Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia
Posted: Sun Oct 26, 2003 5:08 am Post subject: Book Review - Incident Response & Computer Forensics 2E
Incident Response & Computer Forensics Second Edition
Authors: Kevin Mandia, Chris Prosise & Matt Pepe
Book Specifications: Soft-Cover, 507 Pages
Category: Computer Forensics
User Level: This is a highly technical book that covers many areas, so a strong knowledge of Networking, Windows and Linux is recommended.
Suggested Publisher Price: $49.99 USA/ $78.95 CAN/ £36.99 Net UK (inc of VAT)
Amazon.co.uk: Incident Response & Computer Forensics Second Edition
Amazon.com: Incident Response & Computer Forensics Second Edition
Info from Back: "Written by FBI insiders, this updated best-seller offers a look at the legal, procedural, and technical steps of incident response and computer forensics. Including new chapters on forensic analysis and remediation, and real-world case studies, this revealing book shows how to counteract and conquer today's hack attacks."
Along with Cryptography, Forensics is probably my weakest area. I am familiar with it on a base level, as with Crypto, but I am not as comfortable and well versed in it as I desire to be and believe I should be (being a consummate sec pro as always). It is however an area that fascinates me and I've always tinkered with it, either accidentally (trying to retrieve deleted files) or purposely (trying to tell what has happened to a hacked machine). In the main part I just really wanted to know what IS possible and what IS NOT possible; as you all know, people always make inflated claims, and seeing as EnCase is so expensive I wanted to know if it was actually any good.
As I mentioned above I do have a little experience with forensics, but I don't feel I have the depth of knowledge to actually respond professionally to a large scale computer security incident. Also the professional side of Incident Response interests me: the procedures and legalities involved and how evidence is stored safely and its integrity verified. Also of course the more technical details of reading file systems and how you go about thoroughly checking a compromised host of whatever OS.
As with most of the books I review, this book again covers only a very narrow area; it's not a beginner's guide to computer security and is definitely not for the uninitiated. It is however an area with which everyone involved in computer security should be very comfortable: computers DO get hacked and incidents DO occur, and we should all know how to deal with them. I would say this book is aimed at everyone involved in security, even Systems Administrators who only have a passing security role. I will stress again though that it *IS* technical and you could do with being pretty strong in all areas (Do you know your SYN from your ACK? Your sector from your cluster? Your LKM from your Monolith?)
The foreword for this book was written by Scott K. Larson, a former FBI special agent and current Executive Vice President of Stroz Friedberg, LLC. As always there is a large acknowledgements section, then an Introduction which outlines the aim of the book, who should read this book, graphical and textual conventions and a brief guide as to how the book is organised. There is a website for the book as mentioned above but it doesn't actually contain anything useful, which is a bit disappointing!
This book is split into 4 parts and 17 chapters (plus Appendixes); the parts are as follows:
- Part I: Introduction
- Part II: Data Collection
- Part III: Data Analysis
- Part IV: Appendixes
Chapters of Interest
This is not a complete chapter list; a full Table of Contents can be found HERE.
- Real World Incidents
- Preparing for Incident Response
- Live Data Collection from a Windows System
- Live Data Collection from a UNIX System
- Collecting Network-based Evidence
- Evidence Handling
- Data Analysis Techniques
- Investigating Hacker Tools
- Investigating Routers
- Writing Computer Forensics Reports
The chapters begin with a textual introduction to the topic, which is sometimes short, but the chapters are well split up with easy to read and straightforward headings so the introductions don't need to be lengthy.
The book covers pretty much everything you could wish to know (or not!) about Computer Forensics and Incident Response, from technicalities to formalities. It's laid out very well with an easy to read format and nice visual elements, with Icons for "What Can Happen?", "Where to Look for Evidence", Law Enforcement Tips, Legal Issues, Notes, Cautions and various Boxed Elements (Eye Witness Reports, Recommended Practice etc.). There is a liberal use of code, screen shots and tables, which makes it very easy to absorb the wealth of information contained in the book.
Anti-attack procedures are covered with details on how to look for anomalies, how to apprehend and prosecute attackers/intruders, how to securely store evidence and more. From a general security point of view the in depth sections on creating secure and auditable hosts, secure remote system logging and controlling network access are especially interesting. Quite a lot of detail about obtaining or building Forensics workstations is also included.
One thing I found really good about this book is they don't just tell you what needs to be done, they show you what needs to be done, how to do it, what tools to use, where to get the tools and how to use them!
The chapter on Investigating Hacker Tools may sound a bit cheesy but it's actually fascinating. Essentially it's a section on tool/binary analysis: how files are compiled, and static (file types, ASCII strings, source code reviewing) and dynamic analysis (sandboxing) of tools.
Style and Detail
The writing style made this book very easy to read even though, as mentioned before, it's a highly technical book. There is a good sense of humour throughout, which again gives the book a good natural flow. The authors have successfully managed to strike a good balance between high level policies and things to approach management with, and low level highly technical tools and analysis (not an easy task!). While reading the book it becomes clear very quickly that these guys REALLY do know their stuff; they have been there, done that and got the T-shirt. It's not just another 'Hacker' book full of stuff freely available online.
As mentioned in the contents section of the review, the book is extremely well laid out with a mixture of pictures of actual equipment and screenshots. There is a huge number of references in the book to all kinds of software: freeware, OSS and commercial. Surprisingly there are also references to other useful books for specific areas, and there are many references to online resources and useful web sites.
When it comes to the more technical parts the authors have gone into a huge amount of detail. This is shown best in the chapters on Analysing Network Traffic and Investigating Hacker Tools. For example, in the Network Traffic chapter there are full packet dumps including the tcpdump switches used to capture the traffic and how to reassemble sessions using tcpflow; in the Hacker Tools chapter, how to dynamically analyse a binary using strace is examined extensively.
It actually took me a *VERY* long time to review this book. The reason? I couldn't put the damn thing down. Every chapter was something new, another way to look at things, a "Hmm, I didn't know you could do that!". It's been quite some time since I found a technical book quite so interesting. Maybe because I'm a newcomer to this area, or perhaps it's a testament to the way the book is written and laid out (I'd lean towards the latter).
If this is an area you know nothing about but think "hmm, that may be interesting", get this book! I guarantee it will fascinate you. Even if you know a little about the area I would recommend getting it, as I'm pretty sure you'll learn some new things. EnCase does seem to be the tool of choice and it's quite amazing what it can do. There are also some excellent free tools out there such as Autopsy.
The only thing I found lacking was a CD containing all the tools and report templates in the book. This would have been excellent and would have been a great start for a forensics toolkit. I was hoping to find more stuff for download on the associated website but there actually wasn't anything of interest. All the things in the book do have URLs associated, but I find it tiresome typing URLs in from books when I could just go to the site and find a links list, or go on the CD and find the tools. This is the only point that stops me giving the book a 10. Even with this, if I could I'd give it 9.5.
I highly recommend this book to anyone interested in computer security.
I give it an extremely interesting and well written 9/10.
This review is copyright 2003 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
Joined: 16 Mar 2003
Posted: Thu Jan 06, 2005 1:52 am Post subject:
I agree, if you're looking for a book on IR, then this is the one to get. I've read a lot of books and this one is definitely my favorite. Windows Forensics and Incident Recovery by Harlan Carvey is a great addition to it since it goes into a greater depth for responding to, and investigating incidents involving Windows.
The two most interesting things I learned from Windows Forensics and Incident Recovery were that if you are logged in as a domain administrator, you can use perl scripts (which he includes) to easily scan many computers for signs of modems or packet sniffers that have been installed, and since it is open source you could edit it to include searches for other things like P2P programs.
There is also a chapter about the Forensic Server Project he has created. I can guarantee you that if the authors of Incident Response & Computer Forensics Second Edition had known about it, it would have been included in their book, although it may not have been available at the time. You can check it out here: http://www.windows-ir.com/fsp.html It lets you easily put together an incident response disk and takes care of sending the evidence to another computer in a convenient and forensically sound manner, including automatically creating hashes. I'm pretty sure there is a perl version of it so you can use it to respond to incidents involving *nix as well. I see no reason why this shouldn't be the standard tool for collecting volatile evidence. It's that good.
And to get back on subject, I can vouch for everything you said. I take notes on the books I read, and Incident Response & Computer Forensics was the only book I've read where I just said the hell with it, because I'd honestly end up highlighting the whole book. I look forward to reading it again.