Good question, but too general for any type of specific response.  What exactly 
are you looking to examine?  Router activity, servers, workstations (probably 
considered by many to be one and the same), network, disk, etc.

The first thing I would recommend to anyone considering what to do regarding 
computer forensics is to get involved with your local ISSA or ISACA chapters; 
they usually have a monthly luncheon where you can recommend speakers.  
Sometimes they have speakers who address issues like hacker activity of various 
sorts, footprints, and other issues that would help you understand what to look 
for and on what type of medium.

Read.  There are a lot of books (good books) that can help you grasp an 
understanding of what you need to look for technically.  I caution you: these 
books are meant to teach the technical aspect of forensics, not the legal 
aspects; that's a completely different book.

The Hacking Exposed books are a good start; they have a few that address 
forensics.  But like I said, you need to understand what it is you're looking 
for.  Other books in this same series help you comprehend various types of 
footprints.  The SNORT book is very good, and so are the books by Stephen 
Northcutt on understanding intrusion detection.

There are other books as well, but before you buy, look over the reviews; Amazon 
has some very good reviews on these books.  Then look for yourself.  Go down 
to the store and sit there on the floor (like I sometimes do) and read a few 
pages.  If the author doesn't grab your attention in the first few random pages 
you read, chances are he's just rambling anyway and trying to sell a book based 
on his self-proclaimed expertise.

Then you need to work with some of the software available.  If you have a few 
thousand dollars you can get a trimmed-down version of EnCase.  Or, if you're 
like many, you have about zero budget for that type of software, so you download 
a copy of Autopsy and Sleuthkit.  These are becoming terrific tools that are 
NOT for the point-and-click community.

Then there is the legal aspect, which is 80% or more of actual forensics.  
Finding the data becomes the no-brainer; it's how you go about getting it that 
determines whether what you did was legal.  You are not the President of 
the U.S., so don't make any assumptions.  A good course on incident response and 
legal steps is probably of utmost importance.  Probably not real fun, but just 
as important, if not critical.

Thanks for asking.

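A worked illustration of the "not point-and-click" part of the advice above, added here as an example and not taken from the post or from the Sleuthkit project: the first thing a tool like Sleuthkit's mmls does with a disk image is read sector 0, check the 0x55AA boot signature, and walk the four 16-byte MBR partition entries to find where each volume starts and ends. The script below does exactly that on a constructed 512-byte image (two partitions, values chosen here for illustration), and pairs it with the integrity step a practitioner records before touching evidence: a SHA-256 of the image that is re-checked later. Function and constant names are this example's own.

```python
import hashlib
import hmac
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
ENTRY_SIZE = 16                   # four entries of 16 bytes each
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count

# Small lookup of common MBR type codes; anything else is reported in hex.
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS / exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective (read the GPT instead)",
}


def _entry(status, ptype, start_lba, sectors):
    """Build one MBR partition entry. CHS fields are zeroed; modern tools rely on LBA."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def build_sample_image():
    """Constructed sample (not a real disk): MBR with a bootable NTFS and a Linux partition."""
    table = (_entry(0x80, 0x07, 2048, 204800)
             + _entry(0x00, 0x83, 206848, 409600)
             + b"\0" * (ENTRY_SIZE * 2))
    return b"\0" * PARTITION_TABLE_OFFSET + table + BOOT_SIGNATURE


def parse_mbr(sector0):
    """Return the non-empty partition entries of an MBR sector, mmls-style.

    Raises ValueError when the sector is too short or lacks the 0x55AA signature,
    which is what you see on a wiped, damaged, or non-MBR (raw/GPT-only) image.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR, or sector 0 is damaged")
    parts = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * ENTRY_SIZE
        status, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, sector0[off:off + ENTRY_SIZE])
        if ptype == 0 and size == 0:
            continue                      # unused slot
        parts.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "start": start,               # first sector (LBA)
            "end": start + size - 1,      # last sector (LBA)
            "length": size,
        })
    return parts


def describe(parts):
    """Render entries as text lines resembling mmls output (slot, start, end, length, type)."""
    lines = ["Slot  Start      End        Length     Description"]
    for p in parts:
        flag = "*" if p["bootable"] else " "
        lines.append(f"{p['slot']:02d}{flag}   {p['start']:010d} {p['end']:010d} "
                     f"{p['length']:010d} {p['type_name']}")
    return lines


def sha256_hex(data):
    """Hash recorded at acquisition time and kept with the chain-of-custody paperwork."""
    return hashlib.sha256(data).hexdigest()


def verify_image_hash(data, expected_hex):
    """Re-check the image against the recorded hash before (and after) analysis."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


if __name__ == "__main__":
    image = build_sample_image()
    recorded = sha256_hex(image)          # would be written down when the image was taken
    print("image sha256:", recorded)
    print("integrity ok:", verify_image_hash(image, recorded))
    for line in describe(parse_mbr(image)):
        print(line)
```

Two habits the example bakes in: fail loudly when the signature is missing rather than guessing at partition bounds, and compare hashes with a constant-time function so the integrity check itself is not a side channel. On a real image you would hand the start sector of each entry to the next layer (fsstat, fls, icat in Sleuthkit terms), which is why mmls reports sector offsets rather than byte offsets.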