Table of Contents

Preface

Part 1: Foundations of Incident Response and Digital Forensics

1

Understanding Incident Response

The IR process

The role of digital forensics

The IR framework

The IR charter

CSIRT team

The IR plan

Incident classification

The IR playbook/handbook

Escalation process

Testing the IR framework

Summary

Questions

Further reading

2

Managing Cyber Incidents

Engaging the incident response team

CSIRT engagement models

Investigating incidents

The CSIRT war room

Communications

Rotating staff

SOAR

Incorporating crisis communications

Internal communications

External communications

Public notification

Incorporating containment strategies

Getting back to normal – eradication, recovery, and post-incident activity

Summary

Questions

Further reading

3

Fundamentals of Digital Forensics

An overview of forensic science

Locard’s exchange principle

Legal issues in digital forensics

Law and regulations

Rules of evidence

Forensic procedures in incident response

A brief history of digital forensics

The digital forensics process

The digital forensics lab

Summary

Questions

Further reading

4

Investigation Methodology

An intrusion analysis case study: The Cuckoo’s Egg

Types of incident investigation analysis

Functional digital forensic investigation methodology

Identification and scoping

Collecting evidence

The initial event analysis

The preliminary correlation

Event normalization

Event deconfliction

The second correlation

The timeline

Kill chain analysis

Reporting

The cyber kill chain

The diamond model of intrusion analysis

Diamond model axioms

A combined diamond model and kill chain intrusion analysis

Attribution

Summary

Questions

Part 2: Evidence Acquisition

5

Collecting Network Evidence

An overview of network evidence

Preparation

A network diagram

Configuration

Firewalls and proxy logs

Firewalls

Web application firewalls

Web proxy servers

NetFlow

Packet capture

tcpdump

WinPcap and RawCap

Wireshark

Evidence collection

Summary

Questions

Further reading

6

Acquiring Host-Based Evidence

Preparation

Order of volatility

Evidence acquisition

Evidence collection procedures

Acquiring volatile memory

FTK Imager

WinPmem

RAM Capturer

Virtual systems

Acquiring non-volatile evidence

FTK obtaining protected files

The CyLR response tool

Kroll Artifact Parser and Extractor

Summary

Questions

Further reading

7

Remote Evidence Collection

Enterprise incident response challenges

Endpoint detection and response

Velociraptor overview and deployment

Velociraptor server

Velociraptor Windows collector

Velociraptor scenarios

Velociraptor evidence collection

CyLR

WinPmem

Summary

Questions

8

Forensic Imaging

Understanding forensic imaging

Image versus copy

Logical versus physical volumes

Types of image files

SSD versus HDD

Tools for imaging

Preparing a staging drive

Using write blockers

Imaging techniques

Dead imaging

Live imaging

Virtual systems

Linux imaging

Summary

Questions

Further reading

Part 3: Evidence Analysis

9

Analyzing Network Evidence

Network evidence overview

Analyzing firewall and proxy logs

SIEM tools

The Elastic Stack

Analyzing NetFlow

Analyzing packet captures

Command-line tools

Real Intelligence Threat Analytics

NetworkMiner

Arkime

Wireshark

Summary

Questions

Further reading

10

Analyzing System Memory

Memory analysis overview

Memory analysis methodology

SANS six-part methodology

Network connections methodology

Memory analysis tools

Memory analysis with Volatility

Volatility Workbench

Memory analysis with Strings

Installing Strings

Common Strings searches

Summary

Questions

Further reading

11

Analyzing System Storage

Forensic platforms

Autopsy

Installing Autopsy

Starting a case

Adding evidence

Navigating Autopsy

Examining a case

Master File Table analysis

Prefetch analysis

Registry analysis

Summary

Questions

Further reading

12

Analyzing Log Files

Logs and log management

Working with SIEMs

Splunk

Elastic Stack

Security Onion

Windows Logs

Windows Event Logs

Analyzing Windows Event Logs

Acquisition

Triage

Detailed Event Log analysis

Summary

Questions

Further reading

13

Writing the Incident Report

Documentation overview

What to document

Types of documentation

Sources

Audience

Executive summary

Incident investigation report

Forensic report

Preparing the incident and forensic report

Note-taking

Report language

Summary

Questions

Further reading

Part 4: Ransomware Incident Response

14

Ransomware Preparation and Response

History of ransomware

CryptoLocker

CryptoWall

CTB-Locker

TeslaCrypt

SamSam

Locky

WannaCry

Ryuk

Conti ransomware case study

Background

Operational disclosure

Tactics and techniques

Exfiltration

Impact

Proper ransomware preparation

Ransomware resiliency

Prepping the CSIRT

Eradication and recovery

Containment

Eradication

Recovery

Summary

Questions

Further reading

15

Ransomware Investigations

Ransomware initial access and execution

Initial access

Execution

Discovering credential access and theft

ProcDump

Mimikatz

Investigating post-exploitation frameworks

Command and Control

Security Onion

RITA

Arkime

Investigating lateral movement techniques

Summary

Questions

Further reading

Part 5: Threat Intelligence and Hunting

16

Malware Analysis for Incident Response

Malware analysis overview

Malware classification

Setting up a malware sandbox

Local sandbox

Cloud sandbox

Static analysis

Static properties analysis

Dynamic analysis

Process Explorer

Process Spawn Control

Automated analysis

ClamAV

YARA

YarGen

Summary

Questions

Further reading

17

Leveraging Threat Intelligence

Threat intelligence overview

Threat intelligence types

The Pyramid of Pain

The threat intelligence methodology

Sourcing threat intelligence

Internally developed sources

Commercial sourcing

Open source intelligence

The MITRE ATT&CK framework

Working with IOCs and IOAs

Threat intelligence and incident response

Autopsy

Maltego

YARA and Loki

Summary

Questions

Further reading

18

Threat Hunting

Threat hunting overview

Threat hunt cycle

Threat hunt reporting

Threat hunting maturity model

Crafting a hypothesis

MITRE ATT&CK

Planning a hunt

Digital forensic techniques for threat hunting

EDR for threat hunting

Summary

Questions

Further reading

Appendix

Assessments

Index

Other Books You May Enjoy
