Incident Response & Computer Forensics ^{2nd Ed.}

Completely Updated with the Latest Techniques

New and Updated Material:

• New real-world scenarios throughout
• The latest methods for collecting live data and investigating Windows and UNIX systems
• Updated information on forensic duplication
• New chapter on emergency network security monitoring
• New chapter on corporate evidence handling procedures
• New chapter on data preparation with details on hard drive interfaces and data storage principles
• New chapter in data extraction and analysis
• The latest techniques for analyzing network traffic
• Up-to-date methods for investigating and accessing hacker tools

1. Introduction
1. Real-World Incidents
• Factors Affecting response
• International Crime
• Welcome to Invita
• The PathStar Conspiracy
• Traditional Hacks
• So What?
2. Introduction to the Incident Response Process
• What Is a Computer Security Incident?
• What Are the Goals of Incident Response?
• Who Is Involved in the Incident Response Process?
• Incident Response Methodology
• Pre-Incident Preparations
• Detection of Incidents
• Initial Response
• Formulate a Response Strategy
• Investigate the Incident
• Reporting
• Resolution
• So What?
• Questions
3. Preparing for Incident Response
• Overview of Pre-Incident Preparation
• Identifying Risk
• Preparing Individual Hosts
• Recording Cryptographic Checksums of Critical Files
• Increasing or Enabling Secure Audit Logging
• Building Up Your Host's Defenses
• Backing Up Critical Data
• Educating Your Users about Host-Based Security
• Preparing a Network
• Installing Firewalls and Intrusion Detection Systems
• Using Access Control Lists on Your Routers
• Creating a Network Topology Conducive to Monitoring
• Encrypting Network Traffic
• Requiring Authentication
• Establishing Appropriate Policies and Procedures
• Determining Your Response Stance
• Understanding How Policies Can Aid Investigative Steps
• Developing Acceptable Use Policies
• Designing AUP's
• Developing Incident Response Procedures
• Creating a Response Toolkit
• The Response Hardware
• The Response Software
• The Networking Monitoring Platform
• Documentation
• Establishing an Incident Response Team
• Deciding on the Team's Mission
• Training the Team
• So What?
• Questions
4. After Detection of an Incident
• Overview of the Initial Response Phase
• Obtaining Preliminary Information
• Documenting Steps to Take
• Establishing an Incident Notification Procedure
• Recording the Details after Initial Detection
• Initial Response Checklists
• Case Notes
• Incident Declaration
• Assembling the CSIRT
• Determining Escalation Procedures
• Implementing Notification Procedures
• Scooping an Incident and Assembling the Appropriate Resources
• Performing Traditional Investigative Steps
• Conducting Interviews
• Getting Contact Information
• Interviewing System Administrators
• Interviewing Managers
• Interviewing End Users
• Formulating a Response Strategy
• Response Strategy Considerations
• Policy Verification
• So What?
• Questions
2. Data Collection
5. Live Data Collection from Windows Systems
• Creating a Response Toolkit
• Gathering the Tools
• Preparing the Toolkit
• Storing Information Obtained during the Initial Response
• Transferring Data with netcat
• Encrypting Data with cryptcat
• Obtaining Volatile Data
• Organizing and Documenting Your Investigation
• Collecting Volatile Data
• Scripting Your Initial Response
• Performing a In-Depth Live Response
• Collecting the Most Volatile Data
• Creating an In-Depth Response Toolkit
• Collecting Live Response Data
• Is Forensic Duplication Necessary?
• So What?
• Questions
6. Live Data Collection from Unix Systems
• Creating a Response Toolkit
• Storing Information Obtained During the Initial Response
• Obtaining Volatile Data Prior to Forensic Duplication
• Collecting the Data
• Scripting Your Initial Response
• Performing an In-Depth, Live Response
• Detecting Loadable Kernel Module Rootkits
• Obtaining the System Logs During Live Response
• Obtaining Important Configuration Files
• Discovering Illicit Sniffers on Unix Systems
• Reviewing the /Proc File System
• Dumping System RAM
• So What?
• Questions
7. Forensic Duplication
• Forensic Duplicates As Admissible Evidence
• What Is a Forensic Duplicate?
• What Is a Qualified Forensic Duplicate?
• What Is a Restored Image?
• What Is a Mirror Image?
• Forensic Duplication Tool Requirements
• Creating a Forensic Duplicate of a Hard Drive
• Duplicating with dd and dcdldd
• Duplicating with the Open Data Duplicator (ODD)
• Creating a Qualified Forensic Duplicate of a Hard Drive
• Creating a Boot Disk
• Creating a Qualified Forensic Duplicate with SafeBack
• Creating a Qualified Forensic Duplicate with EnCase
• So What?
• Questions
8. Collecting Network-based Evidence
• What Is Network-based Evidence?
• What Are the Goals of Network Monitoring?
• Types of Network Monitoring
• Event Monitoring
• Trap-and-Trace Monitoring
• Full-Content Monitoring
• Setting Up a Network Monitoring System
• Determining Your Goals
• Choosing Appropriate Hardware
• Choosing Appropriate Software
• Deploying the Network Monitor
• Evaluating Your Network Monitor
• Performing a Trap-and-Trace
• Initiating a Trap-and-Trace with tcpdump
• Performing a Trap-and-Trace WinDump
• Creating a Trap-and-Trace Output File
• Using tcpdump for Full-Content Monitoring
• Filtering Full-Content Data
• Maintaining Your Full-Content Data Files
• Collecting Network-based Log Files
• So What?
• Questions
9. Evidence Handling
• What Is Evidence?
• The Best Evidence Rule
• Original Evidence
• The Challenges of Evidence Handling
• Authentication of Evidence
• Chain of Custody
• Evidence Validation
• Overview of Evidence-Handling Procedures
• Evidence System Description
• Digital Photos
• Evidence Tags
• Evidence Labels
• Evidence Storage
• The Evidence Log
• Working Copies
• Evidence Backups
• Evidence Disposition
• Evidence Custodian Audits
• So What?
• Questions
3. Data Analysis
10. Computer System Storage Fundamentals
• Hard Drives and Interfaces
• The Swiftly Moving ATA Standard
• SCSI (Not Just a Bad-Sounding Word)
• Preparation of Hard Drive Media
• Wiping Storage Media
• Partitioning and Formatting Storage Drives
• Introduction to File Systems and Storage Layers
• The Physical Layer
• The Data Classification Layer
• The Allocation Units Layer
• The Storage Space Management Layer
• The Information Classification and Application-level Storage Layers
• So What?
• Questions
11. Data Analysis Techniques
• Preparation for Forensic Analysis
• Restoring a Forensic Duplicate
• Restoring a Forensic Duplication of a Hard Disk
• Restoring a Qualified Forensic Duplication of a Hard Disk
• Preparing a Forensic Duplication for Analysis in Linux
• Examining the Forensic Duplicate File
• Associating the Forensic Duplicate File with the Linux Loopback Device
• Reviewing Image Files with Forensic Suites
• Reviewing Forensic Duplicates in EnCase
• Reviewing Forensic Duplicates in the Forensic Toolkit
• Converting a Qualified Forensic Duplicate to a Forensic Duplicate
• Recovering Deleted Files on Windows Systems
• Using Windows-Based Tools To Recover Files on FAT File Systems
• Using Linux Tools To Recover Files on FAT File Systems
• Running Autopsy as a GUI for File Recovery
• Using Foremost to Recover Lost Files
• Recovering Deleted Files on Unix Systems
• Recovering Unallocated Space, Free Space, and Slack Space
• Generating File Lists
• Listing File Metadata
• Identifying Known System Files
• Preparing a Drive for String Searches
• Performing String Searches
• So What?
• Questions
12. Investigating Windows Systems
• Where Evidence Resides on Windows Systems
• Conducting a Windows Investigation
• Reviewing all Pertinent Logs
• Performing Keyword Searches
• Reviewing Relevant Files
• Identifying Unauthorized User Accounts or Groups
• Identifying Rogue Processes
• Looking for Unusual or Hidden Files
• Checking for Unauthorized Access Points
• Examining Hobs Run by the Scheduler Service
• Analyzing Trust Relationships
• Reviewing Security Identifiers
• File Auditing and Theft of Information
• Handling the Departing Employee
• Reviewing Searches and Files Used
• Conducting String Searches on Hard Drives
• So What?
• Questions
13. Investigating Unix Systems
• An Overview of the Steps in a Unix Investigation
• Reviewing Pertinent Logs
• Network Logging
• Host logging
• User Activity Logging
• Performing Keyword Searches
• String Searches with grep
• File Searches with find
• Reviewing Relevant Files
• Incident Time and Time/Date Stamps
• Special Files
• Identifying Unauthorized User Accounts or Groups
• User Account Investigation
• Group Account Investigation
• Identifying Rogue Processes
• Checking for Unauthorized Access Points
• Analyzing Trust Relationships
• Detecting Trojan Loadable Kernel Modules
• LKMs on Live Systems
• LKM Elements
• LKM Detection Utilities
• So What?
• Questions
14. Analyzing Network Traffic
• Finding Network-Based Evidence
• Tools for Network Traffic Analysis
• Reviewing Network Traffic Collected with tcpdum
• Generating Session Data with tcptrace
• Parsing a Capture File
• Interpreting the tcptrace Output
• Using Snort to Extract Event Data
• Checking for SYN Packets
• Interpreting the Snort Output
• Reassembling Sessions Using tcpflow
• Focusing on FTP Sessions
• Interpreting the tcpflow Output
• Reviewing SSH Sessions
• Reassembling Sessions Using Ethereal
• Refining tcpdump Filters
• So What?
• Questions
15. Investigating Hacker Tools
• What Are the Goals of Tool Analysis?
• How Files Are Compiled
• Statically Linked Programs
• Dynamically Linked Programs
• Programs Compiled with Debug Options
• Stripped Programs
• Programs Packed with UPX
• Compilation Techniques and File Analysis
• Static Analysis of a Hacker Tool
• Determining the Type of File
• Reviewing the ASCII and Unicode Strings
• Performing Online Research
• Performing Source Code Review
• Dynamic Analysis of a Hacker Tool
• Creating the Sandbox Environment
• Dynamic Analysis on a Unix System
• Dynamic Analysis on a Windows System
• So What?
• Questions
16. Investigating Routers
• Obtaining Volatile Data Prior to Powering Down
• Establishing a Router Connection
• Recording System Time
• Determining Who Is Logged On
• Determining the Router's Uptime
• Determining Listening Sockets
• Saving the Router Configuration
• Reviewing the Routing Table
• Checking Interface Configurations
• Viewing the ARP Cache
• Finding the Proof
• Handling Direct-Compromise Incidents
• Handling Routing Table Manipulation Incidents
• Handling Theft of Information Incidents
• Handling Denial-of-Service (DoS) Attacks
• Using Routers as Response Tools
• Understanding Access Control Lists (ACLs)
• Monitoring with Routers
• Responding to DoS Attacks
• So What?
• Questions
17. Writing Computer Forensic Reports
• What Is a Computer Forensic Report?
• What Is an Expert Report?
• Report Goals
• Report Writing Guidelines
• Document Investigative Steps Immediately and Clearly
• Know the Goals of Your Analysis
• Organize Your Report
• Follow a Template
• Use Consistent Identifiers
• Use Attachments and Appendixes
• Have Co-workers Read Your Reports
• Use MD5 Hashes
• Include Metadata
• A Template for Computer Forensic Reports
• Executive Summary
• Objectives
• Computer Evidence Analyzed
• Relevant Findings
• Supporting Details
• Investigative Leads
• Additional Report Subsections
• So What?
• Questions
4. Appendixes
1. Answers to Questions
• Chapter 2
• Chapter 3
• Chapter 4
• Chapter 5
• Chapter 6
• Chapter 7
• Chapter 8
• Chapter 9
• Chapter 10
• Chapter 11
• Chapter 12
• Chapter 13
• Chapter 14
• Chapter 15
• Chapter 16
• Chapter 17
2. Incident Response Forms

Do they really know what they're talking about?

A very basic primer about computer forensics and not incident response. But the authors seems to have a lot of the technical background and the technical details wrong, so I must question if this is worth reading?

Don't trust anything written in this book (on a detailed level), but see it as introduction to what areas the forensic field may require you to learn.