Brett's Blog

Just some ramblings.

Reviewing a tech book technically makes you a peer reviewer…

    If you have been in the digital forensics world for more than a day, then you know about peer reviews of analysis reports.  If you have ‘only’ been doing IR work where forensics isn't the main point (as in taking evidence collection all the way to court), then you may not be reading reports of opposing experts.  Anyway, the opposing expert peer review is one of the scariest reviews of all since the reader, which is again, the opposing expert, tries to find holes in your work.  The peer review is so effective to push toward doing a good job that I think it prevents errors by the examiner more than it does help opposing experts find errors of the examiner.  Peer reviews take different shapes depending on where it is being done (review of a book draft, review of a report, etc...) but in general, a peer review is checking the accuracy of the written words.

    Academia has always been under the constant worry of peer reviews.  One professor's journal may be peer reviewed by dozens of other professors in the same field, with the end result being seen by the public, whether good or bad. Peer reviews are scary, not for the sake that you made a mistake, but that maybe you could have missed something important that someone else points out to you.

    If you read a tech book and write a review of it (formally in an essay/journal, or informally on social media), consider yourself a peer reviewer of tech writings.  That which you say, based on what you read, is a peer review of that material.  Think about that for a second.  If you are in the field of the book you are reviewing, you practically are tech reviewing that book for accuracy (so make sure you are correct!).  That is a good thing for you as it boosts your experience in the field.  Always be the expert on the stand who can say, “I’ve read x number of forensic books and have given x number peer reviews on social media, Amazon, essays, etc….”.  If for nothing else, this shows more than that you just read books.  You read for accuracy and give public review of your findings. Nice.

    There is some stress in writing a peer review because you have to be correct in your claims.  Sure, maybe some things in the book could have been done a different way, but was it the wrong way?  The manner in which you come across in a peer review is important too.  Crass and rude really doesn't make you look great on the stand if you slam a book or paper.  You can get the point across just as well by being professional.

    Writing books takes no back seat to peer review stress, especially when it comes to technical books.  Not only does the grammar get combed by reviewers, but the actual technical details get sliced and diced.  Was the information correct? Was it current and up-to-date?  Is there any other information that negates what was written in the book?

Continue reading
564 Hits

Dude, just write the book.

Dude, just write the book.

I had a discussion with a peer of mine about writing a book, in that my peer has been thinking of writing a book but never gets around to doing it.  After about two years of listening to how he should write his book, my response was “Dude, stop talking about it and write the darn book.”

His book idea is a nonfiction technical book and is about **secret topic** (of course I’m not leaking the topic or title!).  He is an expert, or at least knows a heckuv a lot more about the topic than I do.  I would buy the book tomorrow.  I even said that if he had written this book when he first told me about it, we’d be talking about the next edition and I would have already bought the first edition.  "Dude, you’re two years and two editions behind now!”

Which brings me to my point. Years ago, I said the same thing.  “Hey, I think I could write a book.” I said it a few people and one of the guys told me, “Dude, just write the darn book.” And so I did.  Three times already. Started a fourth. Plans for a fifth.  All from one person telling me to stop talking about it and write the book.  I took the suggestion to heart because he had already published several books himself. Thanks HC.

Fair warning: It’s not easy.

If you can get a contract, you’ll have deadlines to meet, standards to keep up, and demands placed on you by the publisher. Worse yet, if you don’t have a contract and want to self-publish, you have to place those same demands on yourself.

Continue reading
740 Hits

Books written by practitioners are many times better than those written by those who 'never done it'

Books written by practitioners are many times better than those written by those who 'never done it'

Many of Syngress published books I’ve read are those written by people simply writing about how they do their job…while they are doing their job.   They are probably not writing while they are physically doing their work, but you know what I mean.

With my first book, Placing the Suspect Behind the Keyboard, I was consulting on a criminal cyber harassment case, two arson cases, and several civil litigation projects. In three of the cases during writing the book, the main goal was identifying users behind the keyboard (in one case, behind a mobile device).  In addition to doing what I knew from my law enforcement detective days, I conferred with experts for tips and tricks on tracking Internet users.  I was writing the book while doing the work.

My current book, Hiding the Behind the Keyboard, was virtually the same, however, this time with a co-author (John Bair). While writing the book, there were multiple interruptions of having to do work in the real-world outside of typing and testing theories. While John was working homicides and examining mobile devices in those cases, I was consulting on employee matters where unidentified employees were creating havoc with their company by being anonymous online. It is one thing to create a perfect scenario to test a theory and quite another to have actual evidence on an active case.  Again, this was another book of authors writing what they do on a daily basis.

I write about this only because I remind myself regularly of college courses I have taken in digital forensics where the required books not only cost an arm and a leg, but were written by academia, not active practitioners.  I’ve even taken a computer forensics course from a community college where the professor had not done one forensic exam…not a single one.  The professor did not even know how to connect a hardware write-blocker to a hard drive. I kid you not.  

I’m not a Syngress employee, but I do like their books. The cost may seem high for some of the books, but it is still about half the price of a college text in the same subject matter.  But the biggest difference is how the books read. I so much prefer reading a book that simply says, “This is how you do it in the real world”. I do not prefer books that speak in terms of an idealized theory.  Reminds me of my Field Training Officers in patrol telling me to forget what I learned at the academy because they were going to teach me what works on the street, in real life.  The best thing I like about the Syngress books is that I can read what the experts are using day-to-day in their own words.

Continue reading
733 Hits

The best part of writing a book is finishing the book.

The best part of writing a book is finishing the book.

I choose the title of my latest book (Hiding Behind the Keyboard) to be provocative, although the book may not completely be what you would expect if you think that it is a manual to hide yourself on the Internet. Being from Syngress, this is technically a technical book in that it discusses how to uncover covert communications using forensic analysis and traditional investigative methods.

The targeted audience is those charged with finding the secret (and sometimes encrypted) communications of criminals and terrorists.  Whether the communications are conducted through e-mail, chat, forums, or electronic dead drops, there are methods to find the communications to identify and prevent crimes.

For the investigators, before you get uptight that the book gives away secrets, keep in mind that no matter how many “secrets” are known by criminals or terrorists, you can still catch them using the same methods regardless of how much effort criminals put into not getting caught.

As one example, one of the cases I had years ago as a narcotic detective was an anonymous complaint of a large, indoor marijuana grow operation.  Two plainclothes detectives and I knocked on the door and politely asked for consent to search the home for a marijuana grow.  I told the owner that he didn’t have to give consent, or let us in, and could refuse consent at any time.  He gave consent and we found hundreds of marijuana plants growing in the house.  The point of this story was that on a table near the front door, was a book on how to grow marijuana that was opened to the page that said “when the cops come to your door for consent, say NO!”.  He had the book that advised not to do what he did anyway.

The point being, even when knowing how to commit crimes, criminals are still caught and terrorist plots are still stopped. The more important aspect is that investigators need to know as much as they can and this requires training, education, and books like Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard.

Continue reading
1083 Hits

Book Review: Windows Forensic Analysis Toolkit, 4th Edition

WFAI’ve been waiting until I received the hard copy of this book to write the review. I had the fortune of being the tech editor for this book and enjoyed every minute of it. Although I do not have an ongoing financial interest in this book, I do have a vested personal interest based on the reasons Harlan Carvey lays out in many chapters. I’ll get to my personal interest later in this review.  Also, Harlan has a post on updated book contents here:

Without reading any reviews, those analysts who buy Harlan’s books will keep buying his books with the full expectation of having a well-written (as in easy-to-read) book on Windows OS forensics. There is no need to read any further in this review if you fit in this category. This is Harlan’s new book. That is all you really need to know. But if you just want my opinion, read on…

The topics in the 4th Edition of WFA are all eye-catching. Volume shadow copies, file analysis, registry, malware, timelines, tracking user activity, and more.   Every topic detailed in all the chapters, is relevant to everyone that touches a Windows system to examine. The difference between Harlan’s books and others is the guidance given. For example, rather than reading a discourse on some technology, Harlan gives practical advice, suggestions, and real-life stories that relate to the points in the book. Since we have all made mistake (or will make mistakes, or have made mistakes but just don’t know it yet), having guidance that reduces mistakes in the way of stories and plain talk is well worthwhile to read.

The book has too much information to be covered in a review. There is more information on accessing volume shadow copies using several different methods than I want to review. The same can be said for file analysis, registry analysis, timelines, and every other topic. Harlan gives several options to accomplish the same task, using different software.   Although I wrote a book on one software (X-Ways Practitioners Guide), I obviously use more than just one software. Any forensic book, other than a manual or software guide, that does not give options with various types of software does not give the reader options to solve problems.

Another facet of Harlan’s book is his never-ending harping of asking everyone to ‘share information’. That sentence may sound negative, but truthfully, I don’t know how Harlan has the energy to push the sharing of information for so long. The book is sprinkled with this tone and I echo the importance of sharing information. I did my best to keep up with Harlan’s book as I tech edited it, working his suggestions. Some of the methods he wrote were new to me, which I would not have found on my own without happening upon the method in a blog..maybe.

Continue reading
711 Hits

Vote for your favorite book

Don’t forget to vote for the XWF Guide at  But of course, only vote if you liked it :)

And if you didn’t like it (which means you don’t have XWF…), vote for my other book, Placing the Suspect Behind the Keyboard.  But again, only vote if you liked it :)

And if you didn’t like that book either…give me your phone number.  We need to talk…

525 Hits

Humbled and honored

[caption id="568" align="alignleft" width="150"]4cast Forensic 4cast Awards

I just saw that the book of the year nominees at the Forensic 4cast Awards include both the X-Ways Practitioner's Guide and Placing the Suspect Behind the Keyboard.  For those that made the nominations, that was very kind.  For those that vote for either book, I thank you in advance.

Both books are pretty good.  Each gives plenty of tips and information to save you hours of frustration, and more importantly, close some cases.  There is a sample chapter of Placing the Suspect Behind the Keyboard here:  There are reviews at Amazon for both books that may be helpful if you were thinking of getting either book.

If you use need the X-Ways Guide, no matter how long you have been using X-Ways.  When I asked Eric to help me write this book, he ran with it and did a super job of helping create an easy to read guide to using a very powerful forensic tool.  I have more than a ton of emails of how the book converted Encase/FTK primary users into XWF primary users.

As for the Placing the Suspect Behind the Keyboard, that has also helped more than a few examiners close a case with a simple (yet elusive) tip, trick, method, or process that saves hours, if not days, of work.  Again, even if you have been doing forensics for a long time, nothing says you can't learn or relearn something you may not know or have forgotten.

Thanks again to everyone.



392 Hits

Hey look! Now there is a book on FTK.


I previously posted that a book on FTK is sure to come along, since we have the best book of X-Ways and the other book on Encase.  Now comes a book on FTK.  Just like the XWF Guide or the upcoming Encase guide, I wouldn't see any reason for a FTK user to not have a book on FTK.

It makes sense to have "the" book on X-Ways, "the" book on Encase, and "the" book on FTK.  By having books on your major forensic suites, it is easier to compare what suite "A" does compared to tools "B" and "C" as well as how to get from point A to B using each tool. about that book on ProDiscover?  Anyone?  Grab the opportunity before someone else does.  I promise to buy it, as I have already ordered the FTK and Encase books.

I have brief reviews on my favorite DF books at



[caption id="attachment_547" align="aligncenter" width="170"]FTK

[caption id="attachment_549" align="aligncenter" width="169"]encase

[caption id="attachment_347" align="aligncenter" width="173"]Xways-Cover
336 Hits

Not X-Ways, but of interest to Encase users

Computer Forensics and Digital Investigation with EnCase Forensic



I know, this has nothing to do with X-Ways Forensics.  But hey, the X-Ways Practitioner's Guide was first...

Practically, this seems like a good book for Encase users to park on the shelf (while the X-Ways Practitioner's Guide sits on your desk next to your keyboard).

So, when is that book on "FTK" coming out....and who is going to write it?...And if you do want to write it, give Syngress a shout.

322 Hits

Cloud Storage Forensics


I have a detailed review of this book at  In short, it's a really good book and of all tools to choose for the research in the book, the authors picked X-Ways Forensics.  But then, that should not come as any surprise.

There's still time to ask Santa to put this in your stocking...

330 Hits

Cloud Storage Forensics and XWF

Cloud Storage Amazon link to order

I recently finished tech editing a book soon to be published on Cloud Storage Forensics.  One of the main tools used was....wait for it...X-Ways Forensics.   Without giving anything about the book away, I was really impressed by the level of detail documented on the amount of research conducted in cloud storage forensics.

The book goes to print in January, but available for preorder.  I'll be writing a review of the book once it is made available, but in short, I give it a high grade of technical accuracy and research on the most commonly used cloud storage services and the connected machines.  The authors documented testing of various cloud services as if it were scientific examinations (which by the way, digital forensics testing is...) and their methods can be used by anyone as can their results.  I'll give a small tidbit that there are many instances of "holy smokes!" on some of their findings that I have not seen anywhere else.

The authors could have chosen any major forensic tool, but they chose XWF.  This is just another example of how X-Ways Forensics is used to validate scientific theories and tests over all others.  The reason is simple:  XWF works.

This book, along with a few others that I know are coming out fairly soon, should be quick sellouts for the first printing.  For anyone that buys books from Amazon, preordering is a good way to go and Amazon price matches books, even after you have already ordered.  Just saying...

327 Hits

Last day for the 40% discount on the XWF Guide!

This is one of those times that procrastinating will cost you money....


What will you tell yourself when you have to spend twice as much for the XWF Guide after tomorrow?




Continue reading
361 Hits

Table of contents updated!

Chapter 4 is wrapping up! We each have one more chapter to go and then we start the case studies.

The table of contents page is updated to reflect the topics of each chapter and, for the completed chapters, the page and word count of each.
362 Hits

X-Ways Forensics Practitioner's Guide is coming!

Eric Zimmerman and Brett Shavers have started writing the "X-Ways Forensics Practitioner's Guide", due out toward the end of year 2013.

Check back as to when the guide will be available.   This guide intends to be the source of using X-Ways Forensics.

454 Hits