book

Digital Forensics and Incident Response - Third Edition

by Gerard Johansen

December 2022

Intermediate to advanced

532 pages

13h 54m

English

Packt Publishing

Read now

Unlock full access

About the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare your thoughtsDownload a free PDF copy of this book
The IR processThe role of digital forensicsThe IR frameworkThe IR charterCSIRT teamThe IR planIncident classificationThe IR playbook/handbookEscalation processTesting the IR frameworkSummaryQuestionsFurther reading
Engaging the incident response teamCSIRT engagement modelsInvestigating incidentsThe CSIRT war roomCommunicationsRotating staffSOARIncorporating crisis communicationsInternal communicationsExternal communicationsPublic notificationIncorporating containment strategiesGetting back to normal – eradication, recovery, and post-incident activitySummaryQuestionsFurther reading
An overview of forensic scienceLocard’s exchange principleLegal issues in digital forensicsLaw and regulationsRules of evidenceForensic procedures in incident responseA brief history of digital forensicsThe digital forensics processThe digital forensics labSummaryQuestionsFurther reading
An intrusion analysis case study: The Cuckoo’s EggTypes of incident investigation analysisFunctional digital forensic investigation methodologyIdentification and scopingCollecting evidenceThe initial event analysisThe preliminary correlationEvent normalizationEvent deconflictionThe second correlationThe timelineKill chain analysisReportingThe cyber kill chainThe diamond model of intrusion analysisDiamond model axiomsA combined diamond model and kill chain intrusion analysisAttributionSummaryQuestions
An overview of network evidencePreparationA network diagramConfigurationFirewalls and proxy logsFirewallsWeb application firewallsWeb proxy serversNetFlowPacket capturetcpdumpWinPcap and RawCapWiresharkEvidence collectionSummaryQuestionsFurther reading
PreparationOrder of volatilityEvidence acquisitionEvidence collection proceduresAcquiring volatile memoryFTK ImagerWinPmemRAM CapturerVirtual systemsAcquiring non-volatile evidenceFTK obtaining protected filesThe CyLR response toolKroll Artifact Parser and ExtractorSummaryQuestionsFurther reading

Enterprise incident response challengesEndpoint detection and responseVelociraptor overview and deploymentVelociraptor serverVelociraptor Windows collectorVelociraptor scenariosVelociraptor evidence collectionCyLRWinPmemSummaryQuestions
Understanding forensic imagingImage versus copyLogical versus physical volumesTypes of image filesSSD versus HDDTools for imagingPreparing a staging driveUsing write blockersImaging techniquesDead imagingLive imagingVirtual systemsLinux imagingSummaryQuestionsFurther reading
Network evidence overviewAnalyzing firewall and proxy logsSIEM toolsThe Elastic StackAnalyzing NetFlowAnalyzing packet capturesCommand-line toolsReal Intelligence Threat AnalyticsNetworkMinerArkimeWiresharkSummaryQuestionsFurther reading
Memory analysis overviewMemory analysis methodologySANS six-part methodologyNetwork connections methodologyMemory analysis toolsMemory analysis with VolatilityVolatility WorkbenchMemory analysis with StringsInstalling StringsCommon Strings searchesSummaryQuestionsFurther reading
Forensic platformsAutopsyInstalling AutopsyStarting a caseAdding evidenceNavigating AutopsyExamining a caseMaster File Table analysisPrefetch analysisRegistry analysisSummaryQuestionsFurther reading
Logs and log managementWorking with SIEMsSplunkElastic StackSecurity OnionWindows LogsWindows Event LogsAnalyzing Windows Event LogsAcquisitionTriageDetailed Event Log analysisSummaryQuestionsFurther reading
Documentation overviewWhat to documentTypes of documentationSourcesAudienceExecutive summaryIncident investigation reportForensic reportPreparing the incident and forensic reportNote-takingReport languageSummaryQuestionsFurther reading
History of ransomwareCryptoLockerCryptoWallCTB-LockerTeslaCryptSamSamLockyWannaCryRyukConti ransomware case studyBackgroundOperational disclosureTactics and techniquesExfiltrationImpactProper ransomware preparationRansomware resiliencyPrepping the CSIRTEradication and recoveryContainmentEradicationRecoverySummaryQuestionsFurther reading
Ransomware initial access and executionInitial accessExecutionDiscovering credential access and theftProcDumpMimikatzInvestigating post-exploitation frameworksCommand and ControlSecurity OnionRITAArkimeInvestigating lateral movement techniquesSummaryQuestionsFurther reading
Malware analysis overviewMalware classificationSetting up a malware sandboxLocal sandboxCloud sandboxStatic analysisStatic properties analysisDynamic analysisProcess ExplorerProcess Spawn ControlAutomated analysisClamAVYARAYarGenSummaryQuestionsFurther reading
Threat intelligence overviewThreat intelligence typesThe Pyramid of PainThe threat intelligence methodologySourcing threat intelligenceInternally developed sourcesCommercial sourcingOpen source intelligenceThe MITRE ATT&CK frameworkWorking with IOCs and IOAsThreat intelligence and incident responseAutopsyMaltegoYARA and LokiSummaryQuestionsFurther reading
Threat hunting overviewThreat hunt cycleThreat hunt reportingThreat hunting maturity modelCrafting a hypothesisMITRE ATT&CKPlanning a huntDigital forensic techniques for threat huntingEDR for threat huntingSummaryQuestionsFurther reading
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13Chapter 14Chapter 15Chapter 16Chapter 17Chapter 18
Other Books You May EnjoyPackt is searching for authors like youShare your thoughtsDownload a free PDF copy of this book

Content preview from Digital Forensics and Incident Response - Third Edition

4 Investigation Methodology

So far, the last three chapters have set out the basics of incident response and how digital forensics plays a key role in understanding the nature of an incident. Another key component of incident response is the investigation component. An incident investigation is a methodology and process through which analysts form a hypothesis and test that hypothesis to answer questions regarding digital events. The main data that is fed into the digital investigation process comes from the proper handling and analysis of digital evidence. Figure 4.1 shows the relationship between digital forensics, incident response, and incident investigation.

Figure 4.1 – Relationship between digital forensics, incident investigation ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Digital Forensics and Incident Response - Fourth Edition

Publisher Resources

ISBN: 9781803238678

Digital Forensics and Incident Response - Third Edition

by Gerard Johansen

4

Investigation Methodology

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations

Learn Computer Forensics - Second Edition

Publisher Resources

4

Investigation Methodology

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations

Learn Computer Forensics - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.