Before I took the SANS 504 course I had picked up the book Incident Response & Computer Forensic (2nd Ed.) by Kevin Mandia, Chris Prosise and Matt Pepe. I was well into the book before the class started, and I'm glad class began while reading the book. The book almost makes a perfect companion for the class. The book helped me re-enforce many of the concepts taught in the class.
I'll start out by saying the book is excellent, well written, easy to read; and chock full of sites to pick up the tools used in the examples written about in the book. I learned many new tactics that I have already put into practice and I believe have made me a better security warrior. Rest assured, the authors are well versed in the field and they rely on their vast experience to convey their points. Many chapters contain real-world anecdotes to cases the authors worked on/witnessed and lend credence to the points being discussed.
The book is divided up into four logical sections: an introduction to incident response, collecting data, analyzing data, and an appendix (one chapter of which contains common sample forms.) The introductory chapters explain the basics of IR, what to expect, creating a team, and establishing the processes. Specific chapters deal with preparing for incidents and what to do after an incident has been declared. I really liked the chapters on data acquisition as it applies the most to what I do. Chapters deal with Windows, unix/linux, network data collection, and an important chapter on evidence and evidence handling. (The latter chapter is important for everyone, but the authors stress why this would be important in a corporate setting.) I especially liked the tools discussed and the scripts that are presented with the methodology for using them. The next section presented how to analyze the data that has been collected. While there is heavy presentation on forensics duplication (and rightly so,) there are chapters on Windows analysis, unix/linux analysis, and network analysis. From the network analysis chapter, the points on network data capture and reconstruction helped me the most.
My only complaint about the book is no fault of the author's. The book is copyright 2003. And, while the processes and methodologies could be considered timeless, unfortunately; the links to some of the software is not. In the five years, some companies have gone out of business, some have been absorbed by other (larger) companies. And some tools are no longer available. A great benefit of the book is that much of the software is free (and open source.) However, there are instances where the software linked to now costs.
All in all, I highly recommend the book to anyone looking to get into the field, or, anyone charged with setting up (or running) an incident handling team in their company. The methodologies and processes should be employed in any company where an incident response team works so that incidents can come to their proper conclusion. Many tools are presented in the chapters along with insights on how to get the most out of those tools.