You are previewing Incident Response & Computer Forensics, 2nd Ed..
O'Reilly logo
Incident Response & Computer Forensics, 2nd Ed.

Book Description

Written by FBI insiders, this updated best-seller offers a look at the legal, procedural, and technical steps of incident response and computer forensics. Including new chapters on forensic analysis and remediation, and real-world case studies, this revealing book shows how to counteract and conquer today’s hack attacks.

Table of Contents

  1. Cover 
  2. Half Title
  3. Title
  4. Copyright
  5. Dedication
  6. About the Authors
  7. At a Glance
  8. Contents 
  9. Foreword
  10. Acknowledgments
  11. Introduction
  12. Part I: Introduction
    1. Real-World Incidents
      1. Factors Affecting Response
      2. International Crime
        1. Welcome to Invita
        2. The PathStar Conspiracy
      3. Traditional Hacks
      4. So What?
    2. Introduction to the Incident Response Process
      1. What Is a Computer Security Incident
      2. What Are the Goals of Incident Response?
      3. Who Is Involved in the Incident Response Process?
      4. Incident Response Methodology
        1. Pre-Incident Preparation
        2. Detection of Incidents
        3. Initial Response
        4. Formulate a Response Strategy
        5. Investigate the Incident
        6. Reporting
        7. Resolution
      5. So What?
      6. Questions
    3. Preparing for Incident Response
      1. Overview of Pre-incident Preparation
      2. Identifying Risk
      3. Preparing Individual Hosts
        1. Recording Cryptographic Checksums of Critical Files
        2. Increasing or Enabling Secure Audit Logging
        3. Building Up Your Host’s Defenses
        4. Backing Up Critical Data
        5. Educating Your Users about Host-Based Security
      4. Preparing a Network
        1. Installing Firewalls and Intrusion Detection Systems
        2. Using Access Control Lists on Your Routers
        3. Creating a Network Topology Conducive to Monitoring
        4. Encrypting Network Traffic
        5. Requiring Authentication
      5. Establishing Appropriate Policies and Procedures
        1. Determining Your Response Stance
        2. Understanding How Policies Can Aid Investigative Steps
        3. Developing Acceptable Use Policies
        4. Designing AUPs
        5. Developing Incident Response Procedures
      6. Creating a Response Toolkit
        1. The Response Hardware
        2. The Response Software
        3. The Networking Monitoring Platform
        4. Documentation
      7. Establishing an Incident Response Team
        1. Deciding on the Team’s Mission
        2. Training the Team
      8. So What?
      9. Questions
    4. After Detection of an Incident
      1. Overview of the Initial Response Phase
        1. Obtaining Preliminary Information
        2. Documenting Steps to Take
      2. Establishing an Incident Notification Procedure
      3. Recording the Details after Initial Detection
        1. Initial Response Checklists
        2. Case Notes
      4. Incident Declaration
      5. Assembling the CSIRT
        1. Determining Escalation Procedures
        2. Implementing Notification Procedures
        3. Scoping an Incident and Assembling the Appropriate Resources
      6. Performing Traditional Investigative Steps
      7. Conducting Interviews
        1. Getting Contact Information
        2. Interviewing System Administrators
        3. Interviewing Managers
        4. Interviewing End Users
      8. Formulating a Response Strategy
        1. Response Strategy Considerations
        2. Policy Verification
      9. So What?
      10. Questions
  13. Part II: Data Collection
    1. Live Data Collection from Windows Systems
      1. Creating a Response Toolkit
        1. Gathering the Tools
        2. Preparing the Toolkit
      2. Storing Information Obtained during the Initial Response
        1. Transferring Data with netcat
        2. Encrypting Data with cryptcat
      3. Obtaining Volatile Data
        1. Organizing and Documenting Your Investigation
        2. Collecting Volatile Data
        3. Scripting Your Initial Response
      4. Performing an In-Depth Live Response
        1. Collecting the Most Volatile Data
        2. Creating an In-Depth Response To
        3. Collecting Live Response Data
      5. Is Forensic Duplication Necessary?
      6. So What?
      7. Questions
    2. Live Data Collection from Unix
      1. Creating a Response Toolkit
      2. Storing Information Obtained During the Initial Response
      3. Obtaining Volatile Data Prior to Forensic Duplication
        1. Collecting the Data
        2. Scripting Your Initial Response
      4. Performing an In-Depth, Live Response
        1. Detecting Loadable Kernel Module Rootkits
        2. Obtaining the System Logs During Live Response
        3. Obtaining Important Configuration Files
        4. Discovering Illicit Sniffers on Unix Systems
        5. Reviewing the /Proc File System
        6. Dumping System RAM
      5. So What?
      6. Questions
    3. Forensic Duplication
      1. Forensic Duplicates As Admissible Evidence
        1. What Is a Forensic Duplicate?
        2. What Is a Qualified Forensic Duplicate?
        3. What Is a Restored Image?
        4. What Is a Mirror Image?
      2. Forensic Duplication Tool Requirements
      3. Creating a Forensic Duplicate of a Hard Drive
        1. Duplicating with dd and dcfldd
        2. Duplicating with the Open Data Duplicator (ODD)
      4. Creating a Qualified Forensic Duplicate of a Hard Drive
        1. Creating a Boot Disk
        2. Creating a Qualified Forensic Duplicate with SafeBack
        3. Creating a Qualified Forensic Duplicate with EnCase
      5. So What?
      6. Questions
    4. Collecting Network-based Evidence
      1. What Is Network-based Evidence?
      2. What Are the Goals of Network Monitoring?
      3. Types of Network Monitoring
        1. Event Monitoring
        2. Trap-and-Trace Monitoring
        3. Full-Content Monitoring
      4. Setting Up a Network Monitoring System
        1. Determining Your Goals
        2. Choosing Appropriate Hardware
        3. Choosing Appropriate Software
        4. Deploying the Network Monitor
        5. Evaluating Your Network Monitor
      5. Performing a Trap-and-Trac
        1. Initiating a Trap-and-Trace with tcpdump
        2. Performing a Trap-and-Trace with WinDump
        3. Creating a Trap-and-Trace Output File
      6. Using tcpdump for Full-Content Monitoring
        1. Filtering Full-Content Data
        2. Maintaining Your Full-Content Data Files
      7. Collecting Network-based Log Files
      8. So What?
      9. Questions
    5. Evidence Handling
      1. What Is Evidence?
        1. The Best Evidence Rule
        2. Original Evidence
      2. The Challenges of Evidence Handling
        1. Authentication of Evidence
        2. Chain of Custody
        3. Evidence Validation
      3. Overview of Evidence-Handling Procedures
        1. Evidence System Description
        2. Digital Photos
        3. Evidence Tags
        4. Evidence Labels
        5. Evidence Storage
        6. The Evidence Log
        7. Working Copies
        8. Evidence Backups
        9. Evidence Disposition
        10. Evidence Custodian Audits
      4. So What?
      5. Questions
  14. Part III: Data Analysis
    1. Computer System Storage Fundamentals
      1. Hard Drives and Interfaces
        1. The Swiftly Moving ATA Standard
        2. SCSI (Not Just a Bad-Sounding Word)
      2. Preparation of Hard Drive Media
        1. Wiping Storage Media
        2. Partitioning and Formatting Storage Drives
      3. Introduction to File Systems and Storage Layers
        1. The Physical Layer
        2. The Data Classification Layer
        3. The Allocation Units Layer
        4. The Storage Space Management Layer
        5. The Information Classification and Application-level Storage Layers
      4. So What?
      5. Questions
    2. Data Analysis Techniques
      1. Preparation for Forensic Analysis
      2. Restoring a Forensic Duplicate
        1. Restoring a Forensic Duplication of a Hard Disk
        2. Restoring a Qualified Forensic Duplication of a Hard Disk
      3. Preparing a Forensic Duplication for Analysis In Linux
        1. Examining the Forensic Duplicate File
        2. Associating the Forensic Duplicate File with the Linux Loopback Device
      4. Reviewing Image Files with Forensic Suites
        1. Reviewing Forensic Duplicates in EnCase
        2. Reviewing Forensic Duplicates in the Forensic Toolkit
      5. Converting a Qualified Forensic Duplicate to a Forensic Duplicate
      6. Recovering Deleted Files on Windows Systems
        1. Using Windows-Based Tools To Recover Files on FAT File Systems
        2. Using Linux Tools To Recover Files on FAT File Systems
        3. Running Autopsy as a GUI for File Recovery
        4. Using Foremost to Recover Lost Files
        5. Recovering Deleted Files on Unix Systems
      7. Recovering Unallocated Space, Free Space, and Slack Space
      8. Generating File Lists
        1. Listing File Metadata
        2. Identifying Known System Files
      9. Preparing a Drive for String Searches
        1. Performing String Searches
      10. So What?
      11. Questions
    3. Investigating Windows Systems
      1. Where Evidence Resides on Windows Systems
      2. Conducting a Windows Investigation
        1. Reviewing All Pertinent Logs
        2. Performing Keyword Searches
        3. Reviewing Relevant Files
        4. Identifying Unauthorized User Accounts or Groups
        5. Identifying Rogue Processes
        6. Looking for Unusual or Hidden Files
        7. Checking for Unauthorized Access Points
        8. Examining Jobs Run by the Scheduler Service
        9. Analyzing Trust Relationships
        10. Reviewing Security Identifiers (SIDs)
      3. File Auditing and Theft of Information
      4. Handling the Departing Employee
        1. Reviewing Searches and Files Used
        2. Conducting String Searches on Hard Drives
      5. So What?
      6. Questions
    4. Investigating Unix Systems
      1. An Overview of the Steps in a Unix Investigation
      2. Reviewing Pertinent Logs
        1. Network Logging
        2. Host Logging
        3. User Activity Logging
      3. Performing Keyword Searches
        1. String Searches with grep
        2. File Searches with find
      4. Reviewing Relevant Files
        1. Incident Time and Time/Date Stamps
        2. Special Files
      5. Identifying Unauthorized User Accounts or Groups
        1. User Account Investigation
        2. Group Account Investigation
      6. Identifying Rogue Processes
      7. Checking for Unauthorized Access Points
      8. Analyzing Trust Relationships
      9. Detecting Trojan Loadable Kernel Modules
        1. LKMs on Live Systems
        2. LKM Elements
        3. LKM Detection Utilities
      10. So What?
      11. Questions
    5. Analyzing Network Traffic
      1. Finding Network-Based Evidence
        1. Tools for Network Traffic Analysis
        2. Reviewing Network Traffic Collected with tcpdump
      2. Generating Session Data with tcptrace
        1. Parsing a Capture File
        2. Interpreting the tcptrace Output
        3. Using Snort to Extract Event Data
        4. Checking for SYN Packets
        5. Interpreting the Snort Output
      3. Reassembling Sessions Using tcpflow
        1. Focusing on FTP Sessions
        2. Interpreting the tcpflow Output
        3. Reviewing SSH Sessions
      4. Reassembling Sessions Using Ethereal
      5. Refining tcpdump Filters
      6. So What?
      7. Questions
    6. Investigating Hacker Tools
      1. What Are the Goals of Tool Analysis?
      2. How Files Are Compiled
        1. Statically Linked Programs
        2. Dynamically Linked Programs
        3. Programs Compiled with Debug Options
        4. Stripped Programs
        5. Programs Packed with UPX
        6. Compilation Techniques and File Analysis
      3. Static Analysis of a Hacker Tool
        1. Determining the Type of File
        2. Reviewing the ASCII and Unicode Strings
        3. Performing Online Research
        4. Performing Source Code Review
      4. Dynamic Analysis of a Hacker Tool
        1. Creating the Sandbox Environment
        2. Dynamic Analysis on a Unix System
        3. Dynamic Analysis on a Windows System
      5. So What?
      6. Questions
    7. Investigating Routers
      1. Obtaining Volatile Data Prior to Powering Down
        1. Establishing a Router Connection
        2. Recording System Time
        3. Determining Who Is Logged On
        4. Determining the Router’s Uptime
        5. Determining Listening Sockets
        6. Saving the Router Configuration
        7. Reviewing the Routing Table
        8. Checking Interface Configurations
        9. Viewing the ARP Cache
      2. Finding the Proof
        1. Handling Direct-Compromise Incidents
        2. Handling Routing Table Manipulation Incidents
        3. Handling Theft of Information Incidents
        4. Handling Denial-of-Service (DoS) Attacks
      3. Using Routers as Response Tools
        1. Understanding Access Control Lists (ACLs)
        2. Monitoring with Routers
        3. Responding to DDoS Attacks
      4. So What?
      5. Questions
    8. Writing Computer Forensic Reports
      1. What Is a Computer Forensics Report?
        1. What Is an Expert Report?
        2. Report Goals
      2. Report Writing Guidelines
        1. Document Investigative Steps Immediately and Clearly
        2. Know the Goals of Your Analysis
        3. Organize Your Report
        4. Follow a Template
        5. Use Consistent Identifiers
        6. Use Attachments and Appendixes
        7. Have Co-workers Read Your Reports
        8. Use MD5 Hashes
        9. Include Metadata
      3. A Template for Computer Forensic Reports
        1. Executive Summary
        2. Objectives
        3. Computer Evidence Analyzed
        4. Relevant Findings
        5. Supporting Details
        6. Investigative Leads
        7. Additional Report Subsections
      4. So What?
      5. Questions
  15. Part IV: Appendixes
    1. Answers to Questions
    2. Incident Response Forms
    3. Index
  16. International Contact Information
  17. About The Companion Web Site
  18. Foundstone
  19. Advertisement
  20. About the Author