Re: Re: REVIEW: "Incident Response", Douglas Schweitzer

[frank_kenisky () psc uscourts gov]

Good question but too general for any type of specific response.  What exactly are you looking to examine?  Router 
activity, servers, workstation (probably considered by many to be one in the same) network, disk, etc.

The first thing I would recommend to anyone considering what to do regarding computer forensics is to get involved with 
your local ISSA or ISACA chapters, they usually have a monthly luncheon where you can recommend speakers.  Sometimes 
they have speakers who address issues like hacker activity of various sorts, footprints and other issues that would 
help you understand what to look for and on what type of medium.

Read.  There are a lot of books (good books) that can help you grasp an understanding of what you need to look for 
technically.  I caution you, these books are meant to understand the technical aspect of forensics not the legal 
aspects that’s a completely different book.

The Hacking Exposed books are a good start they have a few that address forensics.  But like I said, you need to 
understand what it is you’re looking for.  Other books in this same series help you comprehend various types of 
footprints.  The SNORT book is very good and so are books by Stephen Northcutt understanding Intrusion Detection.

There are other books as well, but before you buy look over the reviews, Amazon has some very good reviews on these 
books then look for you’re self.  Go down to the store and sit there on the floor (like I sometimes do) and read a few 
pages.  If the author doesn’t grab your attention in the first few random pages you read, chances are he’s just 
rambling anyway and trying to sell a book based on his self-proclaimed expertise.

Then you need to work with some of the software available.  If you have a few thousand dollars you can get a trimmed 
down version of eNcase.  Or if you’re like many you have about zero budget for that type of software so you download a 
copy of Autopsy and Sleuthkit.  These are becoming terrific tools that are NOT for the point and click community.

Then there is the legal aspect which is 80% or more of actual forensics.  Finding the data becomes the no brainer it’s 
how you go about getting it that falls into the spectrum of what you did as legal.  You are not the President of the 
U.S. so don’t make any assumptions.  A good course on incident response and legal steps is probably of utmost 
importance.  Probably not real fun but just as important if not critical.

Thanks for asking.