Edition: 2nd Edition
Author: Chris Prosise
Now, while this book may seem a little outdated, it was considered a “gem” in its own time and still is today. Chris Prosise’s “Incident Response and Computer Forensics” does contain somewhat older digital forensics and incident response methods, but the documented processes, suggestions, procedures and examples detailed in this book will help give any organization (or individual) a framework for building an Incident Response/Forensic team.
The Good: I’ve got a couple of thoughts on where this book shines and really stands out and I’d like to share them with you.
First off, Chris Prosise has done an excellent job of composing and consolidating material that really provides the “procedural” means to establish an incident response infrastructure in your organization. I also enjoyed that this book provides a beginner’s overview of using EnCase and FTK, for those who aren’t all too familiar with the day-to-day use of these forensic software packages.
A personal selling point for me in buying this book was its promotion of free and open-source software for performing forensics and incident response. I personally enjoyed that this book focuses on the use of a lot of free and open-source tools. It’s not fair to assume that every organization or individual can afford thousands to hundreds of thousands of dollars to invest in forensic software. The heavy use of free and open-source tools also lets you learn and tinker with IR and forensics at home, on a tight or non-existent budget. I applaud the author for his promotion of these utilities.
The first few chapters really focus on what drives the need for incident response and computer forensics and help to answer the question “how does one get started?”. As you move through the chapters, you’ll be introduced to all the steps in a forensic investigation process – from the initial incident occurring, to acquisition of drive images and, of course, analysis of those images. Make no mistake, even though I’m sticking with my view that this is a beginner’s guide to Incident Response, Mr. Prosise has made sure to cover and dive into every fine technical detail you should be looking at:
- Date/time stamp importance
- Locations and paths of pertinent log files
- Anti-forensic tools (used by attackers)
- Forensic duplication of digital evidence
- And so much more…
The real meat of this book begins with Chapter 12: Investigating Windows Systems, and the following chapter, Chapter 13: Investigating Linux Systems (bet you didn’t see that coming, did you), dives into Linux incident investigation as well. A newbie to incident response will really enjoy the thorough explanation and analysis of all the different areas in an operating system that contain forensic evidence. Chapters 12 & 13 handle this very well in my opinion.
This book also goes into a good deal of detail on file/folder recovery from unallocated space, free space and slack space (the bytes between a file’s logical end and the end of its last allocated cluster); a must-know for any Incident Response/Forensic Analyst, and in a lot of cases these are the areas that tend to be overlooked by any “noob”. I can speak from personal experience in saying that data contained in slack/free space may be evidence as important as, if not more important than, what sits in the allocated files. As I mentioned before, Chris does a fine job of detailing and highlighting every step of the way, and this area of the book is no different.
The Bad: Again, it’s outdated by about 9 years, so it won’t cover the more “current” storage media such as the SAS or SATA interfaces or newer drive types such as solid-state or removable drives, but the concepts in this book can still be applied to all current storage technologies. Obviously, because of its age, smartphone and tablet evidence handling isn’t covered in this book, but again, we are talking about a book from 2003. The only other thing I find missing in this, and in the majority of digital forensic titles, is image acquisition and investigation of SAN/NAS or backup storage, such as EMC’s Avamar. As far as this forensic guy knows, pulling the drive from the appliance or array is still going to be the easiest.
The Ugly: None, despite its age. In 2003, this book was one of the go-to sources for incident response, and now in 2012 it still is. It’s important to note that this book is mainly meant for beginners – those first introducing themselves to incident response and forensics. That said, it makes a good refresher and a great reference book for those of us who are a bit more seasoned with Incident Response.
Overall: I strongly recommend this book to anyone considering a career in Incident Response or Computer Forensics, or to anyone who simply has a strong interest in computer forensics. It will help give you a basic understanding of incident response, and a lot of the basic concepts defined in this book are very much still in use to this day. I’d like to see Mr. Prosise come forward with a third, “updated” edition of this book that includes the items I mentioned above.
I rate this book a 4 out of a possible 5.
For my readers’ convenience, I’ve included a link below if you’re interested in picking this book up and adding it to the rest of your invaluable resources at home or in the office.