First Responders Guide to Computer Forensics: Advanced Topics

Descriptive Note:

Final rept.


First Responders Guide to Computer Forensics: Advanced Topics expands on the technical material presented in SEI handbook CMU/SEI-2005-HB-001, First Responders Guide to Computer Forensics [Nolan 05]. While the latter presented techniques for forensically sound collection of data and reviewed the fundamentals of admissibility pertaining to electronic files, this handbook focuses exclusively on more advanced technical operations such as process characterization and spoofed email. It is designed for experienced security and network professionals who already have a fundamental understanding of forensic methodology; therefore, emphasis is placed on technical procedures rather than on forensic methodology. The first module focuses on log file analysis and explores techniques for using common analysis tools such as Swatch and Log Parser. The second module focuses on advanced techniques for process characterization, analysis, and volatile data recovery. The third module demonstrates advanced usage of the dd command-line utility; topics include how to slice an image and reassemble it with dd, how to carve out a section of data with dd, and how to image a running process with dd. The fourth and final module examines spoofed email messages: it looks at the RFCs for email, describes how email messages are spoofed, and presents some techniques for identifying and tracing spoofed email. Our focus is to provide system and network administrators with advanced methodologies, tools, and procedures for applying sound computer forensics best practices when performing routine log file reviews, network alert verifications, and other routine interactions with systems and networks. The final goal is to create trained system and network professionals who understand the fundamentals of computer forensics well enough that, in the normal course of their duties, they can safely preserve technical information related to network alerts and other security issues.

Subject Categories:

  • Computer Systems Management and Standards
