Major Error in Computer Forensics Infosec Pro Guide

I'm trying to find a good computer forensics textbook, and I like the way this one is written:

"Computer Forensics Infosec Pro Guide" by David Cowen

Publisher: McGraw-Hill Osborne Media; 1 edition (March 13, 2013)
Sold by: Amazon Digital Services, Inc.

However, it contains a serious technical error, as shown below:

While it is of course true that data remains on a hard drive after a file is deleted, there are no residual bytes from the previous file in a 512-byte sector that is re-used.

The residual data the author is describing resides in unused sectors within a cluster that is partially filled with new data.

The data that remains in the same cluster is not from previous files at all, but from the RAM of the computer that saved the new file. This data is called RAM slack and it's always zeroes for modern operating systems, as far as I know.

This is the whole point of this hands-on project I give my forensic students:

In this project, students fill a hard drive partition with large files containing SPAM, reformat the drive, and fill it again with small files containing EGGS.

Here is the result, showing the three types of data on the disk.
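As an added illustration (not code from the original post or the book), here is a small Python model of the SPAM/EGGS project: a toy disk with 512-byte sectors and 8-sector clusters is filled with SPAM, quick-formatted, and then given a 1000-byte EGGS file, and a sector-by-sector report shows where each of the three kinds of data ends up. The disk model, cluster size and file sizes are constructed assumptions, not measurements from a real drive.

```python
SECTOR = 512                     # bytes per sector
SPC = 8                          # sectors per cluster (4 KiB clusters, assumed)
CLUSTER = SECTOR * SPC

class Disk:
    """Toy block device with a cluster allocation map (constructed model)."""
    def __init__(self, clusters):
        self.buf = bytearray(clusters * CLUSTER)   # factory-fresh: all zeros
        self.allocated = set()

    def write_file(self, data, first_cluster):
        """Write data cluster by cluster the way a file system does: full sectors
        get file bytes, the final partial sector is padded to 512 bytes with
        zeros (RAM slack), and sectors left over in the last cluster are not
        touched at all (file slack keeps whatever was there before)."""
        for i in range(0, len(data), CLUSTER):
            chunk = data[i:i + CLUSTER]
            used = -(-len(chunk) // SECTOR) * SECTOR     # round up to whole sectors
            cluster = first_cluster + i // CLUSTER
            off = cluster * CLUSTER
            self.buf[off:off + used] = chunk.ljust(used, b"\x00")
            self.allocated.add(cluster)

    def quick_format(self):
        """A reformat only discards the allocation map; no sector is rewritten."""
        self.allocated.clear()

    def sector(self, c, s):
        off = c * CLUSTER + s * SECTOR
        return bytes(self.buf[off:off + SECTOR])

def classify(disk, c, s):
    """Name what an examiner sees in one sector."""
    body = disk.sector(c, s).rstrip(b"\x00")
    where = "allocated" if c in disk.allocated else "unallocated"
    if not body:
        return "zeros"
    if b"EGGS" in body:
        return "EGGS" if len(body) == SECTOR else "EGGS + zero padding (RAM slack)"
    if b"SPAM" in body:
        return f"SPAM in {where} cluster" + (" (file slack)" if where == "allocated" else "")
    return "unknown"

def run_spam_eggs_project():
    disk = Disk(clusters=4)
    disk.write_file(b"SPAM" * (4 * CLUSTER // 4), first_cluster=0)  # fill the partition
    disk.quick_format()
    disk.write_file(b"EGGS" * 250, first_cluster=0)                 # 1000-byte file
    return disk, [(c, s, classify(disk, c, s)) for c in range(4) for s in range(SPC)]

if __name__ == "__main__":
    for c, s, what in run_spam_eggs_project()[1]:
        print(f"cluster {c} sector {s}: {what}")
```

The second sector of cluster 0 is the re-used sector: it holds EGGS followed by zeros and not a single byte of SPAM, while SPAM survives only in the untouched sectors of that cluster and in the unallocated clusters.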

I plan to use the book anyway, because I can add the technical accuracy to my class through the projects, and my previous textbook made the same error.

Anyway, the fundamental rule for all computer forensics is:
You cannot go to court and say "I know this because I read it in a book, or my illustrious teacher said so." You must be able to say "I know this is true, because I tested it myself."

Every book, every tool, and every teacher makes mistakes. You don't really know anything for sure until you test it yourself, hands-on.

Author's Response

I notified the author via Twitter to @HECFBlog and within a day, he agreed with me and added his own version of the correction to his page:

I appreciate the prompt and sensible response!

Minor Errors

Ch 4

Loc. 1504:
"National Center for Missing and Exploit Children" should be "National Center for Missing and Exploited Children"

Loc. 1537:
The book confuses TypedURLs and Index.dat, saying:
"...they were found in the Typed URLs section of the index.dat file..."
However, these are two separate artifacts.

Index.dat files contain Internet Explorer history, as explained here:

TypedURLs is a registry key that contains the last 25 addresses typed into Internet Explorer, as explained here:

So the text should say:

"...they were found in the Typed URLs registry key in addition to the index.dat file..."

Loc. 1648:
"Elcomsoft's IOS Toolkit" should be "Elcomsoft's iOS Toolkit"

Ch 5

Loc. 1740:
The text says: "Each of these methods will create the same forensic image..."

This is not true of "Forensic imaging of live systems" -- that makes a different image than the other methods, such as "Forensic image with hardware write blockers". Live captures are important and valuable, but different from the dead images the other methods produce.

Ch 7

"Hiberfile.sys" should be "Hiberfil.sys" at locations 2394 and 2406, as documented here:

Ch 8

"Win PE" at location 2587 should be "Win FE"

Ch 13

"JAD Software" changed its name to "Magnet Forensics" (location 4005), as shown here:

Ch 14

Location 4291: The UserAssist key is in HKCU, not HKLM.

Ch 15

Location 4488: The correct path to the ProfileList key is:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
The path in the book is missing "SOFTWARE".

Location 4488: The Last Written Time of a user's SID-named registry key in ProfileList does not indicate the last time a user logged on, but the last time that user logged off. This is unclear in the book.

Location 4534: The UserAssist key location is incorrect. Here are the correct locations:

Posted 11-19-13 8:13 am by Sam Bowne
Author response added 11-21-13 4:29 pm
Ch 4 and 5 minor errors added 1-29-14 5:15 pm
Ch 7 error added 2-17-14 9:38 am
Ch 8 error added 3-4-14 8:46 am
Ch 13 added 12:24 pm 4-13-14
Ch 14 added 11:34 am 4-23-14
Ch 15 added 9:01 am 4-29-14