book

Incident Response & Computer Forensics, Third Edition, 3rd Edition

by Jason Luttgens, Matthew Pepe, Kevin Mandia

August 2014

Intermediate to advanced

544 pages

18h 21m

English

McGraw-Hill

Read now

Unlock full access

What Constitutes an Incident?What Is Incident Response?Where We Are NowWhy Should You Care About Incident Response?Case StudiesCase Study #1: Show Me the MoneyCase Study #2: Certificate of AuthenticityConcept of the Attack LifecycleSo What?Questions
What Is a Computer Security Incident?What Are the Goals of Incident Response?Who Is Involved in the IR Process?Finding IR TalentThe Incident Response ProcessInitial ResponseInvestigationRemediationTracking of Significant Investigative InformationReportingSo What?Questions
Preparing the Organization for Incident ResponseIdentifying RiskPolicies That Promote a Successful IRWorking with Outsourced ITThoughts on Global Infrastructure IssuesEducating Users on Host-Based SecurityPreparing the IR TeamDefining the MissionCommunication ProceduresDeliverablesResources for the IR TeamPreparing the Infrastructure for Incident ResponseComputing Device ConfigurationNetwork ConfigurationSo What?Questions
Collecting Initial FactsChecklistsMaintenance of Case NotesBuilding an Attack TimelineUnderstanding Investigative PrioritiesWhat Are Elements of Proof?Setting Expectations with ManagementSo What?Questions
Defining Leads of ValueActing on LeadsTurning Leads into IndicatorsThe Lifecycle of Indicator GenerationResolving Internal LeadsResolving External LeadsSo What?Questions
What Should I Do?Examining Initial DataGathering and Reviewing Preliminary EvidenceDetermining a Course of ActionCustomer Data Loss ScenarioCustomer Data Loss—Scoping Gone WrongAutomated Clearing House (ACH) Fraud ScenarioACH Fraud—Scoping Gone WrongSo What?Questions
When to Perform a Live ResponseSelecting a Live Response ToolWhat to CollectCollection Best PracticesLive Data Collection on Microsoft Windows SystemsPrebuilt ToolkitsDo It YourselfMemory CollectionLive Data Collection on Unix-Based SystemsLive Response ToolkitsMemory CollectionSo What?Questions
Forensic Image FormatsComplete Disk ImagePartition ImageLogical ImageImage IntegrityTraditional DuplicationHardware Write BlockersImage Creation ToolsLive System DuplicationDuplication of Enterprise AssetsDuplication of Virtual MachinesSo What?Questions
The Case for Network MonitoringTypes of Network MonitoringEvent-Based Alert MonitoringHeader and Full Packet LoggingStatistical ModelingSetting Up a Network Monitoring SystemChoosing Appropriate HardwareInstallation of a Pre-built DistributionDeploying the Network SensorEvaluating Your Network MonitorNetwork Data AnalysisData Theft ScenarioWebshell Reconnaissance ScenarioOther Network Analysis ToolsCollect Logs Generated from Network EventsSo What?Questions
Network Infrastructure ServicesDHCPDNSEnterprise Management ApplicationsLANDesk Software Management SuiteSymantec Altiris Client Management SuiteAntivirus SoftwareAntivirus QuarantineSymantec Endpoint ProtectionMcAfee VirusScanTrend Micro OfficeScanWeb ServersWeb Server BackgroundApache HTTP ServerMicrosoft Internet Information Services (IIS)Database ServersMicrosoft SQLMySQLOracleSo What?Questions
Define ObjectivesKnow Your DataWhere Is Data Stored?What’s Available?Access Your DataAnalyze Your DataOutline an ApproachSelect MethodsEvaluate ResultsSo What?Questions
NTFS and File System AnalysisThe Master File TableINDX AttributesChange LogsVolume Shadow CopiesFile System RedirectorPrefetchThe EvidenceAnalysisEvent LogsThe EvidenceAnalysisScheduled TasksCreating Tasks with the “at” CommandCreating Tasks with the schtasks CommandThe EvidenceAnalysisThe Windows RegistryThe EvidenceAnalysisRegistry Analysis ToolsOther Artifacts of Interactive SessionsLNK FilesJump ListsThe Recycle BinMemory ForensicsThe EvidenceMemory AnalysisAlternative Persistence MechanismsStartup FoldersRecurring TasksSystem Binary ModificationDLL Load-Order HijackingReview: Answering Common Investigative QuestionsSo What?Questions
HFS+ and File System AnalysisVolume LayoutFile System ServicesCore Operating System DataFile System LayoutUser and Service ConfigurationTrash and Deleted FilesSystem Auditing, Databases, and LoggingScheduled Tasks and ServicesApplication InstallersA Review: Answering Common Investigative QuestionsSo What?Questions
What Is Application Data?Where Is Application Data Stored?WindowsOS XLinuxGeneral Investigation MethodsWeb BrowsersInternet ExplorerGoogle ChromeMozilla FirefoxE-Mail ClientsWeb E-MailMicrosoft Outlook for WindowsApple MailMicrosoft Outlook for MacInstant Message ClientsMethodologyInstant MessageSo What?Questions
Malware HandlingSafetyDocumentationDistributionAccessing Malicious SitesTriage EnvironmentSetting Up a Virtual EnvironmentStatic AnalysisWhat Is That File?Portable Executable FilesDynamic AnalysisAutomated Dynamic Analysis: SandboxesManual Dynamic AnalysisSo What?Questions
Why Write Reports?Reporting StandardsReport Style and FormattingReport Content and OrganizationQuality AssuranceSo What?Questions
Basic ConceptsRemediation Pre-ChecksForm the Remediation TeamWhen to Create the Remediation TeamAssigning a Remediation OwnerMembers of the Remediation TeamDetermine the Timing of the RemediationDevelop and Implement Remediation Posturing ActionsImplications of Alerting the AttackerDevelop and Implement Incident Containment ActionsDevelop the Eradication Action PlanDetermine Eradication Event Timing and Execute Eradication PlanDevelop Strategic RecommendationsDocument the Lessons LearnedPutting It All TogetherCommon Mistakes That Lead to Remediation FailureSo What?Questions
Remediation Plan for Case Study #1: Show Me the MoneySelect the TeamDetermine Remediation TimingContain the IncidentPosture the EnvironmentEradicate the AttackerSet the Strategic DirectionSo What?Questions

Overview

The definitive guide to incident response--updated for the first time in a decade!

Thoroughly revised to cover the latest and most effective tools and techniques, Incident Response & Computer Forensics, Third Edition arms you with the information you need to get your organization out of trouble when data breaches occur. This practical resource covers the entire lifecycle of incident response, including preparation, data collection, data analysis, and remediation. Real-world case studies reveal the methods behind--and remediation strategies for--today's most insidious attacks.

Architect an infrastructure that allows for methodical investigation and remediation
Develop leads, identify indicators of compromise, and determine incident scope
Collect and preserve live data
Perform forensic duplication
Analyze data from networks, enterprise services, and applications
Investigate Windows and Mac OS X systems
Perform malware triage
Write detailed incident response reports
Create and implement comprehensive remediation plans

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Digital Forensics and Incident Response - Third Edition

Publisher Resources

ISBN: 9780071798686

Incident Response & Computer Forensics, Third Edition, 3rd Edition

by Jason Luttgens, Matthew Pepe, Kevin Mandia

Overview

The definitive guide to incident response--updated for the first time in a decade!

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Digital Forensics and Incident Response - Third Edition

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Cyber Security and Digital Forensics

Publisher Resources

Overview

The definitive guide to incident response--updated for the first time in a decade!

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Digital Forensics and Incident Response - Third Edition

Digital Forensics and Incident Response - Fourth Edition

Digital Forensics and Incident Response - Second Edition

Cyber Security and Digital Forensics

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.