REVIEW: "Incident Response", Douglas Schweitzer

["Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>]

BKINCRSP.RVW   20051029

"Incident Response", Douglas Schweitzer, 2003, 0-7645-2636-7,
U$45.00/C$67.99/UK#31.50
%A   Douglas Schweitzer
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-7645-2636-7
%I   John Wiley & Sons, Inc.
%O   U$45.00/C$67.99/UK#31.50 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764526367/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0764526367/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764526367/robsladesin03-20
%O   Audience s+ Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   323 p. + CD-ROM
%T   "Incident Response: Computer Forensics Toolkit"

The title talks about incident response.  The subtitle talks about
computer forensics.  The introduction doesn't clear up the confusion. 
Is the book about forensics?  Response?  Does Schweitzer think that
forensics (and which kind?) is the only response there is?

Chapter one purports to be an introduction to forensic and response
essentials.  It is a vague and disorganized grab bag of issues.  (A
section entitled "Recognizing the Signs of an Incident" talks about
the fact the you should respond properly, and one supposedly
addressing issues around preparation suggests that there is a need for
response to incidents.  A two page list of characteristics of various
operating systems provides such amazing advice as that MS-DOS has text
on a black screen, while Windows has colours.  In any case, the
response to an incident is the same: pull the plug.  Legal issues are
said to be the topic of chapter two: it lists some US laws related to
computers.  Some items that should be examined in computer or network
forensic investigations are tabulated in chapter three.  Chapter four
has miscellaneous information about the Registry and file systems. 
Processes (on Windows) and some indications of the potential presence
of a backdoor (or simply the fact that parts of your operating system
are running) make up chapter five.  Chapter six has random and
incomplete data on utilities and items that might hold information. 
Procedures for collecting evidence, and lots of other material, is in
chapter seven.  The advice on containment of incidents, in chapter
eight, seems to be limited to "pull the plug."  Chapter nine has
incomplete recommendations for business continuity and disaster
recovery.  The response to different kinds of threats, in chapter ten,
is terse, and the largest space is given to a discussion of sexual
harassment.  Chapter eleven is supposed to be dedicated to assessing
system security in order to prevent further attacks: there is limited
advice on hardening Windows, and some directions on general security
reviews.  A list of miscellaneous computer attacks and incidents
closes off the book in chapter twelve.

The book is randomly structured, disorganized in terms of the written
material, and excessively verbose.  There is some coverage in regard
to computer forensics for those with no experience in the field, but
nothing that can't be found elsewhere, with much less work, and in a
more complete state.

copyright Robert M. Slade, 2005   BKINCRSP.RVW   20051029


======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca      slade () victoria tc ca      rslade () sun soci niu edu
The difficulty lies, not in the new ideas, but in escaping the
old ones that ramify, for those brought up as most of us have
been, into every corner of our minds.          - John Maynard Keynes
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade