526367 Cover_rb2.qxp 3/19/03 3:53 PM Page 1 Networking/Security $45.00 USA/$67.99 CAN/£31.50 UK TIMELY. PRACTICAL. RELIABLE. INCLUDES CD-ROM Your in-depth guide to detecting network breaches, uncovering evidence, Incident Response and preventing future attacks Whether it’s from malicious code sent You’ll learn how to: DOUGLAS SCHWEITZER is an through an e-mail or an unauthorized Internet security specialist and • Recognize the telltale signs of an user accessing company files, your authority on malicious code and incident and take specific response network is vulnerable to attack. Your computer forensics. He is a Cisco measures response to such incidents is critical. Certified Network Associate and Incident With this comprehensive guide, • Search for evidence by preparing Certified Internet Webmaster Douglas Schweitzer arms you with the operating systems, identifying Associate, and holds A+, tools to reveal a security breach, gather network devices, and collecting Network+, and i-Net+ certifica- evidence to report the crime, and con- data from memory tions. Schweitzer is also the duct audits to prevent future attacks. author of Internet Security Made • Analyze and detect when malicious He also provides you with a firm Easy and Securing the Network code enters the system and quickly understanding of the methodologies from Malicious Code. locate hidden files for incident response and computer Response forensics, Federal Computer Crime law • Perform keyword searches, review information and evidence require- browser history, and examine Web ments, legal issues, and how to work caches to retrieve and analyze clues CD-ROM includes: with law enforcement. • Create a forensics toolkit to prop- • Helpful tools to capture and erly collect and preserve evidence protect forensic data; search volumes, drives, and servers for • Contain an incident by severing evidence; and rebuild systems network and Internet connections, quickly after evidence has been and then eradicate any vulnerabili- Computer obtained ties you uncover • Valuable checklists developed • Anticipate future attacks and by the author for all aspects of Forensics monitor your system accordingly incident response and handling • Prevent espionage, insider attacks, and inappropriate use of Toolkit the network • Develop policies and procedures to carefully audit the system Wiley Technology Publishing Timely. Practical. Reliable. Visit our Web site at www.wiley.com/compbooks/ Schweitzer ISBN: 0-7645-2636-7 *85555-IGFADh ,!7IA7G4-fcgdgh!:p;o;p;K;K Douglas Schweitzer a526367 FM.qxd 3/21/03 3:37 PM Page i Incident Response: Computer Forensics Toolkit a526367 FM.qxd 3/21/03 3:37 PM Page ii a526367 FM.qxd 3/21/03 3:37 PM Page iii Incident Response: Computer Forensics Toolkit Douglas Schweitzer a526367 FM.qxd 3/21/03 3:37 PM Page iv Incident Response: Computer Forensics Toolkit Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2003 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 0-7645-2636-7 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 1O/RR/QU/QT/IN No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-Mail: [email protected]. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Cataloging-in-Publication Data on file with the publisher. Trademarks: Wiley, the Wiley Publishing logo, and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. a526367 FM.qxd 3/21/03 3:37 PM Page v About the Author Douglas Schweitzer is an Internet security specialist with Brainbench certifications in Internet security and ITAA Information Security Awareness. Douglas is a Certified Internet Webmaster Associate, and he holds A+, Network+, and i-Net+ certifications from the Computing Technology Industry Association. He has appeared as an Internet security guest speaker on several radio shows, including KYW Philadelphia, as well as on Something You Should Know and Computer Talk America, two nationally syndicated radio shows. He is also the author of Securing the Network from Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and Trojans and Internet Security Made Easy: A Plain-English Guide to Protecting Yourself and Your Company Online. a526367 FM.qxd 3/21/03 3:37 PM Page vi Credits ACQUISITIONS EDITOR PROJECT COORDINATORS Katie Feltman Cindy Phipps, Bill Ramsey PROJECT EDITOR GRAPHICS AND PRODUCTION SPECIALISTS Mark Enochs Beth Brooks, Sean Decker, LeAndra Johnson, Stephanie Jumper, TECHNICAL EDITOR Kristin McMullan, Heather Pope, Russell Shumway Julia Trippetti COPY EDITOR QUALITY CONTROL TECHNICIANS Maarten Reilingh Carl W. Pierce, Robert Springer EDITORIAL MANAGER PERMISSIONS EDITOR Mary Beth Wakefield Laura Moss VICE PRESIDENT & EXECUTIVE MEDIA DEVELOPMENT SPECIALIST GROUP PUBLISHER Travis Silvers Richard Swadley PROOFREADING VICE PRESIDENT AND EXECUTIVE PUBLISHER Kim Cofer Bob Ipsen INDEXING EXECUTIVE EDITOR Virginia Bess Carol Long EXECUTIVE EDITORIAL DIRECTOR Mary Bednarek a526367 FM.qxd 3/21/03 3:37 PM Page vii This book is dedicated in loving memory of Mirhan “Mike” Arian, whose insight and camaraderie are forever missed. a526367 FM.qxd 3/21/03 3:37 PM Page viii a526367 FM.qxd 3/21/03 3:37 PM Page ix Acknowledgments This book would not have been possible without the combined efforts of some very talented peo- ple. I would first like to thank my agent, Carole McClendon of Waterside Productions for her assis- tance in again finding me a superb publisher. I would also like to thank the hard-working individuals at Wiley Publishing who helped to make this book a reality. Their enthusiasm and sup- port were a continued shot in the arm. In particular, I would like to thank Acquisitions Editor, Katie Feltman for her confidence in me and for helping me to shape and hone the initial outline for the book. I am also grateful to Project Editor, Mark Enochs for all his suggestions. I would like to say thank you to my wife and best friend, Monique, for without her help, this book would not have been possible. I tip my hat to Russ Shumway who, as my technical editor, did a superb job ensuring that all my facts were correct and who suggested a number of additions that kept this book technically sound. Thanks, as well, to my sons Deran and Alex for their enduring patience with me while I spent many long hours writing. ix a526367 FM.qxd 3/21/03 3:37 PM Page x a526367 FM.qxd 3/21/03 3:37 PM Page xi Contents at a Glance Acknowledgments . ix Introduction . xix Chapter 1 Computer Forensics and Incident Response Essentials . 1 Chapter 2 Addressing Law Enforcement Considerations . 27 Chapter 3 Forensic Preparation and Preliminary Response . 45 Chapter 4 Windows Registry, Recycle Bin, and Data Storage . 69 Chapter 5 Analyzing and Detecting Malicious Code and Intruders . 91 Chapter 6 Retrieving and Analyzing Clues. 115 Chapter 7 Procedures for Collecting and Preserving Evidence. 135 Chapter 8 Incident Containment and Eradication of Vulnerabilities . 155 Chapter 9 Disaster Recovery and Follow-Up . 177 Chapter 10 Responding to Different Types of Incidents . 195 Chapter 11 Assessing System Security to Prevent Further Attacks . 215 Chapter 12 Pulling It All Together. 235 Appendix A What’s on the CD-ROM . 247 Appendix B Commonly Attacked Ports . 257 Appendix C Field Guidance on USA Patriot Act 2001 . 269 Appendix D Computer Records and the Federal Rules of Evidence . 281 Appendix E Glossary . 289 Index . 297 a526367 FM.qxd 3/21/03 3:37 PM Page xii a526367 FM.qxd 3/21/03 3:37 PM Page xiii Contents Acknowledgments . ix Introduction . xix Chapter 1 Computer Forensics and Incident Response Essentials . 1 Catching the Criminal: The Basics of Computer Forensics . 2 Recognizing the Signs of an Incident . 5 Preparing for Incidents . 14 Developing a Computer Security Incident Response Capability. 16 The Computer Security Incident Response Team. 17 The Incident Reporting Process .
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages362 Page
-
File Size-