Errors in Textbook

Introduction

I'm using this textbook for my Forensics course:

The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons; ISBN-10: 1597496618

There is a serious error in this book, unfortunately.

I will update this page as the semester proceeds with any further corrections, and any response I get from the author.

Chapter 2: False Statements About Drive Slack

The textbook contains an explanation of drive slack, ending with this figure:

The idea is that a 1024-byte file was saved on the drive and then deleted.

After that, a new 780-byte file was saved over it. The textbook claims that the leftover data between the 780-byte mark and the 1024-byte end of sector can be recovered.

This statement is completely false. What really happens is that writes to the disk are made in whole 512-byte sectors, so the portion of the final sector past the end of the file is not left untouched. The area marked "slack space" in the figure is overwritten with zeroes by modern operating systems.

In very old operating systems, that space was overwritten with data from RAM, so this region is technically known as "RAM Slack".

In both cases, that data is overwritten and cannot be recovered.

My students should know this is true, because they did it in this hands-on project:

Project 2: Viewing Segments and Clusters with a Hex Editor

In this project, students saved a group of 10,002-byte files containing "SPAM" to a disk, deleted the files, and then re-filled the disk with 1002-byte files containing "EGGS".

Here's the result, seen in a hex editor:

As you can see, the leftover space at the end of the sector contains zeroes, not leftover "SPAM" data.

The latent "SPAM" appears only in later sectors, not in the sector to which the "EGGS" data were written.

Here's a diagram of the pattern of data produced by the overwritten file:
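The pattern from Project 2 can be reproduced with a small simulation; this is an added example, not code from the textbook or the course. It models a file system that writes whole 512-byte sectors and pads the tail of the last sector (with zeroes, or with any byte value to stand in for older systems' RAM slack), then maps the sectors the way a hex editor would show them. The sector size, file sizes and "SPAM"/"EGGS" contents come from the project; the disk size and the helper names are assumptions.

```python
SECTOR = 512  # writes are made in whole 512-byte sectors

def write_file(disk: bytearray, offset: int, data: bytes, pad_byte: int = 0) -> int:
    """Write data at a sector-aligned offset, padding the last sector.

    pad_byte=0 models a modern OS (zero fill); another value stands in
    for the old "RAM slack" behaviour.  Returns the bytes written.
    """
    assert offset % SECTOR == 0, "file data starts on a sector boundary"
    padded_len = -(-len(data) // SECTOR) * SECTOR       # round up to a sector
    padding = bytes([pad_byte]) * (padded_len - len(data))
    disk[offset:offset + padded_len] = data + padding   # the whole sector is rewritten
    return padded_len

def sector_map(disk: bytearray) -> list:
    """Label each sector (EGGS, SPAM, zero, other) and count its trailing zero bytes."""
    result = []
    for i in range(len(disk) // SECTOR):
        sec = bytes(disk[i * SECTOR:(i + 1) * SECTOR])
        body = sec.rstrip(b"\x00")
        if not body:
            label = "zero"
        elif body.startswith(b"EGGS"):
            label = "EGGS"
        elif body.startswith(b"SPAM"):
            label = "SPAM"
        else:
            label = "other"
        result.append((i, label, SECTOR - len(body)))
    return result

def run_project_2() -> list:
    """Replay Project 2: a 10,002-byte SPAM file, deleted, then a 1002-byte EGGS file."""
    disk = bytearray(24 * SECTOR)            # constructed sample "disk", assumed blank
    spam = (b"SPAM" * 2501)[:10002]          # 20 sectors; last one holds 274 bytes of data
    eggs = (b"EGGS" * 251)[:1002]            # 2 sectors; last one holds 490 bytes of data
    write_file(disk, 0, spam)
    # Deleting the file only releases its sectors; their contents stay on disk.
    write_file(disk, 0, eggs)
    return sector_map(disk)

if __name__ == "__main__":
    for index, label, slack in run_project_2():
        print(f"sector {index:2d}: {label:5s} trailing zero bytes: {slack}")
```

The two sectors the EGGS file touched end in zeroes, not leftover SPAM; the SPAM survives only in sectors 2 through 19, which the new file never rewrote.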

Chapter 8 Errors

Caching and HTTPS

At location 3146, the text states that Internet Explorer does not cache HTTPS Web pages:

This is incorrect. Items from HTTPS are cached, as explained by Microsoft here:

http://blogs.msdn.com/b/ieinternals/archive/2010/04/21/internet-explorer-may-bypass-cache-for-cross-domain-https-content.aspx

This is trivial to verify by visiting some HTTPS pages in Internet Explorer and viewing the Temporary Internet Files.

The items from HTTPS pages are easy to see:

Windows Live Mail Files

At location 3242, the text says "Windows Live Mail and Outlook Express use .dbx":

This is incorrect. Outlook Express uses DBX files, but Windows Live Mail does not. In fact, this is a technical support issue, as Outlook Express DBX files must be run through an import process to convert them to the EML files used by Windows Live Mail:

http://windows.microsoft.com/en-us/windows-vista/import-messages-into-windows-mail-from-outlook-express

Windows Live Mail stores emails as individual EML files, as explained on this page:

http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/where-are-the-windows-live-mail-files-saved/63217c8f-d773-4826-ab92-7f9189ef2870

I verified this by testing it on Windows 7:
Author Notification

I emailed the author about the error in chapter 1 on 1-27-13. I used the email address I found here:

http://www.marshall.edu/isat/directory.asp

I sent a Cc: to info (at) syngress.com

Author Response

On Jan. 28, the next day, I got this polite and helpful reply. Very classy!

Hi Sam,

Thanks so much for bringing this to my attention. I think your page is correct. My apologies for the error. I'll make sure that gets fixed in the second edition. Have you been using the power point slides for the book? I know some folks were having a tough time finding them. I'll get those slides fixed as well if they are indeed out there.

Best,

--john
We Are....Marshall


Posted 7:33 PM, Jan. 27, 2013 by Sam Bowne
Minor corrections 9:50 PM 1-27-2013
Author response added 1:25 PM 1-28-13
Chapter 8 errors added and author notified 11:36 am 4-5-13