First Responders Guide to Computer Forensics

This handbook is for technical staff members charged with administering and securing information systems and networks. It targets a critical training gap in the fields of information security, computer forensics, and incident response: performing basic forensic data collection. The first module describes cyber laws and their impact on incident response. The second module builds understanding of file systems and outlines a best practice methodology for creating a trusted first responder tool kit for investigating potential incidents. The third module reviews some best practices, techniques, and tools for collecting volatile data from live Windows and Linux systems. It also explains the importance of collecting volatile data before it is lost or changed. The fourth module reviews techniques for capturing persistent data in a forensically sound manner and describes the location of common persistent data types. Each module ends with a summary and a set of review questions to help clarify understanding. This handbook was developed as part of a larger project. The incorporated slides are from the five day hands-on course Forensics Guide to Incident Response for Technical Staff developed at the SEI. The focus is on providing system and network administrators with methodologies, tools, and procedures for applying fundamental computer forensics when collecting data on both a live and a powered off machine. A live machine is a machine that is currently running and could be connected to the network. The target audience includes system and network administrators, law enforcement, and any information security practitioners who may find themselves in the role of first responder. The handbook should help the target audience to * understand the essential laws that govern their actions * understand key data types residing on live machines * evaluate and create a trusted set of tools for the collection of data * collect, preserve, and protect data from live and powered off machines * learn methodologies for collecting information that are forensically sound (i.e., able to withstand the scrutiny of the courts)