by Chris Prosise, Kevin Mandia
Incident Response & Computer Forensics, 2nd Ed.
About the Authors
Contents
Foreword
Introduction
Part I: Introduction
Real-World Incidents
Factors Affecting Response
International Crime
Welcome to Invita
The PathStar Conspiracy
Traditional Hacks
So What?
Preparing for Incident Response
Overview of Pre-incident Preparation
Identifying Risk
Preparing Individual Hosts
Recording Cryptographic Checksums of Critical Files
Increasing or Enabling Secure Audit Logging
Building Up Your Host's Defenses
Backing Up Critical Data
Educating Your Users about Host-Based Security
Preparing a Network
Installing Firewalls and Intrusion Detection Systems
Using Access Control Lists on Your Routers
Creating a Network Topology Conducive to Monitoring
Encrypting Network Traffic
Requiring Authentication
Establishing Appropriate Policies and Procedures
Determining Your Response Stance
Understanding How Policies Can Aid Investigative Steps
Developing Acceptable Use Policies
Designing AUPs
Developing Incident Response Procedures
Creating a Response Toolkit
The Response Hardware
The Response Software
The Networking Monitoring Platform
Documentation
Establishing an Incident Response Team
Deciding on the Team's Mission
Training the Team
So What?
Questions
Part II: Data Collection
Live Data Collection from Windows Systems
Creating a Response Toolkit
Gathering the Tools
Preparing the Toolkit
Storing Information Obtained during the Initial Response
Transferring Data with netcat
Encrypting Data with cryptcat
Obtaining Volatile Data
Organizing and Documenting Your Investigation
Collecting Volatile Data
Scripting Your Initial Response
Performing an In-Depth Live Response
Collecting the Most Volatile Data
Creating an In-Depth Response To
Collecting Live Response Data
Is Forensic Duplication Necessary?
So What?
Questions
Live Data Collection from Unix
Creating a Response Toolkit
Storing Information Obtained During the Initial Response
Obtaining Volatile Data Prior to Forensic Duplication
Collecting the Data
Scripting Your Initial Response
Performing an In-Depth, Live Response
Detecting Loadable Kernel Module Rootkits
Obtaining the System Logs During Live Response
Obtaining Important Configuration Files
Discovering Illicit Sniffers on Unix Systems
Reviewing the /proc File System
Dumping System RAM
So What?
Questions
Forensic Duplication
Forensic Duplicates As Admissible Evidence
What Is a Forensic Duplicate?
What Is a Qualified Forensic Duplicate?
What Is a Restored Image?
What Is a Mirror Image?
Forensic Duplication Tool Requirements
Creating a Forensic Duplicate of a Hard Drive
Duplicating with dd and dcfldd
Duplicating with the Open Data Duplicator (ODD)
Creating a Qualified Forensic Duplicate of a Hard Drive
Creating a Boot Disk
Creating a Qualified Forensic Duplicate with SafeBack
Creating a Qualified Forensic Duplicate with EnCase
So What?
Questions
Collecting Network-based Evidence
What Is Network-based Evidence?
What Are the Goals of Network Monitoring?
Types of Network Monitoring
Event Monitoring
Trap-and-Trace Monitoring
Full-Content Monitoring
Setting Up a Network Monitoring System
Determining Your Goals
Choosing Appropriate Hardware
Choosing Appropriate Software
Deploying the Network Monitor
Evaluating Your Network Monitor
Performing a Trap-and-Trace
Initiating a Trap-and-Trace with tcpdump
Performing a Trap-and-Trace with WinDump
Creating a Trap-and-Trace Output File
Using tcpdump for Full-Content Monitoring
Filtering Full-Content Data
Maintaining Your Full-Content Data Files
Collecting Network-based Log Files
So What?
Questions
Evidence Handling
What Is Evidence?
The Best Evidence Rule
Original Evidence
The Challenges of Evidence Handling
Authentication of Evidence
Chain of Custody
Evidence Validation
Overview of Evidence-Handling Procedures
Evidence System Description
Digital Photos
Evidence Tags
Evidence Labels
Evidence Storage
The Evidence Log
Working Copies
Evidence Backups
Evidence Disposition
Evidence Custodian Audits
So What?
Questions
Part III: Data Analysis
Computer System Storage Fundamentals
Hard Drives and Interfaces
The Swiftly Moving ATA Standard
SCSI (Not Just a Bad-Sounding Word)
Preparation of Hard Drive Media
Wiping Storage Media
Partitioning and Formatting Storage Drives
Introduction to File Systems and Storage Layers
The Physical Layer
The Data Classification Layer
The Allocation Units Layer
The Storage Space Management Layer
The Information Classification and Application-level Storage Layers
So What?
Questions
Data Analysis Techniques
Preparation for Forensic Analysis
Restoring a Forensic Duplicate
Restoring a Forensic Duplication of a Hard Disk
Restoring a Qualified Forensic Duplication of a Hard Disk
Preparing a Forensic Duplication for Analysis In Linux
Examining the Forensic Duplicate File
Associating the Forensic Duplicate File with the Linux Loopback Device
Reviewing Image Files with Forensic Suites
Reviewing Forensic Duplicates in EnCase
Reviewing Forensic Duplicates in the Forensic Toolkit
Converting a Qualified Forensic Duplicate to a Forensic Duplicate
Recovering Deleted Files on Windows Systems
Using Windows-Based Tools To Recover Files on FAT File Systems
Using Linux Tools To Recover Files on FAT File Systems
Running Autopsy as a GUI for File Recovery
Using Foremost to Recover Lost Files
Recovering Deleted Files on Unix Systems
Recovering Unallocated Space, Free Space, and Slack Space
Generating File Lists
Listing File Metadata
Identifying Known System Files
Preparing a Drive for String Searches
Performing String Searches
So What?
Questions
Investigating Windows Systems
Where Evidence Resides on Windows Systems
Conducting a Windows Investigation
Reviewing All Pertinent Logs
Performing Keyword Searches
Reviewing Relevant Files
Identifying Unauthorized User Accounts or Groups
Identifying Rogue Processes
Looking for Unusual or Hidden Files
Checking for Unauthorized Access Points
Examining Jobs Run by the Scheduler Service
Analyzing Trust Relationships
Reviewing Security Identifiers (SIDs)
File Auditing and Theft of Information
Handling the Departing Employee
Reviewing Searches and Files Used
Conducting String Searches on Hard Drives
So What?
Questions
Investigating Unix Systems
An Overview of the Steps in a Unix Investigation
Reviewing Pertinent Logs
Network Logging
Host Logging
User Activity Logging
Performing Keyword Searches
String Searches with grep
File Searches with find
Reviewing Relevant Files
Incident Time and Time/Date Stamps
Special Files
Identifying Unauthorized User Accounts or Groups
User Account Investigation
Group Account Investigation
Identifying Rogue Processes
Checking for Unauthorized Access Points
Analyzing Trust Relationships
Detecting Trojan Loadable Kernel Modules
LKMs on Live Systems
LKM Elements
LKM Detection Utilities
So What?
Questions
Analyzing Network Traffic
Finding Network-Based Evidence
Tools for Network Traffic Analysis
Reviewing Network Traffic Collected with tcpdump
Generating Session Data with tcptrace
Parsing a Capture File
Interpreting the tcptrace Output
Using Snort to Extract Event Data
Checking for SYN Packets
Interpreting the Snort Output
Reassembling Sessions Using tcpflow
Focusing on FTP Sessions
Interpreting the tcpflow Output
Reviewing SSH Sessions
Reassembling Sessions Using Ethereal
Refining tcpdump Filters
So What?
Questions
Investigating Hacker Tools
What Are the Goals of Tool Analysis?
How Files Are Compiled
Statically Linked Programs
Dynamically Linked Programs
Programs Compiled with Debug Options
Stripped Programs
Programs Packed with UPX
Compilation Techniques and File Analysis
Static Analysis of a Hacker Tool
Determining the Type of File
Reviewing the ASCII and Unicode Strings
Performing Online Research
Performing Source Code Review
Dynamic Analysis of a Hacker Tool
Creating the Sandbox Environment
Dynamic Analysis on a Unix System
Dynamic Analysis on a Windows System
So What?
Questions
Investigating Routers
Obtaining Volatile Data Prior to Powering Down
Establishing a Router Connection
Recording System Time
Determining Who Is Logged On
Determining the Router's Uptime
Determining Listening Sockets
Saving the Router Configuration
Reviewing the Routing Table
Checking Interface Configurations
Viewing the ARP Cache
Finding the Proof
Handling Direct-Compromise Incidents
Handling Routing Table Manipulation Incidents
Handling Theft of Information Incidents
Handling Denial-of-Service (DoS) Attacks
Using Routers as Response Tools
Understanding Access Control Lists (ACLs)
Monitoring with Routers
Responding to DDoS Attacks
So What?
Questions
Writing Computer Forensic Reports
What Is a Computer Forensics Report?
What Is an Expert Report?
Report Goals
Report Writing Guidelines
Document Investigative Steps Immediately and Clearly
Know the Goals of Your Analysis
Organize Your Report
Follow a Template
Use Consistent Identifiers
Use Attachments and Appendixes
Have Co-workers Read Your Reports
Use MD5 Hashes
Include Metadata
A Template for Computer Forensic Reports
Executive Summary
Objectives
Computer Evidence Analyzed
Relevant Findings
Supporting Details
Investigative Leads
Additional Report Subsections
So What?
Questions
Part IV: Appendixes
Answers to Questions
Index
International Contact Information
About The Companion Web Site
Foundstone
Contents
AT A GLANCE
Part I
Introduction
1 Real-World Incidents
2 Introduction to the Incident Response Process
3 Preparing for Incident Response
4 After Detection of an Incident
Part II
Data Collection
5 Live Data Collection from Windows Systems
6 Live Data Collection from Unix Systems
7 Forensic Duplication
8 Collecting Network-based Evidence
9 Evidence Handling
Part III
Data Analysis
10 Computer System Storage Fundamentals
11 Data Analysis Techniques
12 Investigating Windows Systems
13 Investigating Unix Systems
14 Analyzing Network Traffic
15 Investigating Hacker Tools
16 Investigating Routers
17 Writing Computer Forensic Reports
Part IV
Appendixes
A
Answers to Questions
B
Incident Response Forms
Index