Foreword
Acknowledgments
Introduction

Introduction
    Real-World Incidents
        Factors Affecting Response
        International Crime
        Traditional Hacks
        So What?
    Introduction to the Incident Response Process
        What Is a Computer Security Incident?
        What Are the Goals of Incident Response?
        Who Is Involved in the Incident Response Process?
        Incident Response Methodology
        So What?
        Questions
    Preparing for Incident Response
        Overview of Pre-incident Preparation
        Identifying Risk
        Preparing Individual Hosts
        Preparing a Network
        Establishing Appropriate Policies and Procedures
        Creating a Response Toolkit
        Establishing an Incident Response Team
        So What?
        Questions
    After Detection of an Incident
        Overview of the Initial Response Phase
        Establishing an Incident Notification Procedure
        Recording the Details after Initial Detection
        Incident Declaration
        Assembling the CSIRT
        Performing Traditional Investigative Steps
        Conducting Interviews
        Formulating a Response Strategy
        So What?
        Questions

Data Collection
    Live Data Collection from Windows Systems
        Creating a Response Toolkit
        Storing Information Obtained during the Initial Response
        Obtaining Volatile Data
        Performing an In-Depth Live Response
        Is Forensic Duplication Necessary?
        So What?
        Questions
    Live Data Collection from Unix Systems
        Creating a Response Toolkit
        Storing Information Obtained during the Initial Response
        Obtaining Volatile Data Prior to Forensic Duplication
        Performing an In-Depth Live Response
        So What?
        Questions
    Forensic Duplication
        Forensic Duplicates as Admissible Evidence
        Forensic Duplication Tool Requirements
        Creating a Forensic Duplicate of a Hard Drive
        Creating a Qualified Forensic Duplicate of a Hard Drive
        So What?
        Questions
    Collecting Network-based Evidence
        What Is Network-based Evidence?
        What Are the Goals of Network Monitoring?
        Types of Network Monitoring
        Setting Up a Network Monitoring System
        Performing a Trap-and-Trace
        Using tcpdump for Full-Content Monitoring
        Collecting Network-based Log Files
        So What?
        Questions
    Evidence Handling
        What Is Evidence?
        The Challenges of Evidence Handling
        Overview of Evidence-Handling Procedures
        So What?
        Questions

Data Analysis
    Computer System Storage Fundamentals
        Hard Drives and Interfaces
        Preparation of Hard Drive Media
        Introduction to File Systems and Storage Layers
        So What?
        Questions
    Data Analysis Techniques
        Preparation for Forensic Analysis
        Restoring a Forensic Duplicate
        Preparing a Forensic Duplication for Analysis in Linux
        Reviewing Image Files with Forensic Suites
        Converting a Qualified Forensic Duplicate to a Forensic Duplicate
        Recovering Deleted Files on Windows Systems
        Recovering Unallocated Space, Free Space, and Slack Space
        Generating File Lists
        Preparing a Drive for String Searches
        So What?
        Questions
    Investigating Windows Systems
        Where Evidence Resides on Windows Systems
        Conducting a Windows Investigation
        File Auditing and Theft of Information
        Handling the Departing Employee
        So What?
        Questions
    Investigating Unix Systems
        An Overview of the Steps in a Unix Investigation
        Reviewing Pertinent Logs
        Performing Keyword Searches
        Reviewing Relevant Files
        Identifying Unauthorized User Accounts or Groups
        Identifying Rogue Processes
        Checking for Unauthorized Access Points
        Analyzing Trust Relationships
        Detecting Trojan Loadable Kernel Modules
        So What?
        Questions
    Analyzing Network Traffic
        Finding Network-Based Evidence
        Generating Session Data with tcptrace
        Reassembling Sessions Using tcpflow
        Reassembling Sessions Using Ethereal
        Refining tcpdump Filters
        So What?
        Questions
    Investigating Hacker Tools
        What Are the Goals of Tool Analysis?
        How Files Are Compiled
        Static Analysis of a Hacker Tool
        Dynamic Analysis of a Hacker Tool
        So What?
        Questions
    Investigating Routers
        Obtaining Volatile Data Prior to Powering Down
        Finding the Proof
        Using Routers as Response Tools
        So What?
        Questions
    Writing Computer Forensic Reports
        What Is a Computer Forensics Report?
        Report Writing Guidelines
        A Template for Computer Forensic Reports
        So What?
        Questions

Appendixes
    Answers to Questions
        Chapter 2
        Chapter 3
        Chapter 4
        Chapter 5
        Chapter 6
        Chapter 7
        Chapter 8
        Chapter 9
        Chapter 10
        Chapter 11
        Chapter 12
        Chapter 13
        Chapter 14
        Chapter 15
        Chapter 16
        Chapter 17
    Incident Response Forms

Index