Wednesday, May 28, 2008

Windows Forensics And Incident Recovery (2004)


Book Layout

The chapters of this book are provided in a progressive sequence, each chapter building on the information discussed in the previous chapter. The progression through the chapters is intended to provide a thorough understanding of the issues presented when faced with performing live investigations of security incidents on Windows systems. However, several of the chapters can also be standalone references.

The chapters and appendices in this book are provided in the following sequence:

Chapter 1:
Introduction is, well, this chapter. The introduction provides an overview of the book and why it was written, what the reader should expect, and the target audience of the book.

Chapter 2:
How Incidents Occur addresses...well...how incidents happen. Knowing and understanding the conditions that lead to incidents helps administrators protect their systems against them, limit the damage that is done, detect malicious activity when other alarms fail to go off, and prevent similar incidents from occurring again.

Chapter 3:
Data Hiding describes various ways that many kinds of data can be hidden on a live system (anything from text files to executables, such as games and malware). This chapter not only addresses how attackers and automated software such as worms may hide files on a compromised system, but it also describes what kind of information is hidden in files by applications used on a daily basis (e.g., Microsoft's Indexing Service, as well as Office applications). The chapter also addresses how that hidden information can be discovered. Some of this information can be very revealing and extremely sensitive to organizations and document authors.

Chapter 4:
Incident Preparation addresses steps that should be taken to prepare for incidents. The goal is to provide system administrators and IT managers with the information they need to set up systems within their networks in such a manner as to prevent incidents from occurring and to detect them when they do occur. The necessary steps involve system configuration and hardening, as well as designing and configuring the infrastructure to establish a defense-in-depth posture.

Chapter 5:
Incident Response Tools describes many software tools used in incident response and forensics activities. Most of the tools described in this chapter are freely available on the Internet (be sure to read the licensing information when you download them!); others are native to Windows systems. Some of the tools listed are Perl scripts, used to collect information from a Windows system and to demonstrate how that collection can be done.

Chapter 6:
Developing a Methodology takes something of a different approach in walking through the development of an incident response methodology. The chapter is written as a story about a system administrator who has a series of dreams and learns lessons about incident response from each previous dream. In his dreams, the system administrator walks through some of the same problems and issues experienced by system administrators every day, as well as how to address and resolve those issues.

Chapter 7:
Knowing What To Look For describes the fingerprints of various types of malware, from network backdoors to rootkits. This chapter not only points out what to look for when you're trying to determine if a system has been infected with spyware, network backdoors, or a rootkit, but it also discusses and demonstrates tools and techniques for detecting this malware.

Chapter 8:
Using the Forensic Server Project describes how to set up and use the Forensic Server Project and the associated client components.

Chapter 9:
Scanners and Sniffers discusses various port scanning and network sniffing tools and how to use them. Several network traffic captures are also available on the accompanying CD, and this chapter poses questions about each of them. The reader should use the tools described in the chapter to answer the questions.

1 comment:

Anonymous said...

http://rapidshare.com/files/115938222/Windows_Forensics_And_Incident_Recovery__2004_.chm

or

http://tinyurl.com/42jcwj
