Rating:  Summary: A Much Needed Addition to Computer Forensic Review: I found this book especially insightful for data recovery computer forensics. I have been searching for a textbook for my college program since 1998. I have used other texts and have been disappointed with them. I can use this book with students who have nothing more but an interest in Computer Forensics and by the time they graduate from our program they have the skills needed to pass the national certification. Even students who are practitioners in the field have found the book helpful. This book is the perfect fit for my classes and our program. If your interests, whether a seasoned investigator or someone who is intrigued with the field, are Data Recovery Computer Forensics, this is a must-have book.
Rating:  Summary: Computer Forensics Review: I liked the book a great deal. I often instruct others in this field and found it to be helpful, informative, and well written. Many of the items are of great value in doing proper investigations. I recommend it as a book to have in your library if you are into PC forensics.
Rating:  Summary: Excellent coverage, recommended reading. Review: The authors did a great job covering forensics and response. Very thorough and easy to follow. I read this book in two evenings and use it as a reference as I audit my networks. Recommended.
Rating:  Summary: Excellent introduction to the basics Review: The authors, both of whom have impeccable credentials, have managed to distill a complex subject into a book that can be understood by anyone with intermediate-level computer skills. More importantly, computer forensics is a relatively new sub-discipline of IT security, making this book important in that there are few books on the topic. I'll start with the beginning and end of the book, each of which is focused on legal aspects of forensics. The book begins by explaining what forensics is, and giving a three-step process that covers the essentials at a high level: (1) acquire evidence, (2) authenticate it, and (3) analyze it. Although this process is presented at a high level, important details, such as the importance of establishing and maintaining a chain of custody, how to collect and document evidence, and key issues to consider when presenting the evidence in court, are covered. This discussion is picked up again in Chapter 12, Introduction to the Criminal Justice System, in which applicable laws, advice on dealing with law enforcement agencies, and the distinction between criminal and civil cases are discussed. There is sufficient detail and pointers to put sources of information to arm you with the bare essentials. Between the opening chapter and Chapter 12 described above are chapters devoted to basic techniques and procedures for tracing email, specific operating system issues (the book deals with UNIX and Windows), encryption, codes and compression, and other common challenges an investigator will face. The material is not overly technical, and is presented in easy-to-understand prose. Anyone who works as a network or system administrator, provides desktop support, or is an advanced end user will have no problems following the techniques that are presented or the underlying technical details.
If you're seeking an advanced text this book will probably disappoint you, although there is sure to be some new trick or fact that you'll learn. For example, I have over 25 years of IT experience and was fascinated by the discussion of steganography (an information hiding technique). There were other chapters that I quickly skimmed because I was well-versed in the subject matter. What I like about the book is the easy approach, which makes it easy to develop the fundamental skills necessary to perform forensics. The few other papers and books on the subject are far more advanced and the learning curve is a barrier. This book will give the new security investigator a foothold in the topic upon which he or she can build. I especially liked the appendices, which provide an excellent framework for incident response. One of the best features is the detailed roles and responsibilities, which are well thought out and reinforce the axiom that security is everyone's business. Another outstanding feature is the flowcharts for various incident types, such as denial of service, hostile code, etc. These can be used verbatim in a security policies and procedures manual, as can the incident response form provided in Appendix B. I also liked the valuable URLs provided throughout the book. I knew of many, but was surprised to find invaluable resources that I didn't know about. Even though much of this book presented information I already knew, I still enjoyed reading it because I picked up facts that I didn't previously know, and was reminded of legal aspects of forensics and security that I'd forgotten. The appendices alone make this worthwhile to even advanced readers, and the fact that it provides an entry point into forensics for new practitioners makes this book invaluable as a training tool and vehicle for professional growth.
Rating:  Summary: Great for beginners Review: This book gives a broad overview of computer forensics. It touches on a number of topics but does not go deeply into any one particular area. The book is suitable for people who have no experience with computer forensics. I suspect people with a lot of experience in the field will be disappointed at what this book has to offer. One commendable feature is a list of tools that are suitable for dealing with particular situations. Unfortunately many of the tools are only available commercially. A great introduction, but stay away if you are looking for in-depth treatment.
Rating:  Summary: Good Introduction to Computer Forensics Investigations Review: This book is a couple of years old now, but the fundamentals remain essentially the same. Kruse and Heiser are seasoned experts in computer forensics and incident response and they have managed to boil down years of knowledge and experience into a format that is easy to read and understand. While security experts may not learn anything new from this book, those entering the field will find it invaluable. It is comprehensive and detailed while remaining easy to read. The foundation provided by reading and understanding this book can be used to move forward into more technical areas. Computer Forensics is not fluff by any means though, and could easily be kept nearby as a handy reference for a computer forensic investigation.
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).
Rating:  Summary: Great Computer Forensics and Incident Response guide Review: This book is an excellent resource for anyone who is responsible for computer incident investigation and response, as well as anyone who performs computer forensic examinations. It describes a sound scientific method of preservation and analysis of computer data evidence, and covers DOS/Windows, Unix-based, and Macintosh systems. In addition, the experience of the authors is shared in describing the presentation of data evidence in court. The flow charts and sample forms help to clarify the methods and techniques of forensic examinations and incident response. This book is an essential addition to the computer professional's library.
Rating:  Summary: Boring for skilled admins, only good for beginners. Review: This book spends too much time on the basics of systems operations and lacks depth of forensic examination. The subject matter assumes you are an entry-level systems administrator and explains the banalities of SMTP, TCP, et al. In addition, it often makes references to commercial tools and gives little emphasis to the power of free tools that are invaluable in any investigation. The Investigating Windows section is sorely lacking; it explains the basics of data stored in Registry hives but fails to mention the metabases where the really valuable info is stored. One quote from the Windows investigation section: "A good way to find information is the Windows Find feature." How insightful. The book mentions nothing about secret information stored in the Security Accounts Manager, or imaging RAM to media such as a hard disk or floppy. Nor does it mention techniques such as the technique of DLL examination and volatile unloading. The Dept of Justice provides a FREE whitepaper that covers the evidence gathering techniques this book provides [...] If you are a skilled admin, this book is a waste of your time.