Incident Response: Investigating Computer Crime

As an attorney and a formally-trained computer forensics examiner and instructor who has been tilling the fields of digital evidence for some time, I'm always on the prowl for the next great computer forensics tool or text that's going to help me find the next smoking gun...or at least be confident I haven't overlooked it. I've built a substantial library of books and articles on computer forensics, some very good and some a complete waste of money. But, this book is the best of the best.From its step-by-step detail of the forensic process to its copious and helpful illustrations and screen shots to its unvarnished discussion of the tools in the marketplace, the second edition of Incident Response and Computer Forensics is, for my money, the most valuable resource any computer forensic examiner could have on their shelf. Many of the techniques and shortcuts detailed are "trade secrets" in that I've never seen them described in print. Unlike other forensic guides that assume the reader owns a costly forensic software suite, this book fairly splits its emphasis between Linux tools, shareware and the best software packages. That means the reader can begin the learning process at once, without investing anything more than their time and interest.Another strength is that the book neither presupposes a too-high level of knowledge or experience nor dumbs down its content such that an expert wouldn't derive any value. There's something here for everyone who cares about computer forensics, from the neophyte to the grizzled veteran. When I paid $50.00 for this tome at a big box bookstore, I worried I was paying too much. Now, I'd think it cheap at twice the price.As another reviewer pointed out, it doesn't devote a chapter to the law, but that is not to say that legal considerations are ignored. To the contrary, I think the authors do an excellent job of giving a useful "heads-up" where needed and not moving out of their depth. I don't know these guys, but I'd sure like to shake their hands for a job well done! Thanks.Craig Ball is an attorney and certified computer forensic examiner based in Montgomery, Texas, who teaches and consults with attorneys and the courts on matters of computer forensics and electronic discovery.

This is my review for the Second Edition.Incident Response is back with a vengeance! I should disclose that I was very impressed with the first edition, for many reasons. Most of the points I liked about it are still valid and new ones abound.Same as the before, the book is a great combination of a high level policy and methodology material with hands-on, "hex dumps and disk images" stuff. The focus is on tools and technology as well as the process of response and forensics. The authors cover incident response process in great detail: from policy to secure and auditable host configuration, system logging, network monitoring, and acquiring the evidence on multiple platforms. In fact, I liked the balanced platform coverage of both UNIX/Linux and Windows. The book also contains a lot of neat background material on TCP/IP and file systems, making the book useful for less security-savvy.The useful distinction between the first response and investigation is outlined: the reader will know what to do when confronted with a freshly hacked box and will also learn how to approach a hard disk extracted from a dishonest employee workstation. So, both cursory and in-depth response are covered.I also enjoyed network-based evidence chapters on monitoring and traffic analysis (using tcpdump, ethereal, tcpflow, tcptrace). Overall, Data Analysis chapter was the most fun for me. Also enlightening were evidence collection and preservation methods. To navigate the maze of what is allowed and what is not - get the book.Another awesome chapter was the one on reversing and hostile binary analysis. While not comprehensive, it seem to summarize the "busy man's reversing tips", applicable in real daily security practice.The main advantage of the book is, in my opinion, its comprehensive nature. It is both a practical HOWTO guide, a reference and nice awareness material on "what is out there". The book emanates the fact that it is written by people who actually did all the things described in it. It might sound strange, but I also appreciated the lack of a "legal material" chapter. Legal advice should be heard from a lawyer and not from a security book (and its is usually extremely boring anyway...)Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org

First, full disclosure: the publisher sent me a free review copy, I used to work for Mandia and now work with Prosise and Pepe, and I contributed material incorporated into chapters 8 and 14. I still think "Incident Response and Computer Forensics, 2nd Edition" (IRCF2E) is the best forensics book on the market. Notice I said "forensics." It's significant that the first edition's title was "Incident Response: Investigating Computer Crime." While IRCF2E contains plenty of IR material, I sense a shift away from computer security and towards the legal world in this second edition. Readers of the first edition will want to know what's new. While reading IRCF2E I thumbed through the first edition and make some notes. The following chapters appear mostly or totally new: 1 (Real-World Incidents), 3 (Preparing for Incident Response), 4 (After Detection of an Incident), 9 (Evidence Handling), 10 (Computer System Storage Fundamentals), 11 (Data Analysis Techniques), 17 (Writing Computer Forensics Reports). Some chapters contain rewrites or new material: 2 (Intro to the IR Process), 5 (Live Data Collection from Windows), 6 (Live Data Collection from UNIX), 7 (Forensic Duplication), 8 (Collecting Network-based Evidence), and 14 (Analyzing Network Traffic). The remainder received minor rewrites. Some chapters from the first edition on IIS and application forensics were integrated elsewhere. The most informative sections for me, as a reader of both editions, appear in chapters 7, 10, and 17. Chapter 7 lays down the law on differences between a "forensic duplication," a "qualified forensic duplication," and a "mirror image." Expert witnesses can turn to IRCF2E as a standard when testifying, thanks to this chapter's clarity and citations of "Daubert" and "Kumho." Chapter 10 nicely explains file systems and storage layers. Chapter 17 gives desperately needed guidance on writing forensics reports -- the part of an engagement the client really wants. I found a few errata items, such as p. 61's reference to the PPA; it should be "Privacy Protection Act." On pp. 97-98, all of the "ps" tools should list the Sysinternals home page, not Foundstone. Despite my contribution of material to the network-oriented chapters of IRCF2E, don't believe that I advocate using laptops for monitoring duties (p. 179). Laptops and especially their NIC drivers are not built for packet capture in high speed environments. IRCF2E is one of the few books in print where the word "forensics" deserves to be on the cover. Many prominent "forensics" titles deliver nothing useful to practitioners. As was the case with the first edition, investigators can use IRCF2E in operational environments to do real work. This book lays much of the groundwork for doing cases. Watch for "Real Digital Forensics" to be published next year, which walks readers through case-based evidence to teach how to collect, interpret, and analyze host- and network-based evidence.

I am a senior engineer for network security operations. I am a graduate of the flagship session of the System Administration, Networking, and Security institute's Forensics, Investigations, and Response Education (SANS FIRE) program. "Incident Response" (IR) should have been the textbook for that program. It is the most definitive work I've read on incident response and computer forensics. I highly recommend every security professional take advantage of this book.IR starts with a revealing case study, and follows through with additional mini-studies and "eye witness reports" based on the authors' experiences. It provides plenty of clear diagrams and charts to reinforce key points, like the innovative "hard drive layers" outlined in chapter five. Most every mention of a command line program is followed by an example of that command in action, either via screenshot or text sample. These examples let readers try similar commands on their own workstations, reinforcing the authors' investigative directions.Beyond the excellent presentation of technical material, IR frames its discussion of incident response and computer forensics in a practical investigative methodology. My SANS FIRE training repeatedly stressed the importance of documentation, policies, processes, and methodology when performing forensic work worthy of adversarial legal scrutiny. IR's attention to detail helps investigators collect evidence in a professional, repeatable, forensically sound manner.Having appeared in court to defend their investigations, the authors share their knowledge and emphasize crucial steps to avoid forensic pitfalls. (An example is a DOS boot floppy's interaction with the DRVSPACE.BIN file. IR explains how to avoid this issue in detail.) Falling victim to these pitfalls could give a defense attorney an easy way to clear his client, or at least make certain evidence questionable in court.The book is not perfect. Several typos indicated somewhat rushed publication, but did not detract from technical accuracy. I would have liked more material in chapter five on file systems; perhaps another appendix would be useful?Many books and papers describe incident response procedures for UNIX, but few dare to discuss Windows. Given the predominance of compromised Windows hosts, this book thankfully addresses the Windows response task in a complete and clear manner. In many cases UNIX and Windows are compared side-by-side, and commands for one OS are explained using equivalents for the other OS.IR provides a durable blend of practical investigative techniques and technical insights. I predict that investigators will cite the procedures in this book as examples of "best practices" when they defend their actions in court. I plan to build my company's incident response capability around IR's recommendations.(Disclaimer: I received my review copy free from Foundstone.)

I got an advanced copy of this book and I must say that it was not dissappointing. After reading hacking exposed, I expected usefull material from the Foundstone people and they have really come through with this book. There aren't that many good IR books out there. This has set a good standard. Like the Hacking Exposed book, you need to sit down at a computer when reading IR. With any technical book, the real values comes with using the tools and techniques that the book describes at the computer and learning the ins and outs.I wonder if they have the second addition already in the works?