Unlike other incident response books, this one has all the technical details.
With just this book and the equipment the authors recommend, one can start doing computer forensics after two hours of reading. The focus is on technology and on the process of response and forensics.
The authors also cover preparation for incident response in great detail, from measures such as secure and auditable host configuration, system logging and network access control, up to acquiring the forensics workstation and assembling the toolkit.
The response procedures cover general techniques for any computer incident and then go into platform-specific details. The useful distinction between initial response and investigation is drawn: the reader will know what to do when confronted with a freshly hacked box, and will also learn how to approach a hard disk pulled from a dishonest employee's workstation.
The advanced network monitoring section is simply brilliant: catching the bad guys who use SYN-less TCP communication or ICMP tunneling certainly presents a fun challenge for ‘cybercops.’ Application-specific tips will be useful for many as well. Nowadays everybody knows that a Word document identifies its creator, but did you know that the MAC address of the network card in the machine it was written on is also recorded in the file and can be extracted by a forensics expert?
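As an added example (not code from the book or from this review), here are the two monitoring checks the paragraph mentions, run over a small constructed packet list: TCP flows that never show a SYN in the capture, and ICMP echo traffic that looks like a tunnel (oversized payloads, payloads that change from packet to packet, and echo replies nobody requested). The packet records, IP addresses, the 16-byte timestamp prefix that a normal ping puts at the start of its payload, and the 64-byte size threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One captured packet, reduced to the fields the checks need."""
    ts: float
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP only
    dport: int = 0        # TCP only
    flags: str = ""       # TCP flags as letters: S=SYN A=ACK P=PSH F=FIN R=RST
    icmp_type: int = -1   # ICMP only: 8 = echo request, 0 = echo reply
    payload: bytes = b""  # ICMP only


PING_FILL = bytes(range(0x10, 0x38))  # assumed fixed fill pattern of a normal ping


def _ping(i, src, dst, icmp_type, ts):
    # Constructed normal ping: 16-byte timestamp (changes per packet) + fixed fill.
    return Pkt(ts, "icmp", src, dst, icmp_type=icmp_type,
               payload=i.to_bytes(16, "big") + PING_FILL)


def _tunnel(i, src, dst, icmp_type, ts):
    # Constructed tunnelled data: oversized and different in every packet.
    return Pkt(ts, "icmp", src, dst, icmp_type=icmp_type,
               payload=bytes((i * 7 + k) % 256 for k in range(200)))


# Constructed sample capture (addresses are placeholders).
SAMPLE = [
    # ordinary HTTP session with a full three-way handshake
    Pkt(1.0, "tcp", "10.0.0.1", "10.0.0.2", 40000, 80, "S"),
    Pkt(1.1, "tcp", "10.0.0.2", "10.0.0.1", 80, 40000, "SA"),
    Pkt(1.2, "tcp", "10.0.0.1", "10.0.0.2", 40000, 80, "A"),
    Pkt(1.3, "tcp", "10.0.0.1", "10.0.0.2", 40000, 80, "PA"),
    # a "session" that simply starts mid-stream: no SYN ever seen
    Pkt(2.0, "tcp", "10.0.0.3", "10.0.0.4", 1234, 5555, "PA"),
    Pkt(2.1, "tcp", "10.0.0.4", "10.0.0.3", 5555, 1234, "A"),
    # three ordinary pings and their replies
    *[_ping(i, "10.0.0.1", "10.0.0.2", 8, 3.0 + i) for i in range(3)],
    *[_ping(i, "10.0.0.2", "10.0.0.1", 0, 3.05 + i) for i in range(3)],
    # ICMP tunnel: big, ever-changing echo requests and one reply of the same kind
    *[_tunnel(i, "10.0.0.5", "192.0.2.10", 8, 4.0 + i) for i in range(3)],
    _tunnel(9, "192.0.2.10", "10.0.0.5", 0, 4.5),
    # an echo reply that nobody asked for
    _ping(0, "10.0.0.7", "10.0.0.8", 0, 5.0),
]


def _flow_key(p):
    """Direction-independent (ip, port) pair so both halves of a session share a key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def synless_tcp_flows(pkts):
    """Flows whose first packet in the capture carries no SYN: either the session
    predates the capture, or the endpoints never perform a handshake at all."""
    first = {}
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.proto == "tcp":
            first.setdefault(_flow_key(p), p)
    return sorted(k for k, p in first.items() if "S" not in p.flags)


def suspicious_icmp(pkts, max_payload=64, ts_prefix=16):
    """Return (reason, src, dst) findings for echo traffic that looks tunnelled:
    payload bigger than a normal ping, echo requests whose payload (after the
    assumed timestamp prefix) keeps changing, and replies with no prior request."""
    findings = []
    requests_seen = set()
    tails = defaultdict(set)
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.proto != "icmp":
            continue
        if p.icmp_type == 8:
            requests_seen.add((p.src, p.dst))
            tails[(p.src, p.dst)].add(p.payload[ts_prefix:])
        if len(p.payload) > max_payload:
            findings.append(("oversized payload", p.src, p.dst))
        if p.icmp_type == 0 and (p.dst, p.src) not in requests_seen:
            findings.append(("unsolicited echo reply", p.src, p.dst))
    for (src, dst), seen in tails.items():
        if len(seen) > 1:
            findings.append(("varying echo payload", src, dst))
    return findings


if __name__ == "__main__":
    for flow in synless_tcp_flows(SAMPLE):
        print("SYN-less TCP flow:", flow)
    for finding in suspicious_icmp(SAMPLE):
        print("ICMP:", *finding)
```

The SYN-less check is only meaningful if the capture started before the sessions of interest; anything established earlier will be flagged too, so run it against a capture that spans the whole observation window or correlate with an earlier one. The payload-variation check is the one that survives different ping implementations, because every normal ping keeps the same fill while a tunnel has to change it to carry data.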
While definitely not giving legal advice, the authors also go through many of the cybercrime regulations and relevant laws. For example, did you know that it is fine for your system administrator to monitor the firewall logs to see LAN traffic, but illegal for a law enforcement agent to do the same without a court order? On the other hand, if the administrator does it in violation of company policy, that is illegal as well. The evidence collection and preservation methods are also enlightening. To navigate the maze of what is allowed and what is not, read the book.
The book, as the authors suggest, is useful not only for security professionals but for law enforcement as well. That is supported by plenty of background material, such as TCP header formats and file system basics.
Book: Incident Response: Investigating Computer Crime
Authors: Kevin Mandia and Chris Prosise
Publisher: Osborne McGraw-Hill, 2001
List price: $39.99
Paperback, 520 pages
Anton Chuvakin (www.info-secure.org; www.chuvakin.org) is an expert in several areas of information security (network security, Linux firewalling, UNIX hardening, security administration, etc) and has written many articles on information security. He is now looking for an information security position, preferably in the R&D area.