book

Digital Forensics and Incident Response - Third Edition

by Gerard Johansen

December 2022

Intermediate to advanced

532 pages

13h 54m

English

Packt Publishing

Read now

Unlock full access

About the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare your thoughtsDownload a free PDF copy of this book
The IR processThe role of digital forensicsThe IR frameworkThe IR charterCSIRT teamThe IR planIncident classificationThe IR playbook/handbookEscalation processTesting the IR frameworkSummaryQuestionsFurther reading
Engaging the incident response teamCSIRT engagement modelsInvestigating incidentsThe CSIRT war roomCommunicationsRotating staffSOARIncorporating crisis communicationsInternal communicationsExternal communicationsPublic notificationIncorporating containment strategiesGetting back to normal – eradication, recovery, and post-incident activitySummaryQuestionsFurther reading
An overview of forensic scienceLocard’s exchange principleLegal issues in digital forensicsLaw and regulationsRules of evidenceForensic procedures in incident responseA brief history of digital forensicsThe digital forensics processThe digital forensics labSummaryQuestionsFurther reading
An intrusion analysis case study: The Cuckoo’s EggTypes of incident investigation analysisFunctional digital forensic investigation methodologyIdentification and scopingCollecting evidenceThe initial event analysisThe preliminary correlationEvent normalizationEvent deconflictionThe second correlationThe timelineKill chain analysisReportingThe cyber kill chainThe diamond model of intrusion analysisDiamond model axiomsA combined diamond model and kill chain intrusion analysisAttributionSummaryQuestions
An overview of network evidencePreparationA network diagramConfigurationFirewalls and proxy logsFirewallsWeb application firewallsWeb proxy serversNetFlowPacket capturetcpdumpWinPcap and RawCapWiresharkEvidence collectionSummaryQuestionsFurther reading
PreparationOrder of volatilityEvidence acquisitionEvidence collection proceduresAcquiring volatile memoryFTK ImagerWinPmemRAM CapturerVirtual systemsAcquiring non-volatile evidenceFTK obtaining protected filesThe CyLR response toolKroll Artifact Parser and ExtractorSummaryQuestionsFurther reading

Enterprise incident response challengesEndpoint detection and responseVelociraptor overview and deploymentVelociraptor serverVelociraptor Windows collectorVelociraptor scenariosVelociraptor evidence collectionCyLRWinPmemSummaryQuestions
Understanding forensic imagingImage versus copyLogical versus physical volumesTypes of image filesSSD versus HDDTools for imagingPreparing a staging driveUsing write blockersImaging techniquesDead imagingLive imagingVirtual systemsLinux imagingSummaryQuestionsFurther reading
Network evidence overviewAnalyzing firewall and proxy logsSIEM toolsThe Elastic StackAnalyzing NetFlowAnalyzing packet capturesCommand-line toolsReal Intelligence Threat AnalyticsNetworkMinerArkimeWiresharkSummaryQuestionsFurther reading
Memory analysis overviewMemory analysis methodologySANS six-part methodologyNetwork connections methodologyMemory analysis toolsMemory analysis with VolatilityVolatility WorkbenchMemory analysis with StringsInstalling StringsCommon Strings searchesSummaryQuestionsFurther reading
Forensic platformsAutopsyInstalling AutopsyStarting a caseAdding evidenceNavigating AutopsyExamining a caseMaster File Table analysisPrefetch analysisRegistry analysisSummaryQuestionsFurther reading
Logs and log managementWorking with SIEMsSplunkElastic StackSecurity OnionWindows LogsWindows Event LogsAnalyzing Windows Event LogsAcquisitionTriageDetailed Event Log analysisSummaryQuestionsFurther reading
Documentation overviewWhat to documentTypes of documentationSourcesAudienceExecutive summaryIncident investigation reportForensic reportPreparing the incident and forensic reportNote-takingReport languageSummaryQuestionsFurther reading
History of ransomwareCryptoLockerCryptoWallCTB-LockerTeslaCryptSamSamLockyWannaCryRyukConti ransomware case studyBackgroundOperational disclosureTactics and techniquesExfiltrationImpactProper ransomware preparationRansomware resiliencyPrepping the CSIRTEradication and recoveryContainmentEradicationRecoverySummaryQuestionsFurther reading
Ransomware initial access and executionInitial accessExecutionDiscovering credential access and theftProcDumpMimikatzInvestigating post-exploitation frameworksCommand and ControlSecurity OnionRITAArkimeInvestigating lateral movement techniquesSummaryQuestionsFurther reading
Malware analysis overviewMalware classificationSetting up a malware sandboxLocal sandboxCloud sandboxStatic analysisStatic properties analysisDynamic analysisProcess ExplorerProcess Spawn ControlAutomated analysisClamAVYARAYarGenSummaryQuestionsFurther reading
Threat intelligence overviewThreat intelligence typesThe Pyramid of PainThe threat intelligence methodologySourcing threat intelligenceInternally developed sourcesCommercial sourcingOpen source intelligenceThe MITRE ATT&CK frameworkWorking with IOCs and IOAsThreat intelligence and incident responseAutopsyMaltegoYARA and LokiSummaryQuestionsFurther reading
Threat hunting overviewThreat hunt cycleThreat hunt reportingThreat hunting maturity modelCrafting a hypothesisMITRE ATT&CKPlanning a huntDigital forensic techniques for threat huntingEDR for threat huntingSummaryQuestionsFurther reading
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13Chapter 14Chapter 15Chapter 16Chapter 17Chapter 18
Other Books You May EnjoyPackt is searching for authors like youShare your thoughtsDownload a free PDF copy of this book

Content preview from Digital Forensics and Incident Response - Third Edition

5 Collecting Network Evidence

The traditional focus of digital forensics has been on locating evidence on a potentially compromised endpoint. More specifically, computer forensics is largely focused on a system’s storage. Law enforcement officers interested in criminal activity such as fraud or child exploitation can find the evidence required for prosecution on a single hard drive. In the realm of incident response, however, it is critical that the focus extends far beyond a suspected compromised system. For example, there is a wealth of information that can be obtained within the hardware and software in question, along with the flow of traffic from a compromised host to an external Command-and-Control (C2) server.

This chapter focuses on ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Digital Forensics and Incident Response - Fourth Edition

Publisher Resources

ISBN: 9781803238678

Digital Forensics and Incident Response - Third Edition

by Gerard Johansen

5

Collecting Network Evidence

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations

Learn Computer Forensics - Second Edition

Publisher Resources

5

Collecting Network Evidence

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations

Learn Computer Forensics - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.