Computer security is a crucial aspect of modern information management, and one of the latest buzzwords is
incident response--detecting and reacting to security breaches.
Computer Forensics offers information professionals a disciplined approach to implementing a comprehensive incident-response plan, with a focus on being able to detect intruders, discover what damage they did, and hopefully find out who they are.
There is little doubt that the authors are serious about cyberinvestigation. They advise companies to "treat every case like it will end up in court," and although this sounds extreme, it is good advice. Upon detecting a malicious attack on a system, many system administrators react instinctively. This often involves fixing the problem with minimal downtime, then providing the necessary incremental security to protect against an identical attack. The authors warn that this approach often contaminates evidence and makes it difficult to track the perpetrator. This book describes how to maximize system uptime while protecting the integrity of the "crime scene."
The bulk of
Computer Forensics details the technical skills required to become an effective electronic sleuth, with an emphasis on providing a well-documented basis for a criminal investigation. The key to success is becoming a "white hat" hacker in order to combat the criminal "black hat" hackers. The message is clear: if you're not smart enough to break into someone else's system, you're probably not smart enough to catch someone breaking into your system. In this vein, the authors use a number of technical examples and encourage the readers to develop expertise in Unix/Linux and Windows NT fundamentals. They also provide an overview of a number of third-party tools, many of which can be used for both tracking hackers and to probe your own systems.
The authors explain their investigative techniques via a number of real-world anecdotes. It is striking that many of the same hacks detailed in Cliff Stoll's classic
The Cuckoo's Egg are still in use over 10 years later--both on the criminal and investigative fronts. It is up to individual companies whether or not to pursue each attempted security violation as a potential criminal case, but
Computer Forensics provides a strong argument to consider doing so.
--Pete Ostenson Topics covered: Overview of computer crime investigative response, including extensive descriptions of hacking techniques. Frequent examples are used to demonstrate how to extract evidence from a violated computer system. Appendices include sample incident-response forms.
Customer Reviews & Comments
I am a senior engineer for network security operations. I read "Computer Forensics: Incident Response Essentials" (CFIRE) because I am responsible for performing intrusion detection and incident response on a daily basis. Those with similar skills will probably consider CFIRE too basic. Those working outside the information technology world may find CFIRE enlightening. I'm a graduate of the SANS System Forensics, Investigation, and Response course and have read "Incident Response: Investigating Computer Crime" (IRICC) by Mandia, Prosise, and Pepe. In my opinion, CFIRE does not offer any new or truly significant material. For example, chapter 2 ("Tracking an Offender") offers several pages on how to find the headers in Outlook messages. Elsewhere, one discovers very elementary information on UNIX commands, searching Windows hard drives, and understanding UNIX file systems. All of this appears in other books or is common knowledge for IT staff. I was disappointed that the impressive reviewer list did not detect several errors. As a fairly young network engineer, I still recognized this mistake on page 32: "When you dial to an ISP with a modem, you might use a layer 3 protocol called Point to Point Protocol (PPP). Referring back to Figure 2-1, layer 3 is the network layer, and in the case of a dial-up connection, PPP replaces IP." Untrue -- PPP is actually a layer 2 protocol; IP is used above PPP. Furthermore, figure 2-1 on page 24 presents numerous problems: NetBEUI spans layers 3 to 5 (not 3 to 4), web browsers and email clients do not belong at layer 7 (they are applications which call layer 7 protocols), and so on. Also, page 121 claims "you cannot delete an alternate stream from the command line." However, page 193 of "Hacking Exposed: Windows 2000" demonstrates how to remove streams. On the positive side, CFIRE will probably not scare non-IT staff. They will probably find the numerous tables, screen shots, and references useful. This book could be viewed as a gentle introduction to the incident response and forensics field, especially for the Microsoft Windows crowd. Two types of staff wear "computer forensics" hats. The first type investigate misuse of computers, typically by authorized personnel. This group is happy to know how to image a drive and search the copy for signs of illicit images or software. The second type investigates compromises, where unknown (usually remote) parties have penetrated a network and used machines for their own purposes. This group will be unsatisfied when CFIRE states on page 132 "we don't anticipate that most readers of this book will become this specialized." If you need that deep level of knowledge, read "Incident Response: Investigating Computer Crime." (Disclaimer: The publisher provided a free review copy.)
