Digital Forensics and Incident Response - Second Edition

Book description

Build your organization's cyber defense system by effectively implementing digital forensics and incident management techniques

Key Features

  • Create a solid incident response framework and manage cyber incidents effectively
  • Perform malware analysis for effective incident response
  • Explore real-life scenarios that effectively use threat intelligence and modeling techniques

Book Description

An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing your organization's infrastructure from attacks. This updated second edition will help you perform cutting-edge digital forensic activities and incident response.

After focusing on the fundamentals of incident response that are critical to any information security team, you'll move on to exploring the incident response framework. From understanding its importance to creating a swift and effective response to security incidents, the book will guide you with the help of useful examples. You'll later get up to speed with digital forensic techniques, from acquiring evidence and examining volatile memory through to hard drive and network-based evidence. As you progress, you'll discover the role that threat intelligence plays in the incident response process. You'll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis and demonstrate how you can proactively use your digital forensic skills in threat hunting.

By the end of this book, you'll have learned how to efficiently investigate and report security breaches and incidents in your organization.

What you will learn

  • Create and deploy an incident response capability within your own organization
  • Perform proper evidence acquisition and handling
  • Analyze the evidence collected and determine the root cause of a security incident
  • Become well-versed in memory and log analysis
  • Integrate digital forensic techniques and procedures into the overall incident response process
  • Understand the different techniques for threat hunting
  • Write effective incident reports that document the key findings of your analysis

Who this book is for

This book is for cybersecurity and information security professionals who want to implement digital forensics and incident response in their organization. You will also find the book helpful if you are new to the concept of digital forensics and are looking to get started with the fundamentals. A basic understanding of operating systems and some knowledge of networking fundamentals are required to get started with this book.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Digital Forensics and Incident Response Second Edition
  3. About Packt
    1. Why subscribe?
  4. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  6. Section 1: Foundations of Incident Response and Digital Forensics
  7. Understanding Incident Response
    1. The incident response process
      1. The role of digital forensics
    2. The incident response framework
      1. The incident response charter
      2. CSIRT
        1. CSIRT core team
        2. Technical support personnel
        3. Organizational support personnel
        4. External resources
    3. The incident response plan
      1. Incident classification
    4. The incident response playbook
      1. Escalation procedures
    5. Testing the incident response framework
    6. Summary
    7. Questions
    8. Further reading
  8. Managing Cyber Incidents
    1. Engaging the incident response team
      1. CSIRT models
        1. Security Operations Center escalation
        2. SOC and CSIRT combined
        3. CSIRT fusion center
      2. The war room
      3. Communications
      4. Staff rotation
    2. Incorporating crisis communications
      1. Internal communications
      2. External communications
      3. Public notification
    3. Investigating incidents
    4. Incorporating containment strategies
    5. Getting back to normal – eradication and recovery
      1. Eradication strategies
      2. Recovery strategies
    6. Summary
    7. Questions
    8. Further reading
  9. Fundamentals of Digital Forensics
    1. Legal aspects
      1. Laws and regulations
        1. Rules of evidence
    2. Digital forensics fundamentals
      1. A brief history
      2. The digital forensics process
        1. Identification
        2. Preservation
        3. Collection
          1. Proper evidence handling
          2. Chain of custody
        4. Examination
        5. Analysis
        6. Presentation
      3. Digital forensics lab
        1. Physical security
        2. Tools
          1. Hardware
          2. Software
          3. Linux forensic tools
          4. Jump kits
    3. Summary
    4. Questions
    5. Further reading
  10. Section 2: Evidence Acquisition
  11. Collecting Network Evidence
    1. An overview of network evidence
      1. Preparation
      2. Network diagram
      3. Configuration
    2. Firewalls and proxy logs
      1. Firewalls
      2. Web proxy server
    3. NetFlow
    4. Packet captures
      1. tcpdump
      2. WinPcap and RawCap
    5. Wireshark
    6. Evidence collection
    7. Summary
    8. Questions
    9. Further reading
  12. Acquiring Host-Based Evidence
    1. Preparation
    2. Order of volatility
    3. Evidence acquisition
      1. Evidence collection procedures
    4. Acquiring volatile memory
      1. Local acquisition
        1. FTK Imager
        2. WinPmem
        3. RAM Capturer
      2. Remote acquisition
        1. WinPmem
        2. Virtual machines
    5. Acquiring non-volatile evidence
      1. CyLR.exe
      2. Checking for encryption
    6. Summary
    7. Questions
    8. Further reading
  13. Forensic Imaging
    1. Understanding forensic imaging
    2. Imaging tools
    3. Preparing a stage drive
    4. Using write blockers
    5. Imaging techniques
      1. Dead imaging
        1. Imaging using FTK Imager
      2. Live imaging
      3. Remote memory acquisition
        1. WinPmem
        2. F-Response
      4. Virtual machines
        1. Linux imaging
    6. Summary
    7. Questions
    8. Further reading
  14. Section 3: Analyzing Evidence
  15. Analyzing Network Evidence
    1. Network evidence overview
    2. Analyzing firewall and proxy logs
      1. DNS blacklists
      2. SIEM tools
      3. The Elastic Stack
    3. Analyzing NetFlow
    4. Analyzing packet captures
      1. Command-line tools
      2. Moloch
      3. Wireshark
    5. Summary
    6. Questions
    7. Further reading
  16. Analyzing System Memory
    1. Memory analysis overview
    2. Memory analysis methodology
      1. SANS six-part methodology
      2. Network connections methodology
      3. Memory analysis tools
    3. Memory analysis with Redline
      1. Redline analysis process
      2. Redline process analysis
    4. Memory analysis with Volatility
      1. Installing Volatility
      2. Working with Volatility
      3. Volatility image information
      4. Volatility process analysis
        1. Process list
        2. Process scan
        3. Process tree
        4. DLL list
        5. The handles plugin
        6. LDR modules
        7. Process xview
      5. Volatility network analysis
        1. connscan
      6. Volatility evidence extraction
        1. Memory dump
        2. DLL file dump
        3. Executable dump
    5. Memory analysis with strings
      1. Installing Strings
      2. IP address search
      3. HTTP search
    6. Summary
    7. Questions
    8. Further reading
  17. Analyzing System Storage
    1. Forensic platforms
    2. Autopsy
      1. Installing Autopsy
      2. Opening a case
      3. Navigating Autopsy
      4. Examining a case
        1. Web artifacts
        2. Email
        3. Attached devices
        4. Deleted files
        5. Keyword searches
        6. Timeline analysis
    3. MFT analysis
    4. Registry analysis
    5. Summary
    6. Questions
    7. Further reading
  18. Analyzing Log Files
    1. Logging and log management
    2. Working with event management systems
      1. Security Onion
      2. The Elastic Stack
    3. Understanding Windows logs
    4. Analyzing Windows event logs
      1. Acquisition
      2. Triage
      3. Analysis
        1. Event Log Explorer
        2. Analyzing logs with Skadi
    5. Summary
    6. Questions
    7. Further reading
  19. Writing the Incident Report
    1. Documentation overview
      1. What to document
      2. Types of documentation
      3. Sources
      4. Audience
    2. Incident tracking
      1. Fast Incident Response
    3. Written reports
      1. Executive summary
      2. Incident report
      3. Forensic report
    4. Summary
    5. Questions
    6. Further reading
  20. Section 4: Specialist Topics
  21. Malware Analysis for Incident Response
    1. Malware classifications
    2. Malware analysis overview
      1. Static analysis
      2. Dynamic analysis
    3. Analyzing malware
      1. Static analysis
        1. ClamAV
        2. PeStudio
        3. REMnux
        4. YARA
    4. Dynamic analysis
      1. Malware sandbox
      2. Process Explorer
        1. Process Spawn Control
      3. Cuckoo Sandbox
    5. Summary
    6. Questions
    7. Further reading
  22. Leveraging Threat Intelligence
    1. Understanding threat intelligence
      1. Threat intelligence types
      2. Pyramid of pain
    2. Threat intelligence methodology
      1. Threat intelligence direction
        1. Cyber kill chain
        2. Diamond model
    3. Threat intelligence sources
      1. Internally developed sources
      2. Commercial sourcing
      3. Open source
    4. Threat intelligence platforms
      1. MISP threat sharing
    5. Using threat intelligence
      1. Proactive threat intelligence
      2. Reactive threat intelligence
        1. Autopsy
        2. Adding IOCs to Redline
        3. Yara and Loki
    6. Summary
    7. Questions
    8. Further reading
  23. Hunting for Threats
    1. The threat hunting maturity model
    2. Threat hunt cycle
      1. Initiating event
      2. Creating a working hypothesis
      3. Leveraging threat intelligence
      4. Applying forensic techniques
      5. Identifying new indicators
      6. Enriching the existing hypothesis
    3. MITRE ATT&CK
    4. Threat hunt planning
    5. Threat hunt reporting
    6. Summary
    7. Questions
    8. Further reading
  24. Appendix
  25. Assessment
    1. Chapter 1: Understanding Incident Response
    2. Chapter 2: Managing Cyber Incidents
    3. Chapter 3: Fundamentals of Digital Forensics
    4. Chapter 4: Collecting Network Evidence
    5. Chapter 5: Acquiring Host-Based Evidence
    6. Chapter 6: Forensic Imaging
    7. Chapter 7: Analyzing Network Evidence
    8. Chapter 8: Analyzing System Memory
    9. Chapter 9: Analyzing System Storage
    10. Chapter 10: Analyzing Log Files
    11. Chapter 11: Writing the Incident Report
    12. Chapter 12: Malware Analysis for Incident Response
    13. Chapter 13: Leveraging Threat Intelligence
    14. Chapter 14: Hunting for Threats
  26. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Digital Forensics and Incident Response - Second Edition
  • Author(s): Gerard Johansen
  • Release date: January 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781838649005