Security Incidents mailing list archives
RE: Re: REVIEW: "Incident Response", Douglas Schweitzer
From: "Mike Coliton" <mcoliton () twmi rr com>
Date: Tue, 24 Jan 2006 17:13:06 -0500
Taking a forensics course from a group like Pelttech or others is a great hands-on way to learn in a safe environment. They are not that expensive and are worth the time. The data is there, as well as the technical staff overseeing the learning progress. Better to learn such methods in a controlled environment before actually attempting it live. Compromising evidence isn't great when it is needed most.

-----Original Message-----
From: frank_kenisky () psc uscourts gov [mailto:frank_kenisky () psc uscourts gov]
Sent: Tuesday, January 24, 2006 10:35 AM
To: incidents () securityfocus com
Subject: Re: Re: REVIEW: "Incident Response", Douglas Schweitzer

Good question, but too general for any type of specific response. What exactly are you looking to examine? Router activity, servers, workstations (probably considered by many to be one and the same), network, disk, etc.

The first thing I would recommend to anyone considering what to do regarding computer forensics is to get involved with your local ISSA or ISACA chapters. They usually have a monthly luncheon where you can recommend speakers. Sometimes they have speakers who address issues like hacker activity of various sorts, footprints and other issues that would help you understand what to look for and on what type of medium.

Read. There are a lot of books (good books) that can help you grasp an understanding of what you need to look for technically. I caution you, these books are meant to help you understand the technical aspect of forensics, not the legal aspects; that's a completely different book. The Hacking Exposed books are a good start; they have a few that address forensics. But like I said, you need to understand what it is you're looking for. Other books in this same series help you comprehend various types of footprints. The Snort book is very good, and so are the books by Stephen Northcutt on understanding intrusion detection.

There are other books as well, but before you buy, look over the reviews. Amazon has some very good reviews on these books; then look for yourself. Go down to the store and sit there on the floor (like I sometimes do) and read a few pages. If the author doesn't grab your attention in the first few random pages you read, chances are he's just rambling anyway and trying to sell a book based on his self-proclaimed expertise.

Then you need to work with some of the software available. If you have a few thousand dollars you can get a trimmed-down version of EnCase. Or, if you're like many, you have about zero budget for that type of software, so you download a copy of Autopsy and The Sleuth Kit. These are becoming terrific tools that are NOT for the point-and-click community.

Then there is the legal aspect, which is 80% or more of actual forensics. Finding the data becomes the no-brainer; it's how you go about getting it that falls into the spectrum of whether what you did was legal. You are not the President of the U.S., so don't make any assumptions. A good course on incident response and legal steps is probably of utmost importance. Probably not real fun, but just as important, if not critical.

Thanks for asking.
Current thread:
- REVIEW: "Incident Response", Douglas Schweitzer Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jan 23)
- <Possible follow-ups>
- Re: REVIEW: "Incident Response", Douglas Schweitzer frank_kenisky (Jan 23)
- Re: REVIEW: "Incident Response", Douglas Schweitzer Dude VanWinkle (Jan 23)
- RE: Re: REVIEW: "Incident Response", Douglas Schweitzer Cooper, Christopher (Jan 24)
- RE: Re: REVIEW: "Incident Response", Douglas Schweitzer Robinson, Sonja (Jan 24)
- Re: Re: REVIEW: "Incident Response", Douglas Schweitzer frank_kenisky (Jan 24)
- RE: Re: REVIEW: "Incident Response", Douglas Schweitzer Mike Coliton (Jan 24)
- Re: REVIEW: "Incident Response", Douglas Schweitzer Meadows, Chip (Jan 24)
- Re: REVIEW: "Incident Response", Douglas Schweitzer Stephen J. Smoogen (Jan 24)
- Re: REVIEW: "Incident Response", Douglas Schweitzer Volker Tanger (Jan 25)
- Re: REVIEW: "Incident Response", Douglas Schweitzer Jess Garcia (Jan 25)
- Re: REVIEW: "Incident Response", Douglas Schweitzer Kenneth R. van Wyk (Jan 27)
- Re: REVIEW: "Incident Response", Douglas Schweitzer Stephen J. Smoogen (Jan 24)
- RE: REVIEW: "Incident Response", Douglas Schweitzer Chain, David (NA ITRC Team Lead) (Jan 25)