RE: Re: REVIEW: "Incident Response", Douglas Schweitzer

["Robinson, Sonja" <SRobinson () HIPUSA com>]

Try Harlan Carvey's book or Warren Kruse.  HTCIA  is good group to start
with.  Also see GMU2006 hosted by rcfg.org.  It has very good entry
level classes. 

-----Original Message-----
From: frank_kenisky () psc uscourts gov
[mailto:frank_kenisky () psc uscourts gov] 
Sent: Tuesday, January 24, 2006 10:35 AM
To: incidents () securityfocus com
Subject: Re: Re: REVIEW: "Incident Response", Douglas Schweitzer

Good question but too general for any type of specific response.  What
exactly are you looking to examine?  Router activity, servers,
workstation (probably considered by many to be one in the same) network,
disk, etc.

The first thing I would recommend to anyone considering what to do
regarding computer forensics is to get involved with your local ISSA or
ISACA chapters, they usually have a monthly luncheon where you can
recommend speakers.  Sometimes they have speakers who address issues
like hacker activity of various sorts, footprints and other issues that
would help you understand what to look for and on what type of medium.

Read.  There are a lot of books (good books) that can help you grasp an
understanding of what you need to look for technically.  I caution you,
these books are meant to understand the technical aspect of forensics
not the legal aspects that's a completely different book.

The Hacking Exposed books are a good start they have a few that address
forensics.  But like I said, you need to understand what it is you're
looking for.  Other books in this same series help you comprehend
various types of footprints.  The SNORT book is very good and so are
books by Stephen Northcutt understanding Intrusion Detection.

There are other books as well, but before you buy look over the reviews,
Amazon has some very good reviews on these books then look for you're
self.  Go down to the store and sit there on the floor (like I sometimes
do) and read a few pages.  If the author doesn't grab your attention in
the first few random pages you read, chances are he's just rambling
anyway and trying to sell a book based on his self-proclaimed expertise.

Then you need to work with some of the software available.  If you have
a few thousand dollars you can get a trimmed down version of eNcase.  Or
if you're like many you have about zero budget for that type of software
so you download a copy of Autopsy and Sleuthkit.  These are becoming
terrific tools that are NOT for the point and click community.

Then there is the legal aspect which is 80% or more of actual forensics.
Finding the data becomes the no brainer it's how you go about getting it
that falls into the spectrum of what you did as legal.  You are not the
President of the U.S. so don't make any assumptions.  A good course on
incident response and legal steps is probably of utmost importance.
Probably not real fun but just as important if not critical.

Thanks for asking.