22 Reviews
56 of 61 people found the following review helpful:
3.0 out of 5 stars
Suitable for newbie incident responders or non-IT staff,
This review is from: Computer Forensics: Incident Response Essentials (Paperback)
I am a senior engineer for network security operations. I read "Computer Forensics: Incident Response Essentials" (CFIRE) because I am responsible for performing intrusion detection and incident response on a daily basis. Those with similar skills will probably consider CFIRE too basic. Those working outside the information technology world may find CFIRE enlightening.

I'm a graduate of the SANS System Forensics, Investigation, and Response course and have read "Incident Response: Investigating Computer Crime" (IRICC) by Mandia, Prosise, and Pepe. In my opinion, CFIRE does not offer any new or truly significant material. For example, chapter 2 ("Tracking an Offender") offers several pages on how to find the headers in Outlook messages. Elsewhere, one discovers very elementary information on UNIX commands, searching Windows hard drives, and understanding UNIX file systems. All of this appears in other books or is common knowledge for IT staff.

I was disappointed that the impressive reviewer list did not detect several errors. As a fairly young network engineer, I still recognized this mistake on page 32: "When you dial to an ISP with a modem, you might use a layer 3 protocol called Point to Point Protocol (PPP). Referring back to Figure 2-1, layer 3 is the network layer, and in the case of a dial-up connection, PPP replaces IP." Untrue -- PPP is actually a layer 2 protocol; IP is used above PPP. Furthermore, figure 2-1 on page 24 presents numerous problems: NetBEUI spans layers 3 to 5 (not 3 to 4), web browsers and email clients do not belong at layer 7 (they are applications which call layer 7 protocols), and so on. Also, page 121 claims "you cannot delete an alternate stream from the command line." However, page 193 of "Hacking Exposed: Windows 2000" demonstrates how to remove streams.

On the positive side, CFIRE will probably not scare non-IT staff. They will probably find the numerous tables, screen shots, and references useful.
This book could be viewed as a gentle introduction to the incident response and forensics field, especially for the Microsoft Windows crowd. Two types of staff wear "computer forensics" hats. The first type investigate misuse of computers, typically by authorized personnel. This group is happy to know how to image a drive and search the copy for signs of illicit images or software. The second type investigates compromises, where unknown (usually remote) parties have penetrated a network and used machines for their own purposes. This group will be unsatisfied when CFIRE states on page 132 "we don't anticipate that most readers of this book will become this specialized." If you need that deep level of knowledge, read "Incident Response: Investigating Computer Crime." (Disclaimer: The publisher provided a free review copy.)
27 of 28 people found the following review helpful:
5.0 out of 5 stars
Excellent introduction to the basics,
By Mike Tarrani "www.tarrani.com" (Deltona, FL USA)
The authors, both of whom have impeccable credentials, have managed to distill a complex subject into a book that can be understood by anyone with intermediate-level computer skills. More importantly, computer forensics is a relatively new sub-discipline of IT security, making this book important in that there are few books on the topic.

I'll start with the beginning and end of the book, each of which is focused on legal aspects of forensics. The book begins by explaining what forensics is, and giving a three-step process that covers the essentials at a high level: (1) acquire evidence, (2) authenticate it, and (3) analyze it. Although this process is presented at a high level, important details, such as the importance of establishing and maintaining a chain of custody, how to collect and document evidence, and key issues to consider when presenting the evidence in court, are covered. This discussion is picked up again in Chapter 12, Introduction to the Criminal Justice System, in which applicable laws, advice on dealing with law enforcement agencies, and the distinction between criminal and civil cases are discussed. There is sufficient detail and pointers to sources of information to arm you with the bare essentials.

Between the opening chapter and Chapter 12 described above are chapters devoted to basic techniques and procedures for tracing email, specific operating system issues (the book deals with UNIX and Windows), encryption, codes and compression, and other common challenges an investigator will face. The material is not overly technical, and is presented in easy-to-understand prose. Anyone who works as a network or system administrator, provides desktop support, or is an advanced end user will have no problems following the techniques that are presented or the underlying technical details. If you're seeking an advanced text this book will probably disappoint you, although there is sure to be some new trick or fact that you'll learn.
For example, I have over 25 years of IT experience and was fascinated by the discussion of steganography (an information hiding technique). There were other chapters that I quickly skimmed because I was well-versed in the subject matter. What I like about the book is the easy approach, which makes it easy to develop the fundamental skills necessary to perform forensics. The few other papers and books on the subject are far more advanced and the learning curve is a barrier. This book will give the new security investigator a foothold in the topic upon which he or she can build. I especially liked the appendices, which provide an excellent framework for incident response. One of the best features is the detailed roles and responsibilities, which are well thought out and reinforce the axiom that security is everyone's business. Another outstanding feature is the flowcharts for various incident types, such as denial of service, hostile code, etc. These can be used verbatim in a security policies and procedures manual, as can the incident response form provided in Appendix B. I also liked the valuable URLs provided throughout the book. I knew of many, but was surprised to find invaluable resources that I didn't know about. Even though much of this book presented information I already knew, I still enjoyed reading it because I picked up facts that I didn't previously know, and was reminded of legal aspects of forensics and security that I'd forgotten. The appendices alone make this worthwhile to even advanced readers, and the fact that it provides an entry point into forensics for new practitioners makes this book invaluable as a training tool and vehicle for professional growth.
18 of 18 people found the following review helpful:
5.0 out of 5 stars
A Much Needed Primer,
By James Sibley (Santa Cruz, Ca. United States)
As a high technology crimes prosecutor in Silicon Valley, I find this book is just what I've been waiting for. While not an exhaustive treatise on the minutiae of computer systems and forensic tools, the authors provide a comprehensive overview of investigative approaches, tools, and techniques desperately needed in the field. This book should be a must-read for investigators (public and private), attorneys, and system administrators, as well as corporate management responsible for overseeing either personnel or the security of network infrastructure and information assets. It is both an excellent primer on the developing field of computer forensics and a good resource from which to launch more in-depth research into a specific area in the field. While many of the previous works in this field proved to be either uninformative cursory overviews or mind-numbing forays into the depths of the arcane, the authors have struck a good balance that makes for an enjoyable and informative read. Not the end-all, be-all of computer crime investigation, but a damn fine starting point.
13 of 13 people found the following review helpful:
5.0 out of 5 stars
Outstanding book on forensics,
By Zizzed (Portland, OR United States)
Amazon Verified Purchase
This is an outstanding book. Well written, very educational. If you're tasked with handling computer security incidents, you'll want to have a copy of this book on your bookshelf. The first chapter is an outstanding quick overview of the entire scope of incident response.
11 of 11 people found the following review helpful:
5.0 out of 5 stars
Easy to read and understand style applied to complex issues,
By Cynthia Hetherington (New Jersey, USA)
As the title indicates, this text is one of the "essentials." When it comes to crimes committed with and by the computer, it is no easy task to train and relate the process. Kruse and Heiser, in clear, no-nonsense language, have relayed the complexities of forensic examination quite well. Computer Forensics is a fundamental guide that takes on the task of describing the process, details and intricacies, including the societal and legal aspects (a point often missed by technical writers).

This is a must-read for technologists familiar with computer and network operations, but unfamiliar with computer crime issues. On the other side of the coin, a user new to this arena will benefit greatly from their start-to-finish approach in each chapter. This book is perfect for a classroom environment and as a reference work.
10 of 10 people found the following review helpful:
5.0 out of 5 stars
Great Computer Forensics and Incident Response guide,
By "billyfm" (New York USA)
This book is an excellent resource for anyone who is responsible for computer incident investigation and response, as well as anyone who performs computer forensic examinations. It describes a sound scientific method of preservation and analysis of computer data evidence, and covers DOS/Windows, Unix-based, and Macintosh systems. In addition, the experience of the authors is shared in describing the presentation of data evidence in court. The flow charts and sample forms help to clarify the methods and techniques of forensic examinations and incident response. This book is an essential addition to the computer professional's library.
8 of 8 people found the following review helpful:
5.0 out of 5 stars
Excellent coverage, recommended reading,
By Gary Weisse (USA)
The authors did a great job covering forensics and response. Very thorough and easy to follow. I read this book in two evenings and use it as a reference as I audit my networks. Recommended.
7 of 7 people found the following review helpful:
4.0 out of 5 stars
Good reference for computer forensics basics,
A well-organized book that begins with a clear and precise explanation of the basics of computer forensics. Chapter 3 provides good technical information on storage media. It then goes on to forensics in Windows and Unix from Chapter 8 through Chapter 11. The section I like the most is Appendix A, which gives you comprehensive guidelines for dealing with incident response (a good sell to senior management). It is not a technical reference book, but it is one of those "have-to-have" introduction books for anyone who is new to this field.
11 of 13 people found the following review helpful:
4.0 out of 5 stars
Great for beginners,
By obediah (Sydney, Australia)
This book gives a broad overview of computer forensics. It touches on a number of topics but does not go deeply into any one particular area. The book is suitable for people who have no experience with computer forensics. I suspect people with a lot of experience in the field will be disappointed at what this book has to offer.

One commendable feature is a list of tools that are suitable for dealing with particular situations. Unfortunately, many of the tools are only available commercially. A great introduction, but stay away if you are looking for in-depth treatment.
5 of 5 people found the following review helpful:
5.0 out of 5 stars
Great for general computer forensics information,
By richter3 (Tampa, FL)
Computer Forensics, Incident Response Essentials, is a great book for two groups of people:
1) All computer forensics investigators looking for a better description of the process of collecting and analyzing data. The book provides great descriptions of the methods for maintaining chain of custody and storage. This is done through the use of example forms and scenarios. Since evidence handling principles are easily overlooked, this book seeks to provide pragmatic techniques for proper evidence preservation.

2) Someone interested in learning what computer forensics is about. This book is great at providing a high-level description of what computer forensics is used for and how it works. The book does not go into intricate detail on any one software package. Instead, it provides you with a great overview description of numerous software packages and tools. By doing this, the reader can attain a better understanding of what value computer forensics can provide. Since the field is relatively new, it is important for people to understand what computer forensics is capable of.

I highly recommend this book if you are just getting into the field, or if you are tired of reading books that continually tout Encase as the only solution. This book is a critical addition to any computer forensic investigator's library.
Computer Forensics: Incident Response Essentials by Warren G. Kruse (Paperback - October 6, 2001)
$54.99 $31.86
In Stock