From its step-by-step detail of the forensic process to its copious and helpful illustrations and screen shots to its unvarnished discussion of the tools in the marketplace, the second edition of Incident Response and Computer Forensics is, for my money, the most valuable resource any computer forensic examiner could have on their shelf. Many of the techniques and shortcuts detailed are "trade secrets" in that I've never seen them described in print. Unlike other forensic guides that assume the reader owns a costly forensic software suite, this book fairly splits its emphasis between Linux tools, shareware and the best software packages. That means the reader can begin the learning process at once, without investing anything more than their time and interest.
Another strength is that the book neither presupposes a too-high level of knowledge or experience nor dumbs down its content such that an expert wouldn't derive any value. There's something here for everyone who cares about computer forensics, from the neophyte to the grizzled veteran. When I paid $50.00 for this tome at a big box bookstore, I worried I was paying too much. Now, I'd think it cheap at twice the price.
As another reviewer pointed out, it doesn't devote a chapter to the law, but that is not to say that legal considerations are ignored. To the contrary, I think the authors do an excellent job of giving a useful "heads-up" where needed and not moving out of their depth.
I don't know these guys, but I'd sure like to shake their hands for a job well done! Thanks.
Craig Ball is an attorney and certified computer forensic examiner based in Montgomery, Texas, who teaches and consults with attorneys and the courts on matters of computer forensics and electronic discovery.