
Digital Forensics and Incident Response

Book Description

A practical guide to deploying digital forensic techniques in response to cyber security incidents

About This Book

  • Learn incident response fundamentals and create an effective incident response framework
  • Master forensics investigation utilizing digital investigative techniques
  • Contains real-life scenarios that effectively use threat intelligence and modeling techniques

Who This Book Is For

This book is targeted at information security professionals, forensics practitioners, and students who are comfortable using software applications and have basic command-line experience. It will also help professionals who are new to the incident response or digital forensics role within their organization.

What You Will Learn

  • Create and deploy incident response capabilities within your organization
  • Build a solid foundation for acquiring and handling suitable evidence for later analysis
  • Analyze collected evidence and determine the root cause of a security incident
  • Learn to integrate digital forensic techniques and procedures into the overall incident response process
  • Integrate threat intelligence in digital evidence analysis
  • Prepare written documentation for use internally or with external parties such as regulators or law enforcement agencies

In Detail

Digital Forensics and Incident Response will guide you through the entire spectrum of tasks associated with incident response, starting with the preparatory work of creating an incident response plan and building a digital forensics capability within your own organization. You will then begin a detailed examination of digital forensic techniques, including acquiring evidence, examining volatile memory, assessing hard drives, and collecting network-based evidence. You will also explore the role that threat intelligence plays in the incident response process. Finally, a detailed section on reporting will help you prepare a written report for use either internally or in a courtroom.

By the end of the book, you will have mastered forensic techniques and incident response, and you will have a solid foundation on which to build your ability to investigate such incidents in your organization.

Style and approach

The book covers practical scenarios and examples in an enterprise setting to give you an understanding of how digital forensics integrates with the overall response to cyber security incidents. You will also learn the proper use of tools and techniques, such as memory analysis, disk analysis, and network analysis, to investigate common cyber security incidents such as malware infections.

Table of Contents

  1. Preface
    1. What this book covers
    2. What you need for this book
    3. Who this book is for
    4. Conventions
    5. Reader feedback
    6. Customer support
      1. Downloading the color images of this book
      2. Errata
      3. Piracy
      4. Questions
  2. Incident Response
    1. The incident response process
      1. The role of digital forensics
    2. The incident response framework
      1. The incident response charter
      2. CSIRT
        1. CSIRT core team
        2. Technical support personnel
        3. Organizational support personnel
        4. External resources
    3. The incident response plan
      1. Incident classification
    4. The incident response playbook
      1. Escalation procedures
      2. Maintaining the incident response capability
    5. Summary
  3. Forensic Fundamentals
    1. Legal aspects
      1. Laws and regulations
      2. Rules of evidence
    2. Digital forensic fundamentals
      1. A brief history
      2. The digital forensic process
        1. Identification
        2. Preservation
        3. Collection
          1. Proper evidence handling
          2. Chain of custody
        4. Examination
        5. Analysis
        6. Presentation
      3. Digital forensic lab
      4. Physical security
      5. Tools
      6. Hardware
      7. Software
      8. Jump kit
    3. Summary
  4. Network Evidence Collection
    1. Preparation
      1. Network diagram
      2. Configuration
      3. Logs and log management
    2. Network device evidence
      1. Security information and event management system
      2. Security onion
    3. Packet capture
      1. tcpdump
      2. WinPcap and RawCap
      3. Wireshark
    4. Evidence collection
    5. Summary
  5. Acquiring Host-Based Evidence
    1. Preparation
    2. Evidence volatility
    3. Evidence acquisition
    4. Evidence collection procedures
      1. Memory acquisition
        1. Local acquisition
          1. FTK Imager
          2. Winpmem
      2. Remote acquisition
        1. Winpmem
        2. F-Response
      3. Virtual machines
    5. Non-volatile data
    6. Summary
  6. Understanding Forensic Imaging
    1. Overview of forensic imaging
    2. Preparing a stage drive
    3. Imaging
      1. Dead imaging
      2. Live imaging
      3. Imaging with Linux
    4. Summary
  7. Network Evidence Analysis
    1. Analyzing packet captures
      1. Command-line tools
      2. Wireshark
      3. Xplico and CapAnalysis
        1. Xplico
        2. CapAnalysis
    2. Analyzing network log files
      1. DNS blacklists
      2. SIEM
      3. ELK Stack
    3. Summary
  8. Analyzing System Memory
    1. Memory evidence overview
    2. Memory analysis
      1. Memory analysis methodology
        1. SANS six-part methodology
      2. Network connections methodology
      3. Tools
      4. Redline
      5. Volatility
        1. Installing Volatility
        2. Identifying the image
        3. pslist
        4. psscan
        5. pstree
        6. DLLlist
        7. Handles
        8. svcscan
        9. netscan and sockets
        10. LDR modules
        11. psxview
        12. Dlldump
        13. memdump
        14. procdump
      6. Rekall
        1. imageinfo
          1. pslist
        2. Event logs
        3. Sockets
        4. Malfind
    3. Summary
  9. Analyzing System Storage
    1. Forensic platforms
      1. Autopsy
        1. Installing Autopsy
        2. Opening a case
        3. Navigating Autopsy
        4. Examining a Case
          1. Web Artifacts
        5. Email
        6. Attached Devices
        7. Deleted Files
        8. Keyword Searches
        9. Timeline Analysis
        10. Registry analysis
    2. Summary
  10. Forensic Reporting
    1. Documentation overview
      1. What to document
      2. Types of documentation
      3. Sources
      4. Audience
    2. Incident tracking
      1. Fast incident response
    3. Written reports
      1. Executive summary
      2. Incident report
      3. Forensic report
    4. Summary
  11. Malware Analysis
    1. Malware overview
    2. Malware analysis overview
      1. Static analysis
      2. Dynamic analysis
    3. Analyzing malware
      1. Static analysis
      2. Pestudio
      3. Remnux
    4. Dynamic analysis
      1. Process Explorer
      2. Cuckoo sandbox
    5. Summary
  12. Threat Intelligence
    1. Threat intelligence overview
      1. Threat intelligence types
    2. Threat intelligence methodology
    3. Threat intelligence direction
      1. Cyber kill chain
      2. Diamond model
      3. MITRE ATT&CK
    4. Threat intelligence sources
      1. Internally developed sources
      2. Commercial sourcing
      3. Open source
    5. Threat intelligence platforms
      1. MISP threat sharing
    6. Using threat intelligence
      1. Proactive threat intelligence
      2. Reactive threat intelligence
        1. Autopsy
        2. Redline
        3. Yara and Loki
    7. Summary