book

Digital Forensics and Incident Response - Third Edition

by Gerard Johansen

December 2022

Intermediate to advanced

532 pages

13h 54m

English

Packt Publishing

Read now

Unlock full access

About the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare your thoughtsDownload a free PDF copy of this book
The IR processThe role of digital forensicsThe IR frameworkThe IR charterCSIRT teamThe IR planIncident classificationThe IR playbook/handbookEscalation processTesting the IR frameworkSummaryQuestionsFurther reading
Engaging the incident response teamCSIRT engagement modelsInvestigating incidentsThe CSIRT war roomCommunicationsRotating staffSOARIncorporating crisis communicationsInternal communicationsExternal communicationsPublic notificationIncorporating containment strategiesGetting back to normal – eradication, recovery, and post-incident activitySummaryQuestionsFurther reading
An overview of forensic scienceLocard’s exchange principleLegal issues in digital forensicsLaw and regulationsRules of evidenceForensic procedures in incident responseA brief history of digital forensicsThe digital forensics processThe digital forensics labSummaryQuestionsFurther reading
An intrusion analysis case study: The Cuckoo’s EggTypes of incident investigation analysisFunctional digital forensic investigation methodologyIdentification and scopingCollecting evidenceThe initial event analysisThe preliminary correlationEvent normalizationEvent deconflictionThe second correlationThe timelineKill chain analysisReportingThe cyber kill chainThe diamond model of intrusion analysisDiamond model axiomsA combined diamond model and kill chain intrusion analysisAttributionSummaryQuestions
An overview of network evidencePreparationA network diagramConfigurationFirewalls and proxy logsFirewallsWeb application firewallsWeb proxy serversNetFlowPacket capturetcpdumpWinPcap and RawCapWiresharkEvidence collectionSummaryQuestionsFurther reading
PreparationOrder of volatilityEvidence acquisitionEvidence collection proceduresAcquiring volatile memoryFTK ImagerWinPmemRAM CapturerVirtual systemsAcquiring non-volatile evidenceFTK obtaining protected filesThe CyLR response toolKroll Artifact Parser and ExtractorSummaryQuestionsFurther reading

Enterprise incident response challengesEndpoint detection and responseVelociraptor overview and deploymentVelociraptor serverVelociraptor Windows collectorVelociraptor scenariosVelociraptor evidence collectionCyLRWinPmemSummaryQuestions
Understanding forensic imagingImage versus copyLogical versus physical volumesTypes of image filesSSD versus HDDTools for imagingPreparing a staging driveUsing write blockersImaging techniquesDead imagingLive imagingVirtual systemsLinux imagingSummaryQuestionsFurther reading
Network evidence overviewAnalyzing firewall and proxy logsSIEM toolsThe Elastic StackAnalyzing NetFlowAnalyzing packet capturesCommand-line toolsReal Intelligence Threat AnalyticsNetworkMinerArkimeWiresharkSummaryQuestionsFurther reading
Memory analysis overviewMemory analysis methodologySANS six-part methodologyNetwork connections methodologyMemory analysis toolsMemory analysis with VolatilityVolatility WorkbenchMemory analysis with StringsInstalling StringsCommon Strings searchesSummaryQuestionsFurther reading
Forensic platformsAutopsyInstalling AutopsyStarting a caseAdding evidenceNavigating AutopsyExamining a caseMaster File Table analysisPrefetch analysisRegistry analysisSummaryQuestionsFurther reading
Logs and log managementWorking with SIEMsSplunkElastic StackSecurity OnionWindows LogsWindows Event LogsAnalyzing Windows Event LogsAcquisitionTriageDetailed Event Log analysisSummaryQuestionsFurther reading
Documentation overviewWhat to documentTypes of documentationSourcesAudienceExecutive summaryIncident investigation reportForensic reportPreparing the incident and forensic reportNote-takingReport languageSummaryQuestionsFurther reading
History of ransomwareCryptoLockerCryptoWallCTB-LockerTeslaCryptSamSamLockyWannaCryRyukConti ransomware case studyBackgroundOperational disclosureTactics and techniquesExfiltrationImpactProper ransomware preparationRansomware resiliencyPrepping the CSIRTEradication and recoveryContainmentEradicationRecoverySummaryQuestionsFurther reading
Ransomware initial access and executionInitial accessExecutionDiscovering credential access and theftProcDumpMimikatzInvestigating post-exploitation frameworksCommand and ControlSecurity OnionRITAArkimeInvestigating lateral movement techniquesSummaryQuestionsFurther reading
Malware analysis overviewMalware classificationSetting up a malware sandboxLocal sandboxCloud sandboxStatic analysisStatic properties analysisDynamic analysisProcess ExplorerProcess Spawn ControlAutomated analysisClamAVYARAYarGenSummaryQuestionsFurther reading
Threat intelligence overviewThreat intelligence typesThe Pyramid of PainThe threat intelligence methodologySourcing threat intelligenceInternally developed sourcesCommercial sourcingOpen source intelligenceThe MITRE ATT&CK frameworkWorking with IOCs and IOAsThreat intelligence and incident responseAutopsyMaltegoYARA and LokiSummaryQuestionsFurther reading
Threat hunting overviewThreat hunt cycleThreat hunt reportingThreat hunting maturity modelCrafting a hypothesisMITRE ATT&CKPlanning a huntDigital forensic techniques for threat huntingEDR for threat huntingSummaryQuestionsFurther reading
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13Chapter 14Chapter 15Chapter 16Chapter 17Chapter 18
Other Books You May EnjoyPackt is searching for authors like youShare your thoughtsDownload a free PDF copy of this book

Content preview from Digital Forensics and Incident Response - Third Edition

6 Acquiring Host-Based Evidence

Host systems are the targets of malicious actions far too often. Host systems represent a possible initial target so that someone can gain a foothold in the network or a pivot point for additional attacks, or the end goal of threat actors. As a result, incident response analysts should be prepared to investigate these systems. Modern operating systems such as Microsoft Windows create a variety of evidentiary artifacts during the execution of an application, when changes to files are made, or when user accounts are added. All these changes leave traces of activity that can be evaluated by incident response analysts. The amount of data that’s available to incident response analysts is increasing as storage and memory ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Digital Forensics and Incident Response - Fourth Edition

Publisher Resources

ISBN: 9781803238678

Digital Forensics and Incident Response - Third Edition

by Gerard Johansen

6

Acquiring Host-Based Evidence

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations

Learn Computer Forensics - Second Edition

Publisher Resources

6

Acquiring Host-Based Evidence

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations

Learn Computer Forensics - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.