
Incident Response and Computer Forensics, Second Edition

by Chris Prosise, Kevin Mandia, and Matt Pepe
Sales Rank: 65039
Rating: 4.5 out of 5 stars
Price: $31.49 at Amazon on 9-27-2008.
Features
  • Cover Type: Paperback with 507 pages
  • Published by: McGraw-Hill/Osborne
  • Edition: 2nd Edition July 17, 2003
  • Written in: English
  • ISBN 10 Number: 007222696X
  • ISBN 13 Number: 978-0072226966
  • Book Dimensions: 9.1 x 7.2 x 1.3 inches
  • Weighs: 2.5 pounds

Product Review
A strong system of defenses will save your systems from falling victim to published and otherwise uninventive attacks, but even the most heavily defended system can be cracked under the right conditions. Incident Response aims to teach you how to determine when an attack has occurred or is underway--they're often hard to spot--and show you what to do about it. Authors Kevin Mandia and Chris Prosise favor a tools- and procedures-centric approach to the subject, thereby distinguishing this book from others that catalog particular attacks and methods for dealing with each one. The approach is more generic, and therefore better suited to dealing with newly emerging attack techniques.

Anti-attack procedures are presented with the goal of identifying, apprehending, and successfully prosecuting attackers. The advice on carefully preserving volatile information, such as the list of processes active at the time of an attack, is easy to follow. The book is quick to endorse tools, the functionalities of which are described so as to inspire creative applications. Information on bad-guy behavior is top quality as well, giving readers knowledge of how to interpret logs and other observed phenomena. Mandia and Prosise don't--and can't--offer a foolproof guide to catching crackers in the act, but they do offer a great "best practices" guide to active surveillance. --David Wall

Topics covered: Monitoring computer systems for evidence of malicious activity, and reacting to such activity when it's detected. With coverage of Windows and Unix systems as well as non-platform-specific resources like Web services and routers, the book covers the basics of incident response, processes for gathering evidence of an attack, and tools for making forensic work easier. --This text refers to an out of print or unavailable edition of this title.

Product Description
Written by FBI insiders, this updated best-seller offers a look at the legal, procedural, and technical steps of incident response and computer forensics. Including new chapters on forensic analysis and remediation, and real-world case studies, this revealing book shows how to counteract and conquer today’s hack attacks.

Reader Reviews
This review is from: Incident Response: Investigating Computer Crime (Paperback)

I am a senior engineer for network security operations. I am a graduate of the flagship session of the System Administration, Networking, and Security institute's Forensics, Investigations, and Response Education (SANS FIRE) program. "Incident Response" (IR) should have been the textbook for that program. It is the most definitive work I've read on incident response and computer forensics. I highly recommend every security professional take advantage of this book.

IR starts with a revealing case study, and follows through with additional mini-studies and "eye witness reports" based on the authors' experiences. It provides plenty of clear diagrams and charts to reinforce key points, like the innovative "hard drive layers" outlined in chapter five. Most every mention of a command line program is followed by an example of that command in action, either via screenshot or text sample. These examples let readers try similar commands on their own workstations, reinforcing the authors' investigative directions.

Beyond the excellent presentation of technical material, IR frames its discussion of incident response and computer forensics in a practical investigative methodology. My SANS FIRE training repeatedly stressed the importance of documentation, policies, processes, and methodology when performing forensic work worthy of adversarial legal scrutiny. IR's attention to detail helps investigators collect evidence in a professional, repeatable, forensically sound manner. Having appeared in court to defend their investigations, the authors share their knowledge and emphasize crucial steps to avoid forensic pitfalls. (An example is a DOS boot floppy's interaction with the DRVSPACE.BIN file. IR explains how to avoid this issue in detail.) Falling victim to these pitfalls could give a defense attorney an easy way to clear his client, or at least make certain evidence questionable in court.

The book is not perfect. Several typos indicated somewhat rushed publication, but did not detract from technical accuracy. I would have liked more material in chapter five on file systems; perhaps another appendix would be useful?

Many books and papers describe incident response procedures for UNIX, but few dare to discuss Windows. Given the predominance of compromised Windows hosts, this book thankfully addresses the Windows response task in a complete and clear manner. In many cases UNIX and Windows are compared side-by-side, and commands for one OS are explained using equivalents for the other OS.

IR provides a durable blend of practical investigative techniques and technical insights. I predict that investigators will cite the procedures in this book as examples of "best practices" when they defend their actions in court. I plan to build my company's incident response capability around IR's recommendations. (Disclaimer: I received my review copy free from Foundstone.)



Incident Response and Computer Forensics, Second Edition
List Price: $49.99

Copyright © 2008, dvddispatcher.com
