Incident Response and Computer Forensics, 2nd Ed

ISBN-10: 007222696X

ISBN-13: 9780072226966

Edition: 2nd 2003 (Revised)

Authors: Kevin Mandia, Chris Prosise

List price: $59.00

This guide, written with the help of insider FBI information, discusses how to respond to hacker attacks after they occur. It includes real case scenarios with insightful tips on how to respond and gives an insider's perspective on the incident response process.

Book details

Edition: 2nd
Copyright year: 2003
Publisher: McGraw-Hill Osborne
Publication date: 7/17/2003
Binding: Paperback
Pages: 544
Size: 7.50" wide x 9.00" long x 1.25" tall
Weight: 0.396
Language: English

Foreword
Acknowledgments
Introduction

Introduction
    Real-World Incidents
        Factors Affecting Response
        International Crime
        Traditional Hacks
        So What?
    Introduction to the Incident Response Process
        What Is a Computer Security Incident?
        What Are the Goals of Incident Response?
        Who Is Involved in the Incident Response Process?
        Incident Response Methodology
        So What?
        Questions
    Preparing for Incident Response
        Overview of Pre-incident Preparation
        Identifying Risk
        Preparing Individual Hosts
        Preparing a Network
        Establishing Appropriate Policies and Procedures
        Creating a Response Toolkit
        Establishing an Incident Response Team
        So What?
        Questions
    After Detection of an Incident
        Overview of the Initial Response Phase
        Establishing an Incident Notification Procedure
        Recording the Details after Initial Detection
        Incident Declaration
        Assembling the CSIRT
        Performing Traditional Investigative Steps
        Conducting Interviews
        Formulating a Response Strategy
        So What?
        Questions

Data Collection
    Live Data Collection from Windows Systems
        Creating a Response Toolkit
        Storing Information Obtained during the Initial Response
        Obtaining Volatile Data
        Performing an In-Depth Live Response
        Is Forensic Duplication Necessary?
        So What?
        Questions
    Live Data Collection from Unix Systems
        Creating a Response Toolkit
        Storing Information Obtained During the Initial Response
        Obtaining Volatile Data Prior to Forensic Duplication
        Performing an In-Depth, Live Response
        So What?
        Questions
    Forensic Duplication
        Forensic Duplicates As Admissible Evidence
        Forensic Duplication Tool Requirements
        Creating a Forensic Duplicate of a Hard Drive
        Creating a Qualified Forensic Duplicate of a Hard Drive
        So What?
        Questions
    Collecting Network-based Evidence
        What Is Network-based Evidence?
        What Are the Goals of Network Monitoring?
        Types of Network Monitoring
        Setting Up a Network Monitoring System
        Performing a Trap-and-Trace
        Using tcpdump for Full-Content Monitoring
        Collecting Network-based Log Files
        So What?
        Questions
    Evidence Handling
        What Is Evidence?
        The Challenges of Evidence Handling
        Overview of Evidence-Handling Procedures
        So What?
        Questions

Data Analysis
    Computer System Storage Fundamentals
        Hard Drives and Interfaces
        Preparation of Hard Drive Media
        Introduction to File Systems and Storage Layers
        So What?
        Questions
    Data Analysis Techniques
        Preparation for Forensic Analysis
        Restoring a Forensic Duplicate
        Preparing a Forensic Duplication for Analysis in Linux
        Reviewing Image Files with Forensic Suites
        Converting a Qualified Forensic Duplicate to a Forensic Duplicate
        Recovering Deleted Files on Windows Systems
        Recovering Unallocated Space, Free Space, and Slack Space
        Generating File Lists
        Preparing a Drive for String Searches
        So What?
        Questions
    Investigating Windows Systems
        Where Evidence Resides on Windows Systems
        Conducting a Windows Investigation
        File Auditing and Theft of Information
        Handling the Departing Employee
        So What?
        Questions
    Investigating Unix Systems
        An Overview of the Steps in a Unix Investigation
        Reviewing Pertinent Logs
        Performing Keyword Searches
        Reviewing Relevant Files
        Identifying Unauthorized User Accounts or Groups
        Identifying Rogue Processes
        Checking for Unauthorized Access Points
        Analyzing Trust Relationships
        Detecting Trojan Loadable Kernel Modules
        So What?
        Questions
    Analyzing Network Traffic
        Finding Network-Based Evidence
        Generating Session Data with tcptrace
        Reassembling Sessions Using tcpflow
        Reassembling Sessions Using Ethereal
        Refining tcpdump Filters
        So What?
        Questions
    Investigating Hacker Tools
        What Are the Goals of Tool Analysis?
        How Files Are Compiled
        Static Analysis of a Hacker Tool
        Dynamic Analysis of a Hacker Tool
        So What?
        Questions
    Investigating Routers
        Obtaining Volatile Data Prior to Powering Down
        Finding the Proof
        Using Routers as Response Tools
        So What?
        Questions
    Writing Computer Forensic Reports
        What Is a Computer Forensics Report?
        Report Writing Guidelines
        A Template for Computer Forensic Reports
        So What?
        Questions

Appendixes
    Answers to Questions
        Chapter 2
        Chapter 3
        Chapter 4
        Chapter 5
        Chapter 6
        Chapter 7
        Chapter 8
        Chapter 9
        Chapter 10
        Chapter 11
        Chapter 12
        Chapter 13
        Chapter 14
        Chapter 15
        Chapter 16
        Chapter 17
    Incident Response Forms

Index