Incident Response: Computer Forensics Toolkit
Author: Douglas Schweitzer
Available for download is chapter 1 entitled “Computer Forensics and Incident Response Essentials”.
At the end of every year I read reports on almost all computer security related news outlets that promise more incidents, vulnerabilities and viruses in the upcoming year. They all say that security has never been weaker and that we’re up for some really bad days. One of the things that you can do to assure the safety of your network is to be prepared, for anything. This book promises to prepare you to efficiently respond to an incident, discover what happened and secure your system for the future. Does it deliver? Read on and find out.
About the author
Douglas Schweitzer is an Internet security specialist and authority on malicious code and computer forensics. He is a Cisco Certified Network Associate and Certified Internet Webmaster Associate, and holds A+, Network+, and i-Net+ certifications. Schweitzer is also the author of “Internet Security Made Easy” and “Securing the Network from Malicious Code”.
Inside the book
The book begins with a clarification of what computer crime is, what computer forensics is, and the importance of incident response. Schweitzer also notes the types of incidents according to the Federal Computer Incident Response Center (FedCIRC). Once the very basics are covered, you move on to discover the first chapter that covers computer forensics and incident response essentials. The author shows you how to recognize the signs of an incident, introduces the computer security incident response team, teaches you how to build an incident response and forensics toolkit, and much more. The tools introduced here are SuperScan and RegCleaner.
Chapter two covers the pros and cons of dealing with law enforcement. Schweitzer offers a brief primer of the Freedom of Information Act, an overview of Federal computer crimes and laws, etc. This is not a large chapter but it does provide enough information to get you started.
In order to be efficient when a network intrusion occurs, you have to realize that it can happen and you have to be adequately prepared. The author shows you how to get prepared and how to properly respond when an incident occurs. The topics covered in this chapter include: auditing, logging, imaging hard drives, identifying network devices, and more.
What follows is an overview of the Windows registry as well as its role in incident response. You learn how to view, edit and collect registry data. Schweitzer gives you an understanding of data storage and the Windows recycle bin before moving on to discuss the analysis and detection of malicious code. This is where the book gets truly interesting as the author writes about abnormal system processes, rootkits, backdoors and network sniffers. As for software titles, mentioned here are Process Explorer, PromiscDetect, Nmap, and others.
A forensic investigator has to uncover various types of data in order to conduct an efficient investigation. Schweitzer covers a lot of ground as he shows you how to examine the Windows swap file, recover evidence from the browser cache, locate hidden data, and other related material. Every craftsman needs good tools so no wonder the author mentions software titles he deems to be the best for the job: Cain & Abel, Ultimate ZIP Cracker, BinText, Disk Investigator, etc. Provided with the descriptions of the tools are the links to the websites where you can obtain them.
Having the right tool alone is not enough. Schweitzer moves on to illustrate the correct procedures for collecting and preserving evidence. You don’t learn only about the technical details but also about the legal requirements for collecting electronic evidence. Due to the different types of information, the order of collection is very important as is the understanding of evidence volatility. One of the most popular ways of gathering evidence is certainly by using packet sniffers. Mentioned are: Ethereal, NGSSniff, Snort and AnalogX PacketMon. Described in more detail is The Coroner’s Toolkit by Dan Farmer and Wietse Venema, also included on the CD-ROM.
The author continues as he writes about choices by discussing what to do after an incident occurs. You get an overview of the quarantine and containment procedures and see the pros and cons of certain actions that have to be taken upon the discovery of an incident. Here you also find tips on how to increase security awareness within the company and proper password procedures.
If you want to react properly to an emergency, you must have a disaster recovery plan that provides well defined procedures and other detailed information in order to help you with critical decisions. Schweitzer notes the importance of advanced planning of a disaster recovery plan, incident recordkeeping, UPS devices and backup procedures.
There’s a myriad of different types of incidents that you need to learn to defend yourself from. The author teaches you how to respond to hacker, cracker and malicious code attacks, and provides and understanding of industrial espionage. In the past year there have been many news stories covering cracking incidents involving people from inside the company and the public has begun to realize the threat insiders pose to the overall security architecture. The author covers this growing threat by showing you how to defend against insider attacks.
Now that you know what threats you’re facing and how to react to them, it’s time to audit your systems and increase security in order to diminish the possibility of future attacks. Schweitzer covers the auditing of workstations and servers, underlines the benefits of penetration testing and you learn how to build security policy checklists.
The last chapter of the book analyzes real world attacks and you get a list of websites you can visit for up to date information. The appendices provide a list of commonly attacked ports, a field guidance on USA Patriot Act 2001 and details on computer records and the Federal rules of evidence.
About the CD-ROM
The CD-ROM is, as always, an excellent addition to the book. It contains a plethora of checklists (for data collection, evidence conservation, etc.), many software titles and a PDF version of the book. This is very useful since you can take it with you on the field and search its contents when you need a specific piece of information.
My 2 cents
Schweitzer managed to put together a book that’s not only easy to follow but packed with wisely chosen information. Backed up by a CD and an electronic version of the book, “Incident Response: Computer Forensics Toolkit” is a valuable resource for every computer security professional yet still friendly with inexperienced users as it’s easy to understand.