills contain accurate digital clocks, so even the simplest paper receipt can provide location evidence to convict or acquit an accused. Daemons, automated programs running on zombie computers, are responsible for the tsunami of spam and malware plaguing internet users worldwide, as well as the automated call services we all know and hate. At current growth rates, they will be the majority users of the internet by next year. Truly the forensic computing expert is living in interesting times.