
Computer Incident Response and Forensics Team Management : Conducting a Successful Incident Response.
Author:
Johnson, Leighton.
ISBN:
9780124047259
Physical Description:
1 online resource (349 pages)
Contents:
Front Cover -- Computer Incident Response and Forensics Team Management -- Copyright Page -- Dedication -- Contents -- About the Author -- 1 Introduction -- 2 Definitions -- 1 Incident Response Team -- 3 The Stages of Incident Response -- Methodology #1 -- Preparation -- Identification -- Containment -- Investigation -- Eradication -- Recovery -- Follow-Up -- Methodology #2 -- Preparation -- Detection and Analysis -- Containment, Eradication, and Recovery -- Post-incident Activity -- Secure and Evaluate the Scene -- Document the Scene -- Perform Evidence Collection -- Package, Transport, and Store the Collected Digital Evidence -- Packaging Procedures -- Transportation Procedures -- Storage Procedures -- 4 The Security Incident Response Team Members -- Types of Technical Skills Needed -- Types of Personal Skills Needed -- 5 Incident Evidence -- 6 Incident Response Tools -- 7 Incident Response Policies and Procedures -- SIRT IR Policies -- Incident Response Plan -- Corporate IR Strategy and General Use Security Policies -- 8 Legal Requirements and Considerations -- Privacy -- Ethics -- Investigation Guidelines -- US Federal Rules of Evidence -- US Federal Rules for Civil Procedures -- 9 Governmental Laws, Policies, and Procedures -- US Government -- Privacy Act -- Computer Security Act -- Clinger-Cohen Act -- Computer Fraud & Abuse Act -- COPPA -- Electronic Communications Privacy Act of 1986 (ECPA) -- FISMA -- USA Patriot Act -- Canadian Government -- EU -- 2 Forensics Team -- 10 Forensics Process -- Prepare -- Identify -- Preserve -- Select -- Examine -- Classify -- Analyze -- Present -- 11 Forensics Team Requirements Members -- Member Criteria -- Forensics Analyst or Specialist -- Forensics Investigator -- Forensics Examiner -- Member Expertise -- Forensics Expertise Areas -- Developing and Refining the Investigation Plan.
Member Certification -- Vendor Neutral Certifications -- Certified Computer Examiner -- Certified Forensic Computer Examiner -- CyberSecurity Forensic Analyst -- Certified Hacking Forensics Investigator -- Certified Information Forensics Investigator -- Certified Computer Forensics Examiner -- SANS Forensics -- Global Information Assurance Certification Forensic Analyst (GCFA) -- Global Information Assurance Certification Forensic Examiner -- Certified Skills That GCFEs Possess -- Malware Analyst -- GIAC Malware Analysis Certification: GREM -- Certified Skills That GREM Certified Professionals Possess -- Digital Forensics Certified Practitioner or Digital Forensics Certified Associate -- Certified Digital Forensics Examiner -- Certified eDiscovery Specialist -- Vendor Specific Certifications -- EnCase Certified Examiner -- EnCase Certified eDiscovery Practitioner -- AccessData Certified Examiner -- 12 Forensics Team Policies and Procedures -- Forensics Analysis Process -- Data Collection -- Chain of Custody -- Evidence Handling and Control -- Evidence "Hand-over" to External Parties, LEO -- Hardware Specific Acquisition-SIM Cards, Cell Phone, USB Storage, etc. -- Data Type Acquisition-Audio Files, Video Files, Image Files, Network Files, Log Files -- Investigation Process -- Examination Process -- Data Review -- Research Requirements -- Forensics Reporting -- Analysis of Results -- Expert Witness Process -- 13 Management of Forensics Evidence Handling -- Chain of Evidence -- Initial Evidence Gathering -- Image Control -- Multiple Devices -- Research Requirements -- Data Collection Criteria -- Log Reviews -- eDiscovery -- Information Management -- Identification -- Preservation -- Collection -- Processing -- Review -- Analysis -- Production -- Presentation -- US Federal Rules of Civil Procedure -- UK Civil Procedure Rules -- Digital Evidence Layers.
14 Forensics Tools -- Types of Forensics Tools -- Tools for Specific Operating Systems and Platforms -- 15 Legalities of Forensics -- Reasons for Legal, Statutory, and Regulatory Compliance -- US Criteria, Laws, and Regulations -- EU Criteria, Laws, and Regulations -- Australia -- Canada -- The Results of the Investigation-Investigator Expert Testimony -- 16 Forensics Team Oversight -- Investigator's Code of Conduct -- Use of Templates for Information Recording -- 3 General Management and Team -- External Considerations -- ISO/IEC 18044 -- ISO 27037 -- ISO 27042 -- 17 General Team Management -- Corporate Level Management Considerations -- Corporate Needs to Support the Team Activities -- Third-Party Support During and After Events -- 18 Corporate IT-Related Security Relationship with SIR&FT -- Basic IT Control and Security Areas of Interest -- 19 Relationship Management -- 20 Conclusion -- The Incident Response Team -- The Forensics Team -- Final Words -- Appendix A: References -- Incident Response Online Resources -- Incident Detection -- Incident Response Team -- User Awareness -- Incident Recovery -- Key Organization -- Incident Response -- Incident Reporting/Documentation -- Forensics and eDiscovery Online Resources -- Appendix B: Relevant Incident Response and Forensics Publications from Governmental Agencies and Organizations -- US -- NIST Special Publications -- NIST Interagency Reports -- US-CERT Documents -- EU -- ENISA -- APCO-British Association of Chief Police Officers -- Appendix C: Forensics Team Templates -- Index.
Abstract:
Computer Incident Response and Forensics Team Management provides security professionals with a complete handbook of computer incident response from the perspective of forensics team management. This unique approach teaches readers the concepts and principles they need to conduct a successful incident response investigation, ensuring that proven policies and procedures are established and followed by all team members. Leighton R. Johnson III describes the processes within an incident response event and shows the crucial importance of skillful forensics team management, including when and where the transition to forensics investigation should occur during an incident response event. The book also provides discussions of key incident response components.
- Provides readers with a complete handbook on computer incident response from the perspective of forensics team management.
- Identifies the key steps to completing a successful computer incident response investigation.
- Defines the qualities necessary to become a successful forensics investigation team member, as well as the interpersonal relationship skills necessary for successful incident response and forensics investigation teams.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.