Chapter 11. Forensic Tools
All of the tools and techniques described in this book so far will make your network very secure if implemented properly and maintained vigilantly. But even if you do everything right, no network is 100 percent secure. If attackers are dedicated enough or lucky enough, sometimes they can break in anyway. An outsider can take advantage of a zero-day exploit that isn't published yet, or catch you in the window of opportunity between exploit announcement and patching. A tricky insider can use physical means to break in, such as gaining physical access to a server or stealing a password. Or they might use social engineering to bypass all your security measures by getting an overly helpful employee to give them access. So what do you do if, in spite of all your preparations, your network or systems get compromised?
Assuming you still have a job, it's not the end of the world. Even the largest companies in the world, with huge security staffs, get hacked, so it is nothing to be ashamed of. However, now it is time to pick up the pieces, figure out how they got in, patch up the holes, and, if necessary, track down the perpetrators and take further action. A number of open source tools can help you in this endeavor. They are called forensic tools, since you are trying to determine what happened based on the evidence you have available to you.
Concepts you will learn:
Uses for forensic tools
Incident response concepts
Preparing for forensic investigation
Tenets of good forensic investigation
Tools you will use:
Fport, lsof, DD, UNIX and Windows log files, Sleuth Kit, Autopsy Forensic Browser, and The Forensic Toolkit