Incident Response & Computer Forensics, 2nd Ed. / Edition 2

ISBN-10: 007222696X
ISBN-13: 9780072226966
Pub. Date: 07/17/2003
Publisher: McGraw-Hill Professional Publishing

Paperback


Product Details

Series: Security Series
Edition description: Second Edition
Pages: 544
Product dimensions: 7.50(w) x 9.20(h) x 1.10(d)

About the Author

Chris Prosise, VP of Consulting at Foundstone, is a recognized network security expert with extensive experience in attack and penetration testing and incident response. Chris has led government and commercial security teams on missions worldwide, from sensitive incident response missions on Top Secret government networks to comprehensive security assessments on some of the world's largest corporations. Chris is a featured speaker at multiple security conferences such as Forum of Incident Response and Security Teams (FIRST). Chris is an adjunct professor at Carnegie Mellon University where he teaches a class on Incident Response.

Kevin Mandia, Director of Computer Forensics at Foundstone, is a well-recognized forensics and incident response expert. Kevin leads Foundstone's premier incident response and forensics services, delivering consulting and training services to Foundstone's clients. Prior to joining Foundstone, Kevin was a Special Agent with AFOSI specializing in computer intrusion cases. Upon leaving the AFOSI, Kevin developed a computer intrusion response course specifically designed at the request of the FBI. Kevin trained over 400 FBI agents as well as personnel from the State Department, the CIA, NASA, the U.S. Postal Service, the Air Force, and other Government Agencies.

Table of Contents

Foreword ... xxi
Acknowledgments ... xxiii
Introduction ... xxv

Part I: Introduction

1. Real-World Incidents ... 3
    Factors Affecting Response ... 4
    International Crime ... 5
    Traditional Hacks ... 7
    So What? ... 9

2. Introduction to the Incident Response Process ... 11
    What Is a Computer Security Incident? ... 12
    What Are the Goals of Incident Response? ... 13
    Who Is Involved in the Incident Response Process? ... 13
    Incident Response Methodology ... 14
    So What? ... 32
    Questions ... 32

3. Preparing for Incident Response ... 33
    Overview of Pre-incident Preparation ... 34
    Identifying Risk ... 35
    Preparing Individual Hosts ... 36
    Preparing a Network ... 49
    Establishing Appropriate Policies and Procedures ... 53
    Creating a Response Toolkit ... 66
    Establishing an Incident Response Team ... 69
    So What? ... 73
    Questions ... 73

4. After Detection of an Incident ... 75
    Overview of the Initial Response Phase ... 76
    Establishing an Incident Notification Procedure ... 77
    Recording the Details after Initial Detection ... 78
    Incident Declaration ... 80
    Assembling the CSIRT ... 81
    Performing Traditional Investigative Steps ... 86
    Conducting Interviews ... 87
    Formulating a Response Strategy ... 90
    So What? ... 92
    Questions ... 92

Part II: Data Collection

5. Live Data Collection from Windows Systems ... 95
    Creating a Response Toolkit ... 96
    Storing Information Obtained during the Initial Response ... 100
    Obtaining Volatile Data ... 103
    Performing an In-Depth Live Response ... 115
    Is Forensic Duplication Necessary? ... 123
    So What? ... 123
    Questions ... 124

6. Live Data Collection from Unix Systems ... 125
    Creating a Response Toolkit ... 126
    Storing Information Obtained During the Initial Response ... 127
    Obtaining Volatile Data Prior to Forensic Duplication ... 128
    Performing an In-Depth, Live Response ... 138
    So What? ... 148
    Questions ... 149

7. Forensic Duplication ... 151
    Forensic Duplicates As Admissible Evidence ... 152
    Forensic Duplication Tool Requirements ... 155
    Creating a Forensic Duplicate of a Hard Drive ... 157
    Creating a Qualified Forensic Duplicate of a Hard Drive ... 163
    So What? ... 172
    Questions ... 172

8. Collecting Network-based Evidence ... 173
    What Is Network-based Evidence? ... 174
    What Are the Goals of Network Monitoring? ... 174
    Types of Network Monitoring ... 175
    Setting Up a Network Monitoring System ... 177
    Performing a Trap-and-Trace ... 186
    Using tcpdump for Full-Content Monitoring ... 190
    Collecting Network-based Log Files ... 193
    So What? ... 194
    Questions ... 194

9. Evidence Handling ... 197
    What Is Evidence? ... 198
    The Challenges of Evidence Handling ... 199
    Overview of Evidence-Handling Procedures ... 202
    So What? ... 213
    Questions ... 213

Part III: Data Analysis

10. Computer System Storage Fundamentals ... 217
    Hard Drives and Interfaces ... 218
    Preparation of Hard Drive Media ... 227
    Introduction to File Systems and Storage Layers ... 231
    So What? ... 236
    Questions ... 237

11. Data Analysis Techniques ... 239
    Preparation for Forensic Analysis ... 240
    Restoring a Forensic Duplicate ... 241
    Preparing a Forensic Duplication for Analysis In Linux ... 248
    Reviewing Image Files with Forensic Suites ... 253
    Converting a Qualified Forensic Duplicate to a Forensic Duplicate ... 257
    Recovering Deleted Files on Windows Systems ... 260
    Recovering Unallocated Space, Free Space, and Slack Space ... 275
    Generating File Lists ... 278
    Preparing a Drive for String Searches ... 282
    So What? ... 288
    Questions ... 289

12. Investigating Windows Systems ... 291
    Where Evidence Resides on Windows Systems ... 292
    Conducting a Windows Investigation ... 293
    File Auditing and Theft of Information ... 328
    Handling the Departing Employee ... 331
    So What? ... 333
    Questions ... 333

13. Investigating Unix Systems ... 335
    An Overview of the Steps in a Unix Investigation ... 336
    Reviewing Pertinent Logs ... 337
    Performing Keyword Searches ... 342
    Reviewing Relevant Files ... 344
    Identifying Unauthorized User Accounts or Groups ... 350
    Identifying Rogue Processes ... 351
    Checking for Unauthorized Access Points ... 352
    Analyzing Trust Relationships ... 352
    Detecting Trojan Loadable Kernel Modules ... 353
    So What? ... 358
    Questions ... 358

14. Analyzing Network Traffic ... 359
    Finding Network-Based Evidence ... 360
    Generating Session Data with tcptrace ... 362
    Reassembling Sessions Using tcpflow ... 369
    Reassembling Sessions Using Ethereal ... 376
    Refining tcpdump Filters ... 378
    So What? ... 379
    Questions ... 380

15. Investigating Hacker Tools ... 385
    What Are the Goals of Tool Analysis? ... 386
    How Files Are Compiled ... 386
    Static Analysis of a Hacker Tool ... 394
    Dynamic Analysis of a Hacker Tool ... 399
    So What? ... 413
    Questions ... 413

16. Investigating Routers ... 415
    Obtaining Volatile Data Prior to Powering Down ... 416
    Finding the Proof ... 423
    Using Routers as Response Tools ... 428
    So What? ... 433
    Questions ... 433

17. Writing Computer Forensic Reports ... 435
    What Is a Computer Forensics Report? ... 436
    Report Writing Guidelines ... 439
    A Template for Computer Forensic Reports ... 444
    So What? ... 452
    Questions ... 453

Part IV: Appendixes

A. Answers to Questions ... 457
    Chapter 2 ... 458
    Chapter 3 ... 460
    Chapter 4 ... 461
    Chapter 5 ... 462
    Chapter 6 ... 463
    Chapter 7 ... 463
    Chapter 8 ... 465
    Chapter 9 ... 468
    Chapter 10 ... 470
    Chapter 11 ... 473
    Chapter 12 ... 474
    Chapter 13 ... 474
    Chapter 14 ... 475
    Chapter 15 ... 477
    Chapter 16 ... 477
    Chapter 17 ... 478

B. Incident Response Forms ... 481

Index ... 491
