book

Digital Forensics and Incident Response - Third Edition

by Gerard Johansen

December 2022

Intermediate to advanced

532 pages

13h 54m

English

Packt Publishing

Read now

Unlock full access

About the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare your thoughtsDownload a free PDF copy of this book
The IR processThe role of digital forensicsThe IR frameworkThe IR charterCSIRT teamThe IR planIncident classificationThe IR playbook/handbookEscalation processTesting the IR frameworkSummaryQuestionsFurther reading
Engaging the incident response teamCSIRT engagement modelsInvestigating incidentsThe CSIRT war roomCommunicationsRotating staffSOARIncorporating crisis communicationsInternal communicationsExternal communicationsPublic notificationIncorporating containment strategiesGetting back to normal – eradication, recovery, and post-incident activitySummaryQuestionsFurther reading
An overview of forensic scienceLocard’s exchange principleLegal issues in digital forensicsLaw and regulationsRules of evidenceForensic procedures in incident responseA brief history of digital forensicsThe digital forensics processThe digital forensics labSummaryQuestionsFurther reading
An intrusion analysis case study: The Cuckoo’s EggTypes of incident investigation analysisFunctional digital forensic investigation methodologyIdentification and scopingCollecting evidenceThe initial event analysisThe preliminary correlationEvent normalizationEvent deconflictionThe second correlationThe timelineKill chain analysisReportingThe cyber kill chainThe diamond model of intrusion analysisDiamond model axiomsA combined diamond model and kill chain intrusion analysisAttributionSummaryQuestions
An overview of network evidencePreparationA network diagramConfigurationFirewalls and proxy logsFirewallsWeb application firewallsWeb proxy serversNetFlowPacket capturetcpdumpWinPcap and RawCapWiresharkEvidence collectionSummaryQuestionsFurther reading
PreparationOrder of volatilityEvidence acquisitionEvidence collection proceduresAcquiring volatile memoryFTK ImagerWinPmemRAM CapturerVirtual systemsAcquiring non-volatile evidenceFTK obtaining protected filesThe CyLR response toolKroll Artifact Parser and ExtractorSummaryQuestionsFurther reading

Enterprise incident response challengesEndpoint detection and responseVelociraptor overview and deploymentVelociraptor serverVelociraptor Windows collectorVelociraptor scenariosVelociraptor evidence collectionCyLRWinPmemSummaryQuestions
Understanding forensic imagingImage versus copyLogical versus physical volumesTypes of image filesSSD versus HDDTools for imagingPreparing a staging driveUsing write blockersImaging techniquesDead imagingLive imagingVirtual systemsLinux imagingSummaryQuestionsFurther reading
Network evidence overviewAnalyzing firewall and proxy logsSIEM toolsThe Elastic StackAnalyzing NetFlowAnalyzing packet capturesCommand-line toolsReal Intelligence Threat AnalyticsNetworkMinerArkimeWiresharkSummaryQuestionsFurther reading
Memory analysis overviewMemory analysis methodologySANS six-part methodologyNetwork connections methodologyMemory analysis toolsMemory analysis with VolatilityVolatility WorkbenchMemory analysis with StringsInstalling StringsCommon Strings searchesSummaryQuestionsFurther reading
Forensic platformsAutopsyInstalling AutopsyStarting a caseAdding evidenceNavigating AutopsyExamining a caseMaster File Table analysisPrefetch analysisRegistry analysisSummaryQuestionsFurther reading
Logs and log managementWorking with SIEMsSplunkElastic StackSecurity OnionWindows LogsWindows Event LogsAnalyzing Windows Event LogsAcquisitionTriageDetailed Event Log analysisSummaryQuestionsFurther reading
Documentation overviewWhat to documentTypes of documentationSourcesAudienceExecutive summaryIncident investigation reportForensic reportPreparing the incident and forensic reportNote-takingReport languageSummaryQuestionsFurther reading
History of ransomwareCryptoLockerCryptoWallCTB-LockerTeslaCryptSamSamLockyWannaCryRyukConti ransomware case studyBackgroundOperational disclosureTactics and techniquesExfiltrationImpactProper ransomware preparationRansomware resiliencyPrepping the CSIRTEradication and recoveryContainmentEradicationRecoverySummaryQuestionsFurther reading
Ransomware initial access and executionInitial accessExecutionDiscovering credential access and theftProcDumpMimikatzInvestigating post-exploitation frameworksCommand and ControlSecurity OnionRITAArkimeInvestigating lateral movement techniquesSummaryQuestionsFurther reading
Malware analysis overviewMalware classificationSetting up a malware sandboxLocal sandboxCloud sandboxStatic analysisStatic properties analysisDynamic analysisProcess ExplorerProcess Spawn ControlAutomated analysisClamAVYARAYarGenSummaryQuestionsFurther reading
Threat intelligence overviewThreat intelligence typesThe Pyramid of PainThe threat intelligence methodologySourcing threat intelligenceInternally developed sourcesCommercial sourcingOpen source intelligenceThe MITRE ATT&CK frameworkWorking with IOCs and IOAsThreat intelligence and incident responseAutopsyMaltegoYARA and LokiSummaryQuestionsFurther reading
Threat hunting overviewThreat hunt cycleThreat hunt reportingThreat hunting maturity modelCrafting a hypothesisMITRE ATT&CKPlanning a huntDigital forensic techniques for threat huntingEDR for threat huntingSummaryQuestionsFurther reading
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13Chapter 14Chapter 15Chapter 16Chapter 17Chapter 18
Other Books You May EnjoyPackt is searching for authors like youShare your thoughtsDownload a free PDF copy of this book

Content preview from Digital Forensics and Incident Response - Third Edition

11 Analyzing System Storage

So far, the evidence that has been analyzed has focused on those elements that are obtained from the network traffic or the system’s memory. Even though an incident’s root cause may be ferreted out from these evidence sources, it is important to understand how to obtain evidentiary material from a system’s storage, whether that is removable storage such as USB devices or the larger connected disk drives. These containers carry a massive amount of data that may be leveraged by incident response analysts to determine a root cause. It should be noted that this chapter will only be able to scratch the surface as entire volumes have been devoted to the depth of forensic evidence that’s available.

To provide a better understanding ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Digital Forensics and Incident Response - Fourth Edition

Publisher Resources

ISBN: 9781803238678

Digital Forensics and Incident Response - Third Edition

by Gerard Johansen

11

Analyzing System Storage

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations

Learn Computer Forensics - Second Edition

Publisher Resources

11

Analyzing System Storage

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations

Learn Computer Forensics - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.