Chris Prosise, Kevin Mandia, Matt Pepe
ISBN: 9780072226966, 007222696X
Table of contents:
Cover……Page 1
About the Authors……Page 8
AT A GLANCE……Page 11
Table of Contents……Page 13
FOREWORD……Page 23
ACKNOWLEDGMENTS……Page 25
INTRODUCTION……Page 27
PART I Introduction……Page 33
CHAPTER 1 Real-World Incidents……Page 35
FACTORS AFFECTING RESPONSE……Page 36
Welcome to Invita……Page 37
The PathStar Conspiracy……Page 38
TRADITIONAL HACKS……Page 39
SO WHAT?……Page 41
CHAPTER 2 Introduction to the Incident Response Process……Page 43
WHAT IS A COMPUTER SECURITY INCIDENT?……Page 44
WHO IS INVOLVED IN THE INCIDENT RESPONSE PROCESS?……Page 45
INCIDENT RESPONSE METHODOLOGY……Page 46
Pre-Incident Preparation……Page 48
Detection of Incidents……Page 49
Initial Response……Page 50
Formulate a Response Strategy……Page 52
Investigate the Incident……Page 56
Reporting……Page 62
Resolution……Page 63
QUESTIONS……Page 64
CHAPTER 3 Preparing for Incident Response……Page 65
OVERVIEW OF PRE-INCIDENT PREPARATION……Page 66
IDENTIFYING RISK……Page 67
Recording Cryptographic Checksums of Critical Files……Page 68
Increasing or Enabling Secure Audit Logging……Page 71
Building Up Your Host’s Defenses……Page 78
Backing Up Critical Data……Page 79
Educating Your Users about Host-Based Security……Page 80
PREPARING A NETWORK……Page 81
Creating a Network Topology Conducive to Monitoring……Page 82
Requiring Authentication……Page 84
ESTABLISHING APPROPRIATE POLICIES AND PROCEDURES……Page 85
Determining Your Response Stance……Page 86
Understanding How Policies Can Aid Investigative Steps……Page 88
Developing Acceptable Use Policies……Page 95
Designing AUPs……Page 96
CREATING A RESPONSE TOOLKIT……Page 98
The Response Hardware……Page 99
The Networking Monitoring Platform……Page 100
Deciding on the Team’s Mission……Page 101
Training the Team……Page 102
QUESTIONS……Page 105
CHAPTER 4 After Detection of an Incident……Page 107
OVERVIEW OF THE INITIAL RESPONSE PHASE……Page 108
ESTABLISHING AN INCIDENT NOTIFICATION PROCEDURE……Page 109
Initial Response Checklists……Page 110
INCIDENT DECLARATION……Page 112
ASSEMBLING THE CSIRT……Page 113
Determining Escalation Procedures……Page 114
Implementing Notification Procedures……Page 115
Scoping an Incident and Assembling the Appropriate Resources……Page 116
PERFORMING TRADITIONAL INVESTIGATIVE STEPS……Page 118
CONDUCTING INTERVIEWS……Page 119
Interviewing System Administrators……Page 120
Interviewing Managers……Page 121
Response Strategy Considerations……Page 122
Policy Verification……Page 123
QUESTIONS……Page 124
PART II Data Collection……Page 125
CHAPTER 5 Live Data Collection from Windows Systems……Page 127
CREATING A RESPONSE TOOLKIT……Page 128
Gathering the Tools……Page 129
Preparing the Toolkit……Page 130
Transferring Data with netcat……Page 132
Encrypting Data with cryptcat……Page 134
Organizing and Documenting Your Investigation……Page 135
Collecting Volatile Data……Page 136
Scripting Your Initial Response……Page 146
Creating an In-Depth Response Toolkit……Page 147
Collecting Live Response Data……Page 148
SO WHAT?……Page 155
QUESTIONS……Page 156
CHAPTER 6 Live Data Collection from Unix Systems……Page 157
CREATING A RESPONSE TOOLKIT……Page 158
STORING INFORMATION OBTAINED DURING THE INITIAL RESPONSE……Page 159
Collecting the Data……Page 160
Scripting Your Initial Response……Page 169
Detecting Loadable Kernel Module Rootkits……Page 170
Obtaining the System Logs During Live Response……Page 172
Discovering Illicit Sniffers on Unix Systems……Page 173
Reviewing the /Proc File System……Page 176
Dumping System RAM……Page 179
SO WHAT?……Page 180
QUESTIONS……Page 181
CHAPTER 7 Forensic Duplication……Page 183
FORENSIC DUPLICATES AS ADMISSIBLE EVIDENCE……Page 184
What Is a Restored Image?……Page 185
What Is a Mirror Image?……Page 186
FORENSIC DUPLICATION TOOL REQUIREMENTS……Page 187
Duplicating with dd and dcfldd……Page 189
Duplicating with the Open Data Duplicator (ODD)……Page 191
Creating a Boot Disk……Page 195
Creating a Qualified Forensic Duplicate with SafeBack……Page 196
Creating a Qualified Forensic Duplicate with EnCase……Page 200
QUESTIONS……Page 204
CHAPTER 8 Collecting Network-based Evidence……Page 205
WHAT ARE THE GOALS OF NETWORK MONITORING?……Page 206
Trap-and-Trace Monitoring……Page 207
Full-Content Monitoring……Page 208
Determining Your Goals……Page 209
Choosing Appropriate Hardware……Page 210
Choosing Appropriate Software……Page 212
Deploying the Network Monitor……Page 216
Evaluating Your Network Monitor……Page 217
PERFORMING A TRAP-AND-TRACE……Page 218
Initiating a Trap-and-Trace with tcpdump……Page 219
Performing a Trap-and-Trace with WinDump……Page 220
USING TCPDUMP FOR FULL-CONTENT MONITORING……Page 222
Filtering Full-Content Data……Page 223
Maintaining Your Full-Content Data Files……Page 224
COLLECTING NETWORK-BASED LOG FILES……Page 225
QUESTIONS……Page 226
CHAPTER 9 Evidence Handling……Page 229
The Best Evidence Rule……Page 230
THE CHALLENGES OF EVIDENCE HANDLING……Page 231
Chain of Custody……Page 232
Evidence Validation……Page 233
OVERVIEW OF EVIDENCE-HANDLING PROCEDURES……Page 234
Digital Photos……Page 235
Evidence Tags……Page 237
Evidence Storage……Page 239
The Evidence Log……Page 242
Evidence Backups……Page 243
Evidence Custodian Audits……Page 244
QUESTIONS……Page 245
PART III Data Analysis……Page 247
CHAPTER 10 Computer System Storage Fundamentals……Page 249
The Swiftly Moving ATA Standard……Page 250
SCSI (Not Just a Bad-Sounding Word)……Page 255
Wiping Storage Media……Page 259
Partitioning and Formatting Storage Drives……Page 260
INTRODUCTION TO FILE SYSTEMS AND STORAGE LAYERS……Page 263
The Physical Layer……Page 264
The Data Classification Layer……Page 265
The Storage Space Management Layer……Page 266
SO WHAT?……Page 268
QUESTIONS……Page 269
CHAPTER 11 Data Analysis Techniques……Page 271
PREPARATION FOR FORENSIC ANALYSIS……Page 272
Restoring a Forensic Duplication of a Hard Disk……Page 273
Restoring a Qualified Forensic Duplication of a Hard Disk……Page 276
PREPARING A FORENSIC DUPLICATION FOR ANALYSIS IN LINUX……Page 280
Examining the Forensic Duplicate File……Page 281
Associating the Forensic Duplicate File with the Linux Loopback Device……Page 282
Reviewing Forensic Duplicates in EnCase……Page 285
Reviewing Forensic Duplicates in the Forensic Toolkit……Page 287
CONVERTING A QUALIFIED FORENSIC DUPLICATE TO A FORENSIC DUPLICATE……Page 289
Using Linux Tools To Recover Files on FAT File Systems……Page 292
Running Autopsy as a GUI for File Recovery……Page 296
Using Foremost to Recover Lost Files……Page 300
Recovering Deleted Files on Unix Systems……Page 303
RECOVERING UNALLOCATED SPACE, FREE SPACE, AND SLACK SPACE……Page 307
Listing File Metadata……Page 310
PREPARING A DRIVE FOR STRING SEARCHES……Page 314
Performing String Searches……Page 316
SO WHAT?……Page 320
QUESTIONS……Page 321
CHAPTER 12 Investigating Windows Systems……Page 323
WHERE EVIDENCE RESIDES ON WINDOWS SYSTEMS……Page 324
CONDUCTING A WINDOWS INVESTIGATION……Page 325
Reviewing All Pertinent Logs……Page 326
Performing Keyword Searches……Page 334
Reviewing Relevant Files……Page 335
Identifying Rogue Processes……Page 352
Looking for Unusual or Hidden Files……Page 353
Checking for Unauthorized Access Points……Page 355
Examining Jobs Run by the Scheduler Service……Page 358
Analyzing Trust Relationships……Page 359
FILE AUDITING AND THEFT OF INFORMATION……Page 360
HANDLING THE DEPARTING EMPLOYEE……Page 363
Conducting String Searches on Hard Drives……Page 364
QUESTIONS……Page 365
CHAPTER 13 Investigating Unix Systems……Page 367
AN OVERVIEW OF THE STEPS IN A UNIX INVESTIGATION……Page 368
Network Logging……Page 369
Host Logging……Page 372
User Activity Logging……Page 373
PERFORMING KEYWORD SEARCHES……Page 374
String Searches with grep……Page 375
REVIEWING RELEVANT FILES……Page 376
Incident Time and Time/Date Stamps……Page 377
Special Files……Page 379
User Account Investigation……Page 382
IDENTIFYING ROGUE PROCESSES……Page 383
ANALYZING TRUST RELATIONSHIPS……Page 384
DETECTING TROJAN LOADABLE KERNEL MODULES……Page 385
LKM Elements……Page 386
LKM Detection Utilities……Page 387
QUESTIONS……Page 390
CHAPTER 14 Analyzing Network Traffic……Page 391
Tools for Network Traffic Analysis……Page 392
Reviewing Network Traffic Collected with tcpdump……Page 393
Parsing a Capture File……Page 394
Interpreting the tcptrace Output……Page 395
Using Snort to Extract Event Data……Page 396
Checking for SYN Packets……Page 397
Focusing on FTP Sessions……Page 401
Interpreting the tcpflow Output……Page 402
Reviewing SSH Sessions……Page 406
REASSEMBLING SESSIONS USING ETHEREAL……Page 408
REFINING TCPDUMP FILTERS……Page 410
SO WHAT?……Page 411
QUESTIONS……Page 412
CHAPTER 15 Investigating Hacker Tools……Page 417
HOW FILES ARE COMPILED……Page 418
Programs Compiled with Debug Options……Page 419
Programs Packed with UPX……Page 421
Compilation Techniques and File Analysis……Page 424
Determining the Type of File……Page 426
Reviewing the ASCII and Unicode Strings……Page 427
Performing Online Research……Page 429
Performing Source Code Review……Page 430
Creating the Sandbox Environment……Page 431
Dynamic Analysis on a Unix System……Page 433
Dynamic Analysis on a Windows System……Page 441
QUESTIONS……Page 445
CHAPTER 16 Investigating Routers……Page 447
OBTAINING VOLATILE DATA PRIOR TO POWERING DOWN……Page 448
Determining Who Is Logged On……Page 449
Determining the Router’s Uptime……Page 450
Determining Listening Sockets……Page 451
Saving the Router Configuration……Page 452
Reviewing the Routing Table……Page 453
Checking Interface Configurations……Page 454
Handling Direct-Compromise Incidents……Page 455
Handling Routing Table Manipulation Incidents……Page 457
Handling Denial-of-Service (DoS) Attacks……Page 458
Understanding Access Control Lists (ACLs)……Page 460
Monitoring with Routers……Page 462
Responding to DDoS Attacks……Page 463
QUESTIONS……Page 465
CHAPTER 17 Writing Computer Forensic Reports……Page 467
What Is an Expert Report?……Page 468
Report Goals……Page 469
Document Investigative Steps Immediately and Clearly……Page 471
Know the Goals of Your Analysis……Page 472
Use Consistent Identifiers……Page 473
Have Co-workers Read Your Reports……Page 474
Include Metadata……Page 475
A TEMPLATE FOR COMPUTER FORENSIC REPORTS……Page 476
Objectives……Page 477
Computer Evidence Analyzed……Page 478
Relevant Findings……Page 479
Supporting Details……Page 480
Additional Report Subsections……Page 483
SO WHAT?……Page 484
QUESTIONS……Page 485
PART IV Appendixes……Page 487
APPENDIX A Answers to Questions……Page 489
CHAPTER 2……Page 490
CHAPTER 3……Page 492
CHAPTER 4……Page 493
CHAPTER 5……Page 494
CHAPTER 7……Page 495
CHAPTER 8……Page 497
CHAPTER 9……Page 500
CHAPTER 10……Page 502
CHAPTER 11……Page 505
CHAPTER 13……Page 506
CHAPTER 14……Page 507
CHAPTER 16……Page 509
CHAPTER 17……Page 510
APPENDIX B Incident Response Forms……Page 513
INDEX……Page 523