A few months ago I reviewed CD and DVD Forensics by Paul Crowley, recommending it as a reference guide for those working in the forensic accounting field. This article reviews Windows Forensics: The Field Guide for Corporate Computer Investigations by Chad Steel.
While this book approaches the topic from the standpoint of using computer forensics to protect a company's interests, it gives valuable information on Windows forensic techniques that are applicable to forensic accounting. Examples of those company interests include unauthorized access to company records, inappropriate use of the internet or email, and substantiating an employee's claim of having worked overtime. While these are not 'forensic accounting' topics as such, the same techniques can be applied in forensic accounting examinations.
The book begins by explaining that most of the reference guides written to date have covered computers running in a UNIX/Linux environment. However, the author states that, as of press time, the sources he references estimate Windows' share of computers in use to be as high as 97%. A real need therefore exists for a guide to forensic techniques in the Windows environment.
A brief history of the transition from MS-DOS to Windows (does anyone remember using Windows 1.0 in 1987? I don't) makes the point that as new Windows versions evolve, the investigative techniques of the forensic expert must evolve with them to keep pace with new features of the software.
The book gives a very detailed explanation of how Windows works, including the difference between its two main file systems, FAT and NTFS. This section did make sense to me, as it was tied to defragmenting your hard drive and to the fact that deleting a file does not remove its contents from the disk: the file system only releases the space, and the data remains until something else overwrites it. These two concepts should be familiar to anyone who has owned a computer for a number of years.
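To make the "deleted but not gone" point concrete, here is a small added example of my own (not code from the book or from Chad Steel). It builds a toy, FAT-style volume in memory with an assumed 512-byte cluster size and a constructed sample PDF, "deletes" the file the way FAT does (marking the directory entry and freeing the clusters without wiping them), and then carves the file back out of the raw image by its signature. It goes one step beyond the paragraph by also showing slack space: after a new, shorter file lands in the freed cluster, the carver no longer finds the PDF, but a keyword search still finds the tail of the old contents.

```python
"""Toy disk image showing why deleted data survives until overwritten.

Added example: a simplified FAT-style volume, not the book's code and not a
real file system driver. The cluster size and the file contents are constructed.
"""
from dataclasses import dataclass, field

CLUSTER = 512  # bytes per allocation unit (assumed for the toy volume)


@dataclass
class DirEntry:
    name: str
    size: int
    clusters: list = field(default_factory=list)
    deleted: bool = False  # FAT marks a deleted entry; it does not wipe the data


class ToyVolume:
    """A directory table plus a flat cluster area, like a minimal FAT volume."""

    def __init__(self, clusters=16):
        self.data = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))
        self.entries = []

    def write(self, name, content):
        needed = max(1, -(-len(content) // CLUSTER))  # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(used):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the rest of the cluster is
            # slack space and keeps whatever bytes were there before.
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.entries.append(DirEntry(name, len(content), used))

    def _entry(self, name):
        for e in self.entries:
            if e.name == name and not e.deleted:
                return e
        raise FileNotFoundError(name)

    def read(self, name):
        """What the operating system shows: only undeleted files, trimmed to size."""
        e = self._entry(name)
        raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in e.clusters)
        return raw[:e.size]

    def delete(self, name):
        e = self._entry(name)
        e.deleted = True
        self.free = sorted(self.free + e.clusters)  # clusters reusable, not wiped


def carve(volume, header, footer):
    """Recover files by signature from the raw cluster area, ignoring the directory."""
    raw = bytes(volume.data)
    found, pos = [], 0
    while True:
        start = raw.find(header, pos)
        if start < 0:
            return found
        end = raw.find(footer, start)
        if end < 0:
            return found
        found.append(raw[start:end + len(footer)])
        pos = end + len(footer)


def keyword_hits(volume, needle):
    """Byte offsets where a keyword still appears in the raw image (e.g. in slack)."""
    raw, hits, pos = bytes(volume.data), [], 0
    while (pos := raw.find(needle, pos)) >= 0:
        hits.append(pos)
        pos += 1
    return hits


def demo():
    vol = ToyVolume()
    invoice = b"%PDF-1.4\nInvoice 4471 total 12,500.00\n%%EOF"  # constructed sample
    vol.write("invoice.pdf", invoice)
    vol.delete("invoice.pdf")
    # The directory no longer lists the file, but carving recovers it intact.
    after_delete = carve(vol, b"%PDF-", b"%%EOF")
    # A new file is placed in the freed cluster and overwrites the PDF header...
    vol.write("memo.txt", b"Lunch at noon")
    after_overwrite = carve(vol, b"%PDF-", b"%%EOF")
    # ...but the rest of the old contents survive in the cluster's slack space.
    slack = keyword_hits(vol, b"12,500.00")
    return after_delete, after_overwrite, slack


if __name__ == "__main__":
    recovered, gone, slack = demo()
    print("carved after delete:", recovered)
    print("carved after overwrite:", gone)
    print("amount still in slack at offsets:", slack)
```

Real carving tools work the same way at a much larger scale: they read the raw device rather than asking the file system for a directory listing, which is why a forensic image must be taken before anyone "cleans up" a machine.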
Please be advised, however, that this book is fairly technical, and many parts of it will make sense only if you have a background in computer science. The forensic accountant will still find it worthwhile reading, as it is a valuable resource on what those trained in computer forensics can do to retrieve data for a forensic examination.
My two favorite chapters were on internet policy and email usage. The author gives a thumbnail sketch of what a company's policy on employee internet use should cover and how to track that use. The first tracking suggestion is rather simplistic, checking the employee's 'Favorites' folder, before proceeding to the History folder, the browser cache and cookies. No idea what some of these terms mean? The book gives a detailed explanation.
The chapter on email usage gives a pretty thorough explanation of the contact management capabilities of Outlook and Outlook Express and how these features can be used in a forensic examination.
This 13-chapter book has complete and detailed screenshots to augment the written text. The appendix was very helpful, containing among other items a sample Chain of Custody form and a Master Boot Record layout.
This is a very interesting book that will complement any forensic accountant's library of reference material.
Link to Amazon for more info about Windows Forensics: The Field Guide for Corporate Computer Investigations