Computer Incident Response and Forensics Team Management

Book Description

Computer Incident Response and Forensics Team Management provides security professionals with a complete handbook of computer incident response from the perspective of forensics team management. This unique approach teaches readers the concepts and principles they need to conduct a successful incident response investigation, ensuring that proven policies and procedures are established and followed by all team members.

Leighton R. Johnson III describes the processes within an incident response event and shows the crucial importance of skillful forensics team management, including when and where the transition to forensics investigation should occur during an incident response event. The book also provides discussions of key incident response components.



  • Provides readers with a complete handbook on computer incident response from the perspective of forensics team management
  • Identifies the key steps to completing a successful computer incident response investigation
  • Defines the qualities necessary to become a successful forensics investigation team member, as well as the interpersonal relationship skills necessary for successful incident response and forensics investigation teams

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. About the Author
  7. Section 1. Introduction
  8. Section 2. Definitions
  9. Part 1: Incident Response Team
    1. Part 1. Incident Response Team
    2. Section 3. The Stages of Incident Response
      1. Methodology #1
      2. Methodology #2
      3. Post-incident Activity
    3. Section 4. The Security Incident Response Team Members
      1. Types of Technical Skills Needed
      2. Types of Personal Skills Needed
    4. Section 5. Incident Evidence
    5. Section 6. Incident Response Tools
    6. Section 7. Incident Response Policies and Procedures
      1. SIRT IR Policies
      2. Corporate IR Strategy and General Use Security Policies
    7. Section 8. Legal Requirements and Considerations
      1. Privacy
      2. Ethics
      3. Investigation Guidelines
    8. Section 9. Governmental Laws, Policies, and Procedures
      1. US Government
      2. Canadian Government
      3. EU
  10. Part 2: Forensics Team
    1. Part 2. Forensics Team
    2. Section 10. Forensics Process
      1. Prepare
      2. Identify
      3. Preserve
      4. Select
      5. Examine
      6. Classify
      7. Analyze
      8. Present
    3. Section 11. Forensics Team Requirements Members
      1. Member Criteria
      2. Member Expertise
      3. Member Certification
    4. Section 12. Forensics Team Policies and Procedures
      1. Forensics Analysis Process
      2. Data Collection
      3. Chain of Custody
      4. Evidence Handling and Control
      5. Evidence “Hand-over” to External Parties, LEO
      6. Hardware Specific Acquisition—SIM Cards, Cell Phone, USB Storage, etc.
      7. Data Type Acquisition—Audio Files, Video Files, Image Files, Network Files, Log Files
      8. Investigation Process
      9. Examination Process
      10. Data Review
      11. Research Requirements
      12. Forensics Reporting
      13. Analysis of Results
      14. Expert Witness Process
    5. Section 13. Management of Forensics Evidence Handling
      1. Chain of Evidence
      2. US Federal Rules of Civil Procedure
      3. UK Civil Procedure Rules
    6. Section 14. Forensics Tools
      1. Types of Forensics Tools
      2. Tools for Specific Operating Systems and Platforms
    7. Section 15. Legalities of Forensics
      1. Reasons for Legal, Statutory, and Regulatory Compliance
      2. US Criteria, Laws, and Regulations
      3. EU Criteria, Laws, and Regulations
    8. Section 16. Forensics Team Oversight
      1. Investigator’s Code of Conduct
      2. Use of Templates for Information Recording
  11. Part 3: General Management and Team
    1. Part 3. General Management and Team
      1. External Considerations
    2. Section 17. General Team Management
      1. Corporate Level Management Considerations
      2. Corporate Needs to Support the Team Activities
      3. Third-Party Support During and After Events
    3. Section 18. Corporate IT-Related Security Relationship with SIR&FT
      1. Basic IT Control and Security Areas of Interest
    4. Section 19. Relationship Management
    5. Section 20. Conclusion
      1. The Incident Response Team
      2. The Forensics Team
      3. Final Words
  12. Appendix A. References
    1. Incident Response Online Resources
  13. Appendix B. Relevant Incident Response and Forensics Publications from Governmental Agencies and Organizations
    1. US
    2. EU
  14. Appendix C. Forensics Team Templates
  15. Index