BKINCRSP.RVW 20051029 "Incident Response", Douglas Schweitzer, 2003, 0-7645-2636-7, U$45.00/C$67.99/UK#31.50 %A Douglas Schweitzer %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2003 %G 0-7645-2636-7 %I John Wiley & Sons, Inc. %O U$45.00/C$67.99/UK#31.50 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0764526367/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0764526367/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0764526367/robsladesin03-20 %O Audience s+ Tech 2 Writing 1 (see revfaq.htm for explanation) %P 323 p. + CD-ROM %T "Incident Response: Computer Forensics Toolkit" The title talks about incident response. The subtitle talks about computer forensics. The introduction doesn't clear up the confusion. Is the book about forensics? Response? Does Schweitzer think that forensics (and which kind?) is the only response there is? Chapter one purports to be an introduction to forensic and response essentials. It is a vague and disorganized grab bag of issues. (A section entitled "Recognizing the Signs of an Incident" talks about the fact the you should respond properly, and one supposedly addressing issues around preparation suggests that there is a need for response to incidents. A two page list of characteristics of various operating systems provides such amazing advice as that MS-DOS has text on a black screen, while Windows has colours. In any case, the response to an incident is the same: pull the plug. Legal issues are said to be the topic of chapter two: it lists some US laws related to computers. Some items that should be examined in computer or network forensic investigations are tabulated in chapter three. Chapter four has miscellaneous information about the Registry and file systems. Processes (on Windows) and some indications of the potential presence of a backdoor (or simply the fact that parts of your operating system are running) make up chapter five. Chapter six has random and incomplete data on utilities and items that might hold information. Procedures for collecting evidence, and lots of other material, is in chapter seven. The advice on containment of incidents, in chapter eight, seems to be limited to "pull the plug." Chapter nine has incomplete recommendations for business continuity and disaster recovery. The response to different kinds of threats, in chapter ten, is terse, and the largest space is given to a discussion of sexual harassment. Chapter eleven is supposed to be dedicated to assessing system security in order to prevent further attacks: there is limited advice on hardening Windows, and some directions on general security reviews. A list of miscellaneous computer attacks and incidents closes off the book in chapter twelve. The book is randomly structured, disorganized in terms of the written material, and excessively verbose. There is some coverage in regard to computer forensics for those with no experience in the field, but nothing that can't be found elsewhere, with much less work, and in a more complete state. copyright Robert M. Slade, 2005 BKINCRSP.RVW 20051029