
Chapter 11. Forensic Tools

All of the tools and techniques described in this book so far will make your network very secure if implemented properly and maintained vigilantly. But even if you do everything right, no network is 100 percent secure. If attackers are dedicated enough or lucky enough, sometimes they can break in anyway. An outsider can take advantage of a zero-day exploit that isn't published yet, or catch you in the window of opportunity between exploit announcement and patching. A tricky insider can use physical means to break in, such as gaining physical access to a server or stealing a password. Or they might use social engineering to bypass all your security measures by getting an overly helpful employee to give them access. So what do you do if, in spite of all your preparations, your network or systems get compromised?

Assuming you still have a job, it's not the end of the world. Even the largest companies in the world, with huge security staffs, get hacked, so it is nothing to be ashamed of. However, now it is time to pick up the pieces, figure out how they got in, patch up the holes and, if necessary, track down the perpetrators and take further action. A number of open source tools can help you in this endeavor. They are called forensic tools because you use them to determine what happened based on the evidence available to you.

Chapter Overview

Concepts you will learn:

  • Uses for forensic tools

  • Incident response concepts

  • Preparing for forensic investigation

  • Tenets of good forensic investigation

Tools you will use:

Fport, lsof, DD, UNIX and Windows log files, Sleuth Kit, Autopsy Forensic Browser, and The Forensic Toolkit
