Incident Response & Computer Forensics 2nd Ed.

Kevin Mandia, Chris Prosise, Matt Pepe

Publisher: McGraw-Hill, 2003, 507 pages

ISBN: 0-07-222696-X

Keywords: IT Security, Information Security

Last modified: July 28, 2021, 2:05 p.m.

Completely Updated with the Latest Techniques

New and Updated Material:

  • New real-world scenarios throughout
  • The latest methods for collecting live data and investigating Windows and UNIX systems
  • Updated information on forensic duplication
  • New chapter on emergency network security monitoring
  • New chapter on corporate evidence handling procedures
  • New chapter on data preparation with details on hard drive interfaces and data storage principles
  • New chapter on data extraction and analysis
  • The latest techniques for analyzing network traffic
  • Up-to-date methods for investigating and assessing hacker tools

  1. Introduction
    1. Real-World Incidents
      • Factors Affecting Response
      • International Crime
        • Welcome to Invita
        • The PathStar Conspiracy
      • Traditional Hacks
      • So What?
    2. Introduction to the Incident Response Process
      • What Is a Computer Security Incident?
      • What Are the Goals of Incident Response?
      • Who Is Involved in the Incident Response Process?
      • Incident Response Methodology
        • Pre-Incident Preparations
        • Detection of Incidents
        • Initial Response
        • Formulate a Response Strategy
        • Investigate the Incident
        • Reporting
        • Resolution
      • So What?
      • Questions
    3. Preparing for Incident Response
      • Overview of Pre-Incident Preparation
      • Identifying Risk
      • Preparing Individual Hosts
        • Recording Cryptographic Checksums of Critical Files
        • Increasing or Enabling Secure Audit Logging
        • Building Up Your Host's Defenses
        • Backing Up Critical Data
        • Educating Your Users about Host-Based Security
      • Preparing a Network
        • Installing Firewalls and Intrusion Detection Systems
        • Using Access Control Lists on Your Routers
        • Creating a Network Topology Conducive to Monitoring
        • Encrypting Network Traffic
        • Requiring Authentication
      • Establishing Appropriate Policies and Procedures
        • Determining Your Response Stance
        • Understanding How Policies Can Aid Investigative Steps
        • Developing Acceptable Use Policies
        • Designing AUPs
        • Developing Incident Response Procedures
      • Creating a Response Toolkit
        • The Response Hardware
        • The Response Software
        • The Network Monitoring Platform
        • Documentation
      • Establishing an Incident Response Team
        • Deciding on the Team's Mission
        • Training the Team
      • So What?
      • Questions
    4. After Detection of an Incident
      • Overview of the Initial Response Phase
        • Obtaining Preliminary Information
        • Documenting Steps to Take
      • Establishing an Incident Notification Procedure
      • Recording the Details after Initial Detection
        • Initial Response Checklists
        • Case Notes
      • Incident Declaration
      • Assembling the CSIRT
        • Determining Escalation Procedures
        • Implementing Notification Procedures
        • Scoping an Incident and Assembling the Appropriate Resources
      • Performing Traditional Investigative Steps
      • Conducting Interviews
        • Getting Contact Information
        • Interviewing System Administrators
        • Interviewing Managers
        • Interviewing End Users
      • Formulating a Response Strategy
        • Response Strategy Considerations
        • Policy Verification
      • So What?
      • Questions
  2. Data Collection
    1. Live Data Collection from Windows Systems
      • Creating a Response Toolkit
        • Gathering the Tools
        • Preparing the Toolkit
      • Storing Information Obtained during the Initial Response
        • Transferring Data with netcat
        • Encrypting Data with cryptcat
      • Obtaining Volatile Data
        • Organizing and Documenting Your Investigation
        • Collecting Volatile Data
        • Scripting Your Initial Response
      • Performing an In-Depth Live Response
        • Collecting the Most Volatile Data
        • Creating an In-Depth Response Toolkit
        • Collecting Live Response Data
      • Is Forensic Duplication Necessary?
      • So What?
      • Questions
    2. Live Data Collection from Unix Systems
      • Creating a Response Toolkit
      • Storing Information Obtained During the Initial Response
      • Obtaining Volatile Data Prior to Forensic Duplication
        • Collecting the Data
        • Scripting Your Initial Response
      • Performing an In-Depth, Live Response
        • Detecting Loadable Kernel Module Rootkits
        • Obtaining the System Logs During Live Response
        • Obtaining Important Configuration Files
        • Discovering Illicit Sniffers on Unix Systems
        • Reviewing the /proc File System
        • Dumping System RAM
      • So What?
      • Questions
    3. Forensic Duplication
      • Forensic Duplicates As Admissible Evidence
        • What Is a Forensic Duplicate?
        • What Is a Qualified Forensic Duplicate?
        • What Is a Restored Image?
        • What Is a Mirror Image?
      • Forensic Duplication Tool Requirements
      • Creating a Forensic Duplicate of a Hard Drive
        • Duplicating with dd and dcfldd
        • Duplicating with the Open Data Duplicator (ODD)
      • Creating a Qualified Forensic Duplicate of a Hard Drive
        • Creating a Boot Disk
        • Creating a Qualified Forensic Duplicate with SafeBack
        • Creating a Qualified Forensic Duplicate with EnCase
      • So What?
      • Questions
    4. Collecting Network-based Evidence
      • What Is Network-based Evidence?
      • What Are the Goals of Network Monitoring?
      • Types of Network Monitoring
        • Event Monitoring
        • Trap-and-Trace Monitoring
        • Full-Content Monitoring
      • Setting Up a Network Monitoring System
        • Determining Your Goals
        • Choosing Appropriate Hardware
        • Choosing Appropriate Software
        • Deploying the Network Monitor
        • Evaluating Your Network Monitor
      • Performing a Trap-and-Trace
        • Initiating a Trap-and-Trace with tcpdump
        • Performing a Trap-and-Trace with WinDump
        • Creating a Trap-and-Trace Output File
      • Using tcpdump for Full-Content Monitoring
        • Filtering Full-Content Data
        • Maintaining Your Full-Content Data Files
      • Collecting Network-based Log Files
      • So What?
      • Questions
    5. Evidence Handling
      • What Is Evidence?
        • The Best Evidence Rule
        • Original Evidence
      • The Challenges of Evidence Handling
        • Authentication of Evidence
        • Chain of Custody
        • Evidence Validation
      • Overview of Evidence-Handling Procedures
        • Evidence System Description
        • Digital Photos
        • Evidence Tags
        • Evidence Labels
        • Evidence Storage
        • The Evidence Log
        • Working Copies
        • Evidence Backups
        • Evidence Disposition
        • Evidence Custodian Audits
      • So What?
      • Questions
  3. Data Analysis
    1. Computer System Storage Fundamentals
      • Hard Drives and Interfaces
        • The Swiftly Moving ATA Standard
        • SCSI (Not Just a Bad-Sounding Word)
      • Preparation of Hard Drive Media
        • Wiping Storage Media
        • Partitioning and Formatting Storage Drives
      • Introduction to File Systems and Storage Layers
        • The Physical Layer
        • The Data Classification Layer
        • The Allocation Units Layer
        • The Storage Space Management Layer
        • The Information Classification and Application-level Storage Layers
      • So What?
      • Questions
    2. Data Analysis Techniques
      • Preparation for Forensic Analysis
      • Restoring a Forensic Duplicate
        • Restoring a Forensic Duplication of a Hard Disk
        • Restoring a Qualified Forensic Duplication of a Hard Disk
      • Preparing a Forensic Duplication for Analysis in Linux
        • Examining the Forensic Duplicate File
        • Associating the Forensic Duplicate File with the Linux Loopback Device
      • Reviewing Image Files with Forensic Suites
        • Reviewing Forensic Duplicates in EnCase
        • Reviewing Forensic Duplicates in the Forensic Toolkit
      • Converting a Qualified Forensic Duplicate to a Forensic Duplicate
      • Recovering Deleted Files on Windows Systems
        • Using Windows-Based Tools To Recover Files on FAT File Systems
        • Using Linux Tools To Recover Files on FAT File Systems
        • Running Autopsy as a GUI for File Recovery
        • Using Foremost to Recover Lost Files
      • Recovering Deleted Files on Unix Systems
      • Recovering Unallocated Space, Free Space, and Slack Space
      • Generating File Lists
        • Listing File Metadata
        • Identifying Known System Files
      • Preparing a Drive for String Searches
        • Performing String Searches
      • So What?
      • Questions
    3. Investigating Windows Systems
      • Where Evidence Resides on Windows Systems
      • Conducting a Windows Investigation
        • Reviewing All Pertinent Logs
        • Performing Keyword Searches
        • Reviewing Relevant Files
        • Identifying Unauthorized User Accounts or Groups
        • Identifying Rogue Processes
        • Looking for Unusual or Hidden Files
        • Checking for Unauthorized Access Points
        • Examining Jobs Run by the Scheduler Service
        • Analyzing Trust Relationships
        • Reviewing Security Identifiers
      • File Auditing and Theft of Information
      • Handling the Departing Employee
        • Reviewing Searches and Files Used
        • Conducting String Searches on Hard Drives
      • So What?
      • Questions
    4. Investigating Unix Systems
      • An Overview of the Steps in a Unix Investigation
      • Reviewing Pertinent Logs
        • Network Logging
        • Host Logging
        • User Activity Logging
      • Performing Keyword Searches
        • String Searches with grep
        • File Searches with find
      • Reviewing Relevant Files
        • Incident Time and Time/Date Stamps
        • Special Files
      • Identifying Unauthorized User Accounts or Groups
        • User Account Investigation
        • Group Account Investigation
      • Identifying Rogue Processes
      • Checking for Unauthorized Access Points
      • Analyzing Trust Relationships
      • Detecting Trojan Loadable Kernel Modules
        • LKMs on Live Systems
        • LKM Elements
        • LKM Detection Utilities
      • So What?
      • Questions
    5. Analyzing Network Traffic
      • Finding Network-Based Evidence
        • Tools for Network Traffic Analysis
        • Reviewing Network Traffic Collected with tcpdump
      • Generating Session Data with tcptrace
        • Parsing a Capture File
        • Interpreting the tcptrace Output
        • Using Snort to Extract Event Data
        • Checking for SYN Packets
        • Interpreting the Snort Output
      • Reassembling Sessions Using tcpflow
        • Focusing on FTP Sessions
        • Interpreting the tcpflow Output
        • Reviewing SSH Sessions
      • Reassembling Sessions Using Ethereal
      • Refining tcpdump Filters
      • So What?
      • Questions
    6. Investigating Hacker Tools
      • What Are the Goals of Tool Analysis?
      • How Files Are Compiled
        • Statically Linked Programs
        • Dynamically Linked Programs
        • Programs Compiled with Debug Options
        • Stripped Programs
        • Programs Packed with UPX
        • Compilation Techniques and File Analysis
      • Static Analysis of a Hacker Tool
        • Determining the Type of File
        • Reviewing the ASCII and Unicode Strings
        • Performing Online Research
        • Performing Source Code Review
      • Dynamic Analysis of a Hacker Tool
        • Creating the Sandbox Environment
        • Dynamic Analysis on a Unix System
        • Dynamic Analysis on a Windows System
      • So What?
      • Questions
    7. Investigating Routers
      • Obtaining Volatile Data Prior to Powering Down
        • Establishing a Router Connection
        • Recording System Time
        • Determining Who Is Logged On
        • Determining the Router's Uptime
        • Determining Listening Sockets
        • Saving the Router Configuration
        • Reviewing the Routing Table
        • Checking Interface Configurations
        • Viewing the ARP Cache
      • Finding the Proof
        • Handling Direct-Compromise Incidents
        • Handling Routing Table Manipulation Incidents
        • Handling Theft of Information Incidents
        • Handling Denial-of-Service (DoS) Attacks
      • Using Routers as Response Tools
        • Understanding Access Control Lists (ACLs)
        • Monitoring with Routers
        • Responding to DoS Attacks
      • So What?
      • Questions
    8. Writing Computer Forensic Reports
      • What Is a Computer Forensic Report?
        • What Is an Expert Report?
        • Report Goals
      • Report Writing Guidelines
        • Document Investigative Steps Immediately and Clearly
        • Know the Goals of Your Analysis
        • Organize Your Report
        • Follow a Template
        • Use Consistent Identifiers
        • Use Attachments and Appendixes
        • Have Co-workers Read Your Reports
        • Use MD5 Hashes
        • Include Metadata
      • A Template for Computer Forensic Reports
        • Executive Summary
        • Objectives
        • Computer Evidence Analyzed
        • Relevant Findings
        • Supporting Details
        • Investigative Leads
        • Additional Report Subsections
      • So What?
      • Questions
  4. Appendixes
    1. Answers to Questions
      • Chapter 2
      • Chapter 3
      • Chapter 4
      • Chapter 5
      • Chapter 6
      • Chapter 7
      • Chapter 8
      • Chapter 9
      • Chapter 10
      • Chapter 11
      • Chapter 12
      • Chapter 13
      • Chapter 14
      • Chapter 15
      • Chapter 16
      • Chapter 17
    2. Incident Response Forms

Reviews

Incident Response & Computer Forensics

Reviewed by Roland Buresund

Disappointing *** (3 out of 10)

Last modified: May 21, 2007, 3:06 a.m.

Do they really know what they're talking about?

A very basic primer about computer forensics and not incident response. But the authors seem to have a lot of the technical background and the technical details wrong, so I must question if this is worth reading.

Don't trust anything written in this book (on a detailed level), but see it as an introduction to what areas the forensic field may require you to learn.
