Digital Archaeology: The Art and Science of Digital Forensics

Posted by Ben Rothke

The book Digital Archaeology: The Art and Science of Digital Forensics starts as yet another text on the topic of digital forensics.  But by the time you get to chapter 3, you can truly appreciate how much knowledge author Michael Graves imparts.

Archaeology is defined as the study of human activity in the past, primarily through the recovery and analysis of the material culture and environmental data that they have left behind, which includes artifacts, architecture, biofacts and cultural landscapes.


The author uses archaeology and its associated metaphors as a pervasive theme throughout the book. While most archaeology projects require shovels and pickaxes, digital archaeology requires an entirely different set of tools and technologies. The materials are not in the ground, but rather on hard drives, SD cards, smartphones and other types of digital media.

In the preface, Graves writes that in performing an investigation that explores the use of computers or digital data, the investigator is embarking on an archaeological expedition. In order to extract useful artifacts (in our case, information), the investigator must be exceedingly careful in how he approaches the site. The similarities between a digital investigation and an archaeological excavation are much closer than you might imagine. Data, like physical artifacts, gets dropped into the oddest places. The effects of time and environment are just as damaging, if not more so, to digital artifacts as they are to physical mementos.

The book shows you precisely how to extract those artifacts effectively. In a little over 500 pages, the book's 21 chapters provide a comprehensive overview of every area relevant to digital forensics. The author brings his experience to every page, and rather than producing a dry reference, Graves writes an engaging guide for the reader who is serious about becoming proficient in the topic.

Rather than providing a dry overview of the topics and the associated hardware and software tools, the book takes a real-world approach and provides a detailed narrative of real-world scenarios.

An important point Graves makes is that a digital investigator who does not understand the basic technology behind the systems they are investigating is going to be at a distinct disadvantage. Understanding the technology assists in the investigative process and ensures that the evidence will hold up in court.

The need for proficiency in digital forensics is manifest in the recent attack against Target stores. After the aggressive attack, the retailer called in external digital forensics consultants to help it make sense of what happened.

The book starts with an anatomy of a digital investigation, including the basic model an investigator should use to ensure an effective investigation. While the author is not a lawyer, the book details all of the laws, standards, constitutional issues and regulations that an investigator needs to be cognizant of.

The author notes that forensic experts Warren Kruse and Jay Heiser wrote in their definitive tome on the topic, Computer Forensics: Incident Response Essentials, that the basic computer investigation model was a four-part model with the following steps: assess, acquire, analyze and report. Graves breaks those into more detailed and granular levels that represent the processes that occur within each step. These steps are: identification and assessment, collection and acquisition, preservation, examination, analysis and reporting.

Chapter 2 has a section on the constitutional implications of forensic investigation, a topic that is also pervasive throughout the book.

As noted, a significant portion of the book is dedicated to the legal aspects of digital investigations. Graves spends a lot of time on essential issues such as search warrants and subpoenas, the basic elements of obtaining a warrant, the plain view doctrine, admissibility of evidence, keeping evidence authentic, defining the scope of the search, and when the Constitution doesn’t apply.

The only chapter that was deficient was chapter 13 – Excavating a Cloud. Graves writes that the rapid emergence of cloud computing has added a number of new challenges for the digital investigator. The chapter does a good job of detailing the basic implications of cloud forensics, but it unfortunately does not dig any deeper, and does not provide the same extensive tool listings as the other chapters do.

Each chapter closes with a review of the topic and various exercises. Those wanting to see a sample chapter can do so here.

For those looking for an introductory text on the topic of digital forensics, Digital Archaeology: The Art and Science of Digital Forensics is an excellent read. Its comprehensive overview of the entire subject, combined with the author's excellent writing skills and experience, makes the book a worthwhile reference.

Ben Rothke

Senior Information Security Manager, Tapad


