book

Incident Response & Computer Forensics, Third Edition, 3rd Edition

by Jason Luttgens, Matthew Pepe, Kevin Mandia

August 2014

Intermediate to advanced

544 pages

18h 21m

English

McGraw-Hill

Read now

Unlock full access

Cover
Title Page
Copyright Page
About the Authors
About the Contributors
About the Technical Editor
Contents
Foreword
Acknowledgments
Introduction

Part I: Preparing for the Inevitable Incident
Chapter 1: Real-World Incidents
What Constitutes an Incident?What Is Incident Response?Where We Are NowWhy Should You Care About Incident Response?Case StudiesCase Study #1: Show Me the MoneyCase Study #2: Certificate of AuthenticityConcept of the Attack LifecycleSo What?Questions
Chapter 2: IR Management Handbook
What Is a Computer Security Incident?What Are the Goals of Incident Response?Who Is Involved in the IR Process?Finding IR TalentThe Incident Response ProcessInitial ResponseInvestigationRemediationTracking of Significant Investigative InformationReportingSo What?Questions
Chapter 3: Pre-Incident Preparation
Preparing the Organization for Incident ResponseIdentifying RiskPolicies That Promote a Successful IRWorking with Outsourced ITThoughts on Global Infrastructure IssuesEducating Users on Host-Based SecurityPreparing the IR TeamDefining the MissionCommunication ProceduresDeliverablesResources for the IR TeamPreparing the Infrastructure for Incident ResponseComputing Device ConfigurationNetwork ConfigurationSo What?Questions
Part II: Incident Detection and Characterization
Chapter 4: Getting the Investigation Started on the Right Foot
Collecting Initial FactsChecklistsMaintenance of Case NotesBuilding an Attack TimelineUnderstanding Investigative PrioritiesWhat Are Elements of Proof?Setting Expectations with ManagementSo What?Questions
Chapter 5: Initial Development of Leads
Defining Leads of ValueActing on LeadsTurning Leads into IndicatorsThe Lifecycle of Indicator GenerationResolving Internal LeadsResolving External LeadsSo What?Questions
Chapter 6: Discovering the Scope of the Incident
What Should I Do?Examining Initial DataGathering and Reviewing Preliminary EvidenceDetermining a Course of ActionCustomer Data Loss ScenarioCustomer Data Loss—Scoping Gone WrongAutomated Clearing House (ACH) Fraud ScenarioACH Fraud—Scoping Gone WrongSo What?Questions
Part III: Data Collection
Chapter 7: Live Data Collection
When to Perform a Live ResponseSelecting a Live Response ToolWhat to CollectCollection Best PracticesLive Data Collection on Microsoft Windows SystemsPrebuilt ToolkitsDo It YourselfMemory CollectionLive Data Collection on Unix-Based SystemsLive Response ToolkitsMemory CollectionSo What?Questions
Chapter 8: Forensic Duplication
Forensic Image FormatsComplete Disk ImagePartition ImageLogical ImageImage IntegrityTraditional DuplicationHardware Write BlockersImage Creation ToolsLive System DuplicationDuplication of Enterprise AssetsDuplication of Virtual MachinesSo What?Questions
Chapter 9: Network Evidence
The Case for Network MonitoringTypes of Network MonitoringEvent-Based Alert MonitoringHeader and Full Packet LoggingStatistical ModelingSetting Up a Network Monitoring SystemChoosing Appropriate HardwareInstallation of a Pre-built DistributionDeploying the Network SensorEvaluating Your Network MonitorNetwork Data AnalysisData Theft ScenarioWebshell Reconnaissance ScenarioOther Network Analysis ToolsCollect Logs Generated from Network EventsSo What?Questions
Chapter 10: Enterprise Services
Network Infrastructure ServicesDHCPDNSEnterprise Management ApplicationsLANDesk Software Management SuiteSymantec Altiris Client Management SuiteAntivirus SoftwareAntivirus QuarantineSymantec Endpoint ProtectionMcAfee VirusScanTrend Micro OfficeScanWeb ServersWeb Server BackgroundApache HTTP ServerMicrosoft Internet Information Services (IIS)Database ServersMicrosoft SQLMySQLOracleSo What?Questions
Part IV: Data Analysis
Chapter 11: Analysis Methodology
Define ObjectivesKnow Your DataWhere Is Data Stored?What’s Available?Access Your DataAnalyze Your DataOutline an ApproachSelect MethodsEvaluate ResultsSo What?Questions
Chapter 12: Investigating Windows Systems
NTFS and File System AnalysisThe Master File TableINDX AttributesChange LogsVolume Shadow CopiesFile System RedirectorPrefetchThe EvidenceAnalysisEvent LogsThe EvidenceAnalysisScheduled TasksCreating Tasks with the “at” CommandCreating Tasks with the schtasks CommandThe EvidenceAnalysisThe Windows RegistryThe EvidenceAnalysisRegistry Analysis ToolsOther Artifacts of Interactive SessionsLNK FilesJump ListsThe Recycle BinMemory ForensicsThe EvidenceMemory AnalysisAlternative Persistence MechanismsStartup FoldersRecurring TasksSystem Binary ModificationDLL Load-Order HijackingReview: Answering Common Investigative QuestionsSo What?Questions
Chapter 13: Investigating Mac OS X Systems
HFS+ and File System AnalysisVolume LayoutFile System ServicesCore Operating System DataFile System LayoutUser and Service ConfigurationTrash and Deleted FilesSystem Auditing, Databases, and LoggingScheduled Tasks and ServicesApplication InstallersA Review: Answering Common Investigative QuestionsSo What?Questions
Chapter 14: Investigating Applications
What Is Application Data?Where Is Application Data Stored?WindowsOS XLinuxGeneral Investigation MethodsWeb BrowsersInternet ExplorerGoogle ChromeMozilla FirefoxE-Mail ClientsWeb E-MailMicrosoft Outlook for WindowsApple MailMicrosoft Outlook for MacInstant Message ClientsMethodologyInstant MessageSo What?Questions
Chapter 15: Malware Triage
Malware HandlingSafetyDocumentationDistributionAccessing Malicious SitesTriage EnvironmentSetting Up a Virtual EnvironmentStatic AnalysisWhat Is That File?Portable Executable FilesDynamic AnalysisAutomated Dynamic Analysis: SandboxesManual Dynamic AnalysisSo What?Questions
Chapter 16: Report Writing
Why Write Reports?Reporting StandardsReport Style and FormattingReport Content and OrganizationQuality AssuranceSo What?Questions
Part V: Remediation
Chapter 17: Remediation Introduction
Basic ConceptsRemediation Pre-ChecksForm the Remediation TeamWhen to Create the Remediation TeamAssigning a Remediation OwnerMembers of the Remediation TeamDetermine the Timing of the RemediationDevelop and Implement Remediation Posturing ActionsImplications of Alerting the AttackerDevelop and Implement Incident Containment ActionsDevelop the Eradication Action PlanDetermine Eradication Event Timing and Execute Eradication PlanDevelop Strategic RecommendationsDocument the Lessons LearnedPutting It All TogetherCommon Mistakes That Lead to Remediation FailureSo What?Questions
Chapter 18: Remediation Case Study
Remediation Plan for Case Study #1: Show Me the MoneySelect the TeamDetermine Remediation TimingContain the IncidentPosture the EnvironmentEradicate the AttackerSet the Strategic DirectionSo What?Questions
Index

Content preview from Incident Response & Computer Forensics, Third Edition, 3rd Edition

CHAPTER 15

Malware Triage

We find malicious software, or malware, during many incidents that we investigate. Most people call any program that an attacker uses to their advantage, including publicly available tools, “malware.” However, calling all programs an attacker uses “malware” is not really a good idea because the term is too generic. We always seek to further categorize the malware, based on its high-level functionality. We use terms such as “backdoor,” “password hash dumper,” “privilege escalator,” and “port redirector.” Understanding ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Digital Forensics and Incident Response - Second Edition

Publisher Resources

ISBN: 9780071798686

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Incident Response & Computer Forensics, Third Edition, 3rd Edition

by Jason Luttgens, Matthew Pepe, Kevin Mandia

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.