RE: Re: REVIEW: "Incident Response", Douglas Schweitzer

["Mike Coliton" <mcoliton () twmi rr com>]

Taking a forensics course from a group like Pelttech or other is a great
hands on way to learn in a safe environment.   They are not that expensive
and worth the time.   The data is there as well as the technical staff
overseeing the learning progres.   Better to learn such methods in a
controlled environment, before actually attempting life.  Compromising
evidence isn't great when needed most.

-----Original Message-----
From: frank_kenisky () psc uscourts gov
[mailto:frank_kenisky () psc uscourts gov]
Sent: Tuesday, January 24, 2006 10:35 AM
To: incidents () securityfocus com
Subject: Re: Re: REVIEW: "Incident Response", Douglas Schweitzer


Good question but too general for any type of specific response.  What
exactly are you looking to examine?  Router activity, servers, workstation
(probably considered by many to be one in the same) network, disk, etc.

The first thing I would recommend to anyone considering what to do regarding
computer forensics is to get involved with your local ISSA or ISACA
chapters, they usually have a monthly luncheon where you can recommend
speakers.  Sometimes they have speakers who address issues like hacker
activity of various sorts, footprints and other issues that would help you
understand what to look for and on what type of medium.

Read.  There are a lot of books (good books) that can help you grasp an
understanding of what you need to look for technically.  I caution you,
these books are meant to understand the technical aspect of forensics not
the legal aspects that’s a completely different book.

The Hacking Exposed books are a good start they have a few that address
forensics.  But like I said, you need to understand what it is you’re
looking for.  Other books in this same series help you comprehend various
types of footprints.  The SNORT book is very good and so are books by
Stephen Northcutt understanding Intrusion Detection.

There are other books as well, but before you buy look over the reviews,
Amazon has some very good reviews on these books then look for you’re self.
Go down to the store and sit there on the floor (like I sometimes do) and
read a few pages.  If the author doesn’t grab your attention in the first
few random pages you read, chances are he’s just rambling anyway and trying
to sell a book based on his self-proclaimed expertise.

Then you need to work with some of the software available.  If you have a
few thousand dollars you can get a trimmed down version of eNcase.  Or if
you’re like many you have about zero budget for that type of software so you
download a copy of Autopsy and Sleuthkit.  These are becoming terrific tools
that are NOT for the point and click community.

Then there is the legal aspect which is 80% or more of actual forensics.
Finding the data becomes the no brainer it’s how you go about getting it
that falls into the spectrum of what you did as legal.  You are not the
President of the U.S. so don’t make any assumptions.  A good course on
incident response and legal steps is probably of utmost importance.
Probably not real fun but just as important if not critical.

Thanks for asking.