Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer, First Edition

Book Description

Investigating the Cyber Breach

The Digital Forensics Guide for the Network Engineer

  • Understand the realities of cybercrime and today’s attacks
  • Build a digital forensics lab to test tools and methods, and gain expertise
  • Take the right actions as soon as you discover a breach
  • Determine the full scope of an investigation and the role you’ll play
  • Properly collect, document, and preserve evidence and data
  • Collect and analyze data from PCs, Macs, IoT devices, and other endpoints
  • Use packet logs, NetFlow, and scanning to build timelines, understand network activity, and collect evidence
  • Analyze iOS and Android devices, and understand encryption-related obstacles to investigation
  • Investigate and trace email, and identify fraud or abuse
  • Use social media to investigate individuals or online identities
  • Gather, extract, and analyze breach data with Cisco tools and techniques
  • Walk through common breaches and responses from start to finish
  • Choose the right tool for each task, and explore alternatives that might also be helpful

The professional’s go-to digital forensics resource for countering attacks right now

Today, cybersecurity and networking professionals know they can’t possibly prevent every breach, but they can substantially reduce risk by quickly identifying and blocking breaches as they occur. Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer is the first comprehensive guide to doing just that.

Writing for working professionals, senior cybersecurity experts Joseph Muniz and Aamir Lakhani present up-to-the-minute techniques for hunting attackers, following their movements within networks, halting exfiltration of data and intellectual property, and collecting evidence for investigation and prosecution. You’ll learn how to make the most of today’s best open source and Cisco tools for cloning, data analytics, network and endpoint breach detection, case management, monitoring, analysis, and more.

Unlike digital forensics books focused primarily on post-attack evidence gathering, this one offers complete coverage of tracking threats, improving intelligence, rooting out dormant malware, and responding effectively to breaches underway right now.

This book is part of the Networking Technology: Security Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About This E-Book
  5. About the Author
  6. About the Technical Reviewers
  7. Dedication
  8. Acknowledgments
  9. Reader Services
  10. Command Syntax Conventions
  11. Introduction
  12. Who Should Read This Book?
  13. How This Book Is Organized
  14. Chapter 1 Digital Forensics
    1. Defining Digital Forensics
    2. Engaging Forensics Services
    3. Reporting Crime
    4. Search Warrant and Law
    5. Forensic Roles
    6. Forensic Job Market
    7. Forensic Training
    8. Summary
    9. References
  15. Chapter 2 Cybercrime and Defenses
    1. Crime in a Digital Age
    2. Exploitation
    3. Adversaries
    4. Cyber Law
    5. Summary
    6. Reference
  16. Chapter 3 Building a Digital Forensics Lab
    1. Desktop Virtualization
      1. VMware Fusion
      2. VirtualBox
    2. Installing Kali Linux
    3. Attack Virtual Machines
    4. Cuckoo Sandbox
      1. Virtualization Software for Cuckoo
      2. Installing TCPdump
      3. Creating a User on VirtualBox for Cuckoo
    5. Binwalk
    6. The Sleuth Kit
    7. Cisco Snort
    8. Windows Tools
    9. Physical Access Controls
    10. Storing Your Forensics Evidence
      1. Network Access Controls
    11. Jump Bag
    12. Summary
    13. References
  17. Chapter 4 Responding to a Breach
    1. Why Organizations Fail at Incident Response
    2. Preparing for a Cyber Incident
    3. Defining Incident Response
    4. Incident Response Plan
    5. Assembling Your Incident Response Team
      1. When to Engage the Incident Response Team
      2. Outstanding Items that Often Get Missed with Incident Response
      3. Phone Tree and Contact List
      4. Facilities
    6. Responding to an Incident
    7. Assessing Incident Severity
    8. Following Notification Procedures
    9. Employing Post-Incident Actions and Procedures
    10. Identifying Software Used to Assist in Responding to a Breach
      1. Trend Analysis Software
      2. Security Analytics Reference Architectures
      3. Other Software Categories
    11. Summary
    12. References
  18. Chapter 5 Investigations
    1. Pre-Investigation
    2. Opening a Case
    3. First Responder
    4. Device Power State
    5. Search and Seizure
    6. Chain of Custody
    7. Network Investigations
    8. Forensic Reports
      1. Case Summary
        1. Example
      2. Acquisition and Exam Preparation
        1. Example
      3. Findings
        1. Example
      4. Conclusion
        1. Example
      5. List of Authors
        1. Example
    9. Closing the Case
    10. Critiquing the Case
    11. Summary
    12. References
  19. Chapter 6 Collecting and Preserving Evidence
    1. First Responder
    2. Evidence
      1. Autopsy
      2. Authorization
    3. Hard Drives
      1. Connections and Devices
      2. RAID
    4. Volatile Data
      1. DumpIt
      2. LiME
      3. Volatility
    5. Duplication
      1. dd
      2. dcfldd
      3. ddrescue
      4. Netcat
      5. Guymager
      6. Compression and Splitting
    6. Hashing
      1. MD5 and SHA Hashing
      2. Hashing Challenges
    7. Data Preservation
    8. Summary
    9. References
  20. Chapter 7 Endpoint Forensics
    1. File Systems
      1. Locating Data
      2. Unknown Files
    2. Windows Registry
      1. Deleted Files
      2. Windows Recycle Bin
      3. Shortcuts
    3. Printer Spools
      1. Slack Space and Corrupt Clusters
      2. Alternate Data Streams
      3. Mac OS X
      4. OS X Artifacts
    4. Log Analysis
    5. IoT Forensics
    6. Summary
    7. References
  21. Chapter 8 Network Forensics
    1. Network Protocols
    2. Security Tools
      1. Firewall
      2. Intrusion Detection and Prevention System
      3. Content Filter
      4. Network Access Control
      5. Packet Capturing
      6. NetFlow
      7. Sandbox
      8. Honeypot
      9. Security Information and Event Manager (SIEM)
      10. Threat Analytics and Feeds
      11. Security Tool Summary
    3. Security Logs
    4. Network Baselines
    5. Symptoms of Threats
      1. Reconnaissance
      2. Exploitation
      3. Malicious Behavior
      4. Beaconing
      5. Brute Force
      6. Exfiltration
      7. Other Indicators
    6. Summary
    7. References
  22. Chapter 9 Mobile Forensics
    1. Mobile Devices
      1. Investigation Challenges
    2. iOS Architecture
    3. iTunes Forensics
    4. iOS Snapshots
    5. How to Jailbreak the iPhone
    6. Android
    7. PIN Bypass
      1. How to Brute Force Passcodes on the Lock Screen
    8. Forensics with Commercial Tools
    9. Call Logs and SMS Spoofing
    10. Voicemail Bypass
    11. How to Find Burner Phones
    12. SIM Card Cloning
    13. Summary
    14. Reference
  23. Chapter 10 Email and Social Media
    1. A Message in a Bottle
    2. Email Header
    3. Social Media
    4. People Search
    5. Google Search
    6. Facebook Search
    7. Summary
    8. References
  24. Chapter 11 Cisco Forensic Capabilities
    1. Cisco Security Architecture
    2. Cisco Open Source
    3. Cisco Firepower
    4. Cisco Advanced Malware Protection (AMP)
    5. Cisco Threat Grid
    6. Cisco Web Security Appliance
    7. Cisco CTA
    8. Meraki
    9. Email Security Appliance
    10. Cisco Identity Services Engine
    11. Cisco Stealthwatch
    12. Cisco Tetration
    13. Cisco Umbrella
    14. Cisco Cloudlock
    15. Cisco Network Technology
    16. Summary
    17. Reference
  25. Chapter 12 Forensic Case Studies
    1. Scenario 1: Investigating Network Communication
      1. Pre-engagement
      2. Investigation Strategy for Network Data
      3. Investigation
      4. Closing the Investigation
    2. Scenario 2: Using Endpoint Forensics
      1. Pre-engagement
      2. Investigation Strategy for Endpoints
      3. Investigation
      4. Potential Steps to Take
      5. Closing the Investigation
    3. Scenario 3: Investigating Malware
      1. Pre-engagement
      2. Investigation Strategy for Rogue Files
      3. Investigation
      4. Closing the Investigation
    4. Scenario 4: Investigating Volatile Data
      1. Pre-engagement
      2. Investigation Strategy for Volatile Data
      3. Investigation
      4. Closing the Investigation
    5. Scenario 5: Acting as First Responder
      1. Pre-engagement
      2. First Responder Strategy
      3. Closing the Investigation
    6. Summary
    7. References
  26. Chapter 13 Forensic Tools
    1. Tools
      1. Slowloris DDOS Tool: Chapter 2
      2. Low Orbit Ion Cannon
      3. VMware Fusion: Chapter 3
      4. VirtualBox: Chapter 3
      5. Metasploit: Chapter 3
      6. Cuckoo Sandbox: Chapter 3
      7. Cisco Snort: Chapter 3
      8. FTK Imager: Chapters 3, 9
      9. FireEye Redline: Chapter 3
      10. P2 eXplorer: Chapter 3
      11. PlainSight: Chapter 3
      12. Sysmon: Chapter 3
      13. WebUtil: Chapter 3
      14. ProDiscover Basics: Chapter 3
      15. Solarwinds Trend Analysis Module: Chapter 4
      16. Splunk: Chapter 4
      17. RSA Security Analytics: Chapter 4
      18. IBM’s QRadar: Chapter 4
      19. HawkeyeAP: Chapter 4
      20. WinHex: Chapters 6, 7
      21. OSForensics: Chapter 6
      22. Mount Image Pro: Chapter 6
      23. DumpIt: Chapter 6
      24. LiME: Chapter 6
      25. TrIDENT: Chapter 7
      26. PEiD: Chapter 7
      27. Lnkanalyser: Chapter 7
      28. Windows File Analyzer: Chapter 7
      29. LECmd: Chapter 7
      30. SplViewer: Chapter 7
      31. PhotoRec: Chapter 7
      32. Windows Event Log: Chapter 7
      33. Log Parser Studio: Chapter 7
      34. LogRhythm: Chapter 8
    2. Mobile Devices
      1. Elcomsoft: Chapter 9
      2. Cellebrite: Chapter 9
      3. iPhone Backup Extractor: Chapter 9
      4. iPhone Backup Browser: Chapter 9
      5. Pangu: Chapter 9
      6. KingoRoot Application: Chapter 9
    3. Kali Linux Tools
      1. Fierce: Chapter 8
      2. TCPdump: Chapter 3
      3. Autopsy and Autopsy with the Sleuth Kit: Chapters 3, 6
      4. Wireshark: Chapter 8
      5. Exiftool: Chapter 7
      6. DD: Chapter 6
      7. Dcfldd: Chapter 6
      8. Ddrescue: Chapter 6
      9. Netcat: Chapter 6
      10. Volatility: Chapter 6
    4. Cisco Tools
      1. Cisco AMP
      2. Stealthwatch: Chapter 8
      3. Cisco WebEx: Chapter 4
      4. Snort: Chapter 11
      5. ClamAV: Chapter 10
      6. Razorback: Chapter 10
      7. Daemonlogger: Chapter 10
      8. Moflow Framework: Chapter 10
      9. Firepower: Chapter 10
      10. Threat Grid: Chapter 10
      11. WSA: Chapter 10
      12. Meraki: Chapter 10
      13. Email Security: Chapter 10
      14. ISE: Chapter 10
      15. Cisco Tetration: Chapter 10
      16. Umbrella: Chapter 10
      17. Norton ConnectSafe: No Chapter
      18. Cloudlock: Chapter 10
    5. Forensic Software Packages
      1. FTK Toolkit: Chapter 3
      2. X-Ways Forensics: Chapter 3
      3. OSforensics: Chapter 6
      4. EnCase: Chapter 7
      5. Digital Forensics Framework (DFF): Chapter 7
    6. Useful Websites
      1. Shodan: Chapter 1
      2. Wayback Machine: Chapter 3
      3. Robot.txt files: Chapter 2
      4. Hidden Wiki: Chapter 2
      5. NIST: Chapter 4
      6. CVE: Chapter 4
      7. Exploit-DB: Chapter 4
      8. Pastebin: Chapters 4, 10
      9. University of Pennsylvania Chain of Custody Form: Chapter 6
      10. List of File Signatures: Chapter 9
      11. Windows Registry Forensics Wiki: Chapter 7
      12. Mac OS Forensics Wiki: Chapter 7
    7. Miscellaneous Sites
      1. Searchable FCC ID Database
      2. Service Name and Transport Protocol Port Number Registry
      3. NetFlow Version 9 Flow-Record Format
      4. NMAP
      5. Pwnable
      6. Embedded Security CTF
      7. CTF Learn
      8. Reversing.Kr
      9. Hax Tor
      10. W3Challs
      11. RingZer0 Team Online CTF
      12. Hellbound Hackers
      13. Over the Wire
      14. Hack This Site
      15. VulnHub
      16. Application Security Challenge
      17. iOS Technology Overview
    8. Summary
  27. Index