MTU Cork Library Catalogue


Incident response and computer forensics / Chris Prosise and Kevin Mandia.

By: Prosise, Chris.
Contributor(s): Mandia, Kevin.
Material type: Book
Publisher: New York, New York : McGraw-Hill/Osborne, 2003
Edition: 2nd ed.
Description: xxix, 507 p. : ill. ; 24 cm. + pbk.
ISBN: 007222696X; 9780072226966.
Other title: Incident response & computer forensics.
Subject(s): Computer crimes | Computer crimes -- Investigation | Computer security
DDC classification: 005.8
Contents:
Part I: Introduction -- Real-World Incidents -- Introduction to the Incident Response Process -- Preparing for Incident Response -- After Detection of an Incident -- Part II: Data Collection -- Live Data Collection from Windows Systems -- Live Data Collection from Unix Systems -- Forensic Duplication -- Collecting Network-based Evidence -- Evidence Handling -- Part III: Data Analysis -- Computer System Storage Fundamentals -- Data Analysis Techniques -- Investigating Windows Systems -- Investigating Unix Systems -- Analyzing Network Traffic -- Investigating Hacker Tools -- Investigating Routers -- Writing Computer Forensic Reports.
Summary: An insider's look at the legal, procedural, and technical steps of computer forensics and analysis. Contains all-new forensics content and real-world scenarios. -- Cover.
Holdings
Item type: General Lending
Current library: MTU Bishopstown Library Lending
Call number: 005.8
Copy number: 1
Status: Checked out
Date due: 27/03/2024
Barcode: 00114613
Total holds: 0

Enhanced descriptions from Syndetics:

Written by FBI insiders, this updated best-seller offers a look at the legal, procedural, and technical steps of incident response and computer forensics.

First edition published in 2001 under title: Incident response.
Includes index.


Table of contents provided by Syndetics

  • Foreword (p. xxi)
  • Acknowledgments (p. xxiii)
  • Introduction (p. xxv)
  • Part I Introduction
  • 1 Real-World Incidents (p. 3)
  • Factors Affecting Response (p. 4)
  • International Crime (p. 5)
  • Traditional Hacks (p. 7)
  • So What? (p. 9)
  • 2 Introduction to the Incident Response Process (p. 11)
  • What Is a Computer Security Incident? (p. 12)
  • What Are the Goals of Incident Response? (p. 13)
  • Who Is Involved in the Incident Response Process? (p. 13)
  • Incident Response Methodology (p. 14)
  • So What? (p. 32)
  • Questions (p. 32)
  • 3 Preparing for Incident Response (p. 33)
  • Overview of Pre-incident Preparation (p. 34)
  • Identifying Risk (p. 35)
  • Preparing Individual Hosts (p. 36)
  • Preparing a Network (p. 49)
  • Establishing Appropriate Policies and Procedures (p. 53)
  • Creating a Response Toolkit (p. 66)
  • Establishing an Incident Response Team (p. 69)
  • So What? (p. 73)
  • Questions (p. 73)
  • 4 After Detection of an Incident (p. 75)
  • Overview of the Initial Response Phase (p. 76)
  • Establishing an Incident Notification Procedure (p. 77)
  • Recording the Details after Initial Detection (p. 78)
  • Incident Declaration (p. 80)
  • Assembling the CSIRT (p. 81)
  • Performing Traditional Investigative Steps (p. 86)
  • Conducting Interviews (p. 87)
  • Formulating a Response Strategy (p. 90)
  • So What? (p. 92)
  • Questions (p. 92)
  • Part II Data Collection
  • 5 Live Data Collection from Windows Systems (p. 95)
  • Creating a Response Toolkit (p. 96)
  • Storing Information Obtained during the Initial Response (p. 100)
  • Obtaining Volatile Data (p. 103)
  • Performing an In-Depth Live Response (p. 115)
  • Is Forensic Duplication Necessary? (p. 123)
  • So What? (p. 123)
  • Questions (p. 124)
  • 6 Live Data Collection from Unix Systems (p. 125)
  • Creating a Response Toolkit (p. 126)
  • Storing Information Obtained During the Initial Response (p. 127)
  • Obtaining Volatile Data Prior to Forensic Duplication (p. 128)
  • Performing an In-Depth, Live Response (p. 138)
  • So What? (p. 148)
  • Questions (p. 149)
  • 7 Forensic Duplication (p. 151)
  • Forensic Duplicates As Admissible Evidence (p. 152)
  • Forensic Duplication Tool Requirements (p. 155)
  • Creating a Forensic Duplicate of a Hard Drive (p. 157)
  • Creating a Qualified Forensic Duplicate of a Hard Drive (p. 163)
  • So What? (p. 172)
  • Questions (p. 172)
  • 8 Collecting Network-based Evidence (p. 173)
  • What Is Network-based Evidence? (p. 174)
  • What Are the Goals of Network Monitoring? (p. 174)
  • Types of Network Monitoring (p. 175)
  • Setting Up a Network Monitoring System (p. 177)
  • Performing a Trap-and-Trace (p. 186)
  • Using tcpdump for Full-Content Monitoring (p. 190)
  • Collecting Network-based Log Files (p. 193)
  • So What? (p. 194)
  • Questions (p. 194)
  • 9 Evidence Handling (p. 197)
  • What Is Evidence? (p. 198)
  • The Challenges of Evidence Handling (p. 199)
  • Overview of Evidence-Handling Procedures (p. 202)
  • So What? (p. 213)
  • Questions (p. 213)
  • Part III Data Analysis
  • 10 Computer System Storage Fundamentals (p. 217)
  • Hard Drives and Interfaces (p. 218)
  • Preparation of Hard Drive Media (p. 227)
  • Introduction to File Systems and Storage Layers (p. 231)
  • So What? (p. 236)
  • Questions (p. 237)
  • 11 Data Analysis Techniques (p. 239)
  • Preparation for Forensic Analysis (p. 240)
  • Restoring a Forensic Duplicate (p. 241)
  • Preparing a Forensic Duplication for Analysis In Linux (p. 248)
  • Reviewing Image Files with Forensic Suites (p. 253)
  • Converting a Qualified Forensic Duplicate to a Forensic Duplicate (p. 257)
  • Recovering Deleted Files on Windows Systems (p. 260)
  • Recovering Unallocated Space, Free Space, and Slack Space (p. 275)
  • Generating File Lists (p. 278)
  • Preparing a Drive for String Searches (p. 282)
  • So What? (p. 288)
  • Questions (p. 289)
  • 12 Investigating Windows Systems (p. 291)
  • Where Evidence Resides on Windows Systems (p. 292)
  • Conducting a Windows Investigation (p. 293)
  • File Auditing and Theft of Information (p. 328)
  • Handling the Departing Employee (p. 331)
  • So What? (p. 333)
  • Questions (p. 333)
  • 13 Investigating Unix Systems (p. 335)
  • An Overview of the Steps in a Unix Investigation (p. 336)
  • Reviewing Pertinent Logs (p. 337)
  • Performing Keyword Searches (p. 342)
  • Reviewing Relevant Files (p. 344)
  • Identifying Unauthorized User Accounts or Groups (p. 350)
  • Identifying Rogue Processes (p. 351)
  • Checking for Unauthorized Access Points (p. 352)
  • Analyzing Trust Relationships (p. 352)
  • Detecting Trojan Loadable Kernel Modules (p. 353)
  • So What? (p. 358)
  • Questions (p. 358)
  • 14 Analyzing Network Traffic (p. 359)
  • Finding Network-Based Evidence (p. 360)
  • Generating Session Data with tcptrace (p. 362)
  • Reassembling Sessions Using tcpflow (p. 369)
  • Reassembling Sessions Using Ethereal (p. 376)
  • Refining tcpdump Filters (p. 378)
  • So What? (p. 379)
  • Questions (p. 380)
  • 15 Investigating Hacker Tools (p. 385)
  • What Are the Goals of Tool Analysis? (p. 386)
  • How Files Are Compiled (p. 386)
  • Static Analysis of a Hacker Tool (p. 394)
  • Dynamic Analysis of a Hacker Tool (p. 399)
  • So What? (p. 413)
  • Questions (p. 413)
  • 16 Investigating Routers (p. 415)
  • Obtaining Volatile Data Prior to Powering Down (p. 416)
  • Finding the Proof (p. 423)
  • Using Routers as Response Tools (p. 428)
  • So What? (p. 433)
  • Questions (p. 433)
  • 17 Writing Computer Forensic Reports (p. 435)
  • What Is a Computer Forensics Report? (p. 436)
  • Report Writing Guidelines (p. 439)
  • A Template for Computer Forensic Reports (p. 444)
  • So What? (p. 452)
  • Questions (p. 453)
  • Part IV Appendixes
  • A Answers to Questions (p. 457)
  • Chapter 2 (p. 458)
  • Chapter 3 (p. 460)
  • Chapter 4 (p. 461)
  • Chapter 5 (p. 462)
  • Chapter 6 (p. 463)
  • Chapter 7 (p. 463)
  • Chapter 8 (p. 465)
  • Chapter 9 (p. 468)
  • Chapter 10 (p. 470)
  • Chapter 11 (p. 473)
  • Chapter 12 (p. 474)
  • Chapter 13 (p. 474)
  • Chapter 14 (p. 475)
  • Chapter 15 (p. 477)
  • Chapter 16 (p. 477)
  • Chapter 17 (p. 478)
  • B Incident Response Forms (p. 481)
  • Index (p. 491)

Author notes provided by Syndetics

Chris Prosise, VP of Consulting at Foundstone, is a recognized network security expert with extensive experience in attack and penetration testing and incident response. Chris has led government and commercial security teams on missions worldwide, from sensitive incident response missions on Top Secret government networks to comprehensive security assessments on some of the world's largest corporations. Chris is a featured speaker at multiple security conferences such as Forum of Incident Response and Security Teams (FIRST). Chris is an adjunct professor at Carnegie Mellon University where he teaches a class on Incident Response.

Kevin Mandia, Director of Computer Forensics at Foundstone, is a well-recognized forensics and incident response expert. Kevin leads Foundstone's premier incident response and forensics services, delivering consulting and training services to Foundstone's clients. Prior to joining Foundstone, Kevin was a Special Agent with AFOSI specializing in computer intrusion cases. Upon leaving the AFOSI, Kevin developed a computer intrusion response course specifically designed at the request of the FBI. Kevin trained over 400 FBI agents as well as personnel from the State Department, the CIA, NASA, the U.S. Postal Service, the Air Force, and other Government Agencies.