INDEX
180 day rule 112
violations of 14
access control, re-establishing after system compromised 58
AccessData
AD eDiscovery 126
Enterprise 168
FTK Imager 164
memory analysis with Enterprise 167
Mobile Phone Examiner+ 126, 186
acquisition
report of findings 192
agile software development 45
AlienVault
Open Threat Exchange 49
allocation units see clusters
‘always on,’ 148
Amazon Web Services (AWS) 170, 174–5
S3 (Simple Storage Service) 172
American Academy of Forensic Sciences 115
relevant items 145
analysis of evidence 104
software suites 125
Android
JTAG port 184
OS 179
physical acquisition 185
Software Development Kit 183
appendices, report of findings 194
Apple
APFS (Apple file system) 137–8, 188
iCloud platform for mobile devices 183
iOS 124, 126, 137, 141, 179, 186, 187–8
Association of Chief Police Officers (ACPO) 109–10
attribution of crime across borders 105–7
audit, security incident detection 25
Autopsy (open source software) 127
backups 58
Baker, Bill 174
baseline of normal activity 44–5
Belkasoft RAM Capturer 164
blacklisting, virtual patch development 55
Blu-ray disc (BD) 135
Border Gateway Protocol (BGP) 54
borders, attribution of crimes across 105–7
Bourne-Again Shell (Bash) ‘Shellshock’ Vulnerability 55
Brighton and Sussex University Hospitals NHS Trust 74
British Airways 33
‘bug bounty programme,’ 85
business, security breaches bad for 81
business pressures
driver of live acquisition 148–9
interfering with digital forensics 57–8
reason for security incident 26
cables, grab bag contents 120
CAN-SPAM Act 2003 (US) 113
Cb Response (Carbon Black) 64, 65 (fig.)
CDs
live 120
non-volatile storage 155
securing crime scene 103
cellular networks 180
forms 118
report of findings 192
transportation of evidence 103
chief information security officer (CISO) 32
Child Protection and Obscenity Enforcement Act 1988 (US) 113
China, attribution of cybercrime 105
chip off, mobile device data recovery 184
civil investigations 100
cloud computing
eDiscovery tools 126
live acquisition 175
mobile device backups 183
service provider cooperation in investigation 103
cloud storage services
data handling mistakes 13
reason for security incident 26
Cloudflare/Cloudbleed 85
clusters 131
command injection vulnerabilty 18
Comprehensive Crime Control Act 1984 (US) 110–11
Computer Fraud and Abuse Act (US) 110–11
Computer Misuse Act 1990 (UK) 107–8
Computer Security Incident Handling Guide 11
conclusions and opinions formed, report of findings 193–4
consultants, use of 38
containment, incident response phase 52–7
customer data leak 56
network device infected with malware 52–3
phishing email 56
web application critical vulnerability 54–6
web site defaced 53
content management system (CMS) vulnerability in 53
corporate
communications 33
investigations 100
Corvil, wire data tool 21
cost, incident response service providers 89
courier services 103
CPU registers and cache volatility of 153
crash dump, memory capturing 165
credentials compromised, re-establishing access control 58
credit cards
hacking and 15
stealing malaware 30
crime scene
difference between physical/digital 101
criminal investigations 100, 108–9
Criminal Justice and Public Order Act 1994 (UK) 109
critical business processes 30–1
cryptographic hashes 49, 51, 119, 123–4, 143, 146
containment of leak 56
customers
availability of playbook to 28–9
contractual requirements 84
cyber liability insurance policy 76
Data Breach Investigations Report (Verizon) 41
data flow diagram 31, 32 (fig.)
Data Protection Act 1998 (UK) 13
database query logs 48
dd command line utility (Linux) 165
decryption, software suites 125, 145–6
Delta Airlines 33
denial of service (DoS) attacks 16–17
Computer Misuse Act 1990 (UK) 108
tracking changes 68
deployment times, security tools 64
development team, working with 47
digital camera, grab bag contents 119
digital versatile disk (DVD) 135
securing crime scene 103
disk duplication equipment 118–19, 123
distributed denial of service (DDoS) attacks 16
Computer Misuse Act 1990 (UK) 108
DNS (Domain Name System) 17, 47, 158
denial of service attack against records 53–4
chain of custody 96
DoD 5220-22.2.M media sterilization standard 124
door badges/access 49
double-blind penetration tests 36–7
duplicates, working on 97
Dyn 17
Dynamic Host Configuration Protocol (DHCP) 158
eDiscovery suites 126
Elasticsearch, log aggregation tool 20–1
Electronic Communications Privacy Act (US) 111–12
Email Privacy Act (US proposed) 112
emails
CAN-SPAM Act 2003 (US) 113
Stored Communications Act (US) 112
employees
anonymous reviews 86
containment after termination 56–7
culture of trust with 41
reports of security incidents 52
empowerment of security team 71
EnCase 98
evidence file format 123–4, 125, 164
investigative software suite 125
driver of live acquisition 149–50
network traffic and memory 163
ransomware and 16
removable storage media without 13
Endpoint Protection (Symantec) 51
ephemeral see containers
eradication
Europe, laws applicable to forensics 106–7, 114–15
event, different to incident 83–4
evidence
analysis 104
eradication and preservation 61–7
exculpatory 193
inculpatory 193
log files valuable as 21
preservation compared to eradication 57–8
report of findings 193
secure storage of 79
software suites for collection of 125
storage 103
transporting 103
executive summary, report of findings 191–2
existing security policies, review of 29
denial of service attack 16–17
hacking attack 15
phishing 15
ExtraHop, wire data tool 21, 22 (fig.) 158
failure to test, reason for security incident 26
Falcon Insight (CrowdStrike) 64
false positive/negatives 18–19, 51, 52
Faraday bags see RF-shielded bags
FAT (File Allocation Table) 137
file formats, capturing volatile memory 164
file integrity monitoring (FIM) 51–2
acquisition tools and 138
carving 144
cryptographic hashing of 143
known file filters 143
finance, quantifying cost of incident 76–9
firewall 48
firewall rules
customer data leak 56
site-to-site VPN 87
first responder, role of 95
Fmem (Linux) 165
Forensic Card Reader (UltraBlock) 135
forensic developer, role of 95
documentation 98
tools and techniques 98
working on duplicates 97
in-house 38
law enforcement involvement 38–9
use of consultants 38
Forensic Toolkit (AccessData) 98, 125
FTK Imager 164
forensic tools
networks 127
forensic workstations 121
forensics laptop, grab bag contents 119–20
forensics-ready environment 61–3
fraud
Computer Fraud and Abuse Act (US) 110–11
Computer Misuse Act 1990 (UK) 108
Identity Theft Penalty Enhancement Act (US) 112
Freedom Act (US) 113
funding for control improvements 75
General Data Protection Regulation (GDPR) 13, 37–8, 106, 114–15
investigator as data processor 115
Glassdoor 86
Good Practice Guide for Digital Evidence 109–10
Google Cloud Platform 170, 175
grep Linux command line utility 63
hacking
Computer Misuse Act 1990 (UK) 107–8
hacktivism 15
law in US 111
solid-state drives 130
hardware security module (HSM) 31
hashing see cryptographic hashes
‘Heartbleed’ software vulnerability 17–18
HFS+ file system 138
hibernation files, memory capture from 165–6
HTTP requests 20, 48, 54, 55, 62, 156
human resources
involvement of teams in post mortem meeting 73–4
security incident detection 25
hybrid cloud 170
identification, incident response phase 41–52
antivirus software 51
employee reports of incidents 52
file integrity monitoring (FIM) 51–2
network traffic monitoring 47–8
open-source intelligence (OSINT) 52
SIEM tool 49
threat intelligence 49
identity theft 200
Identity Theft Penalty Enhancement Act (US) 112
incident
awareness from social media 84–5
definition of 82
timeline 72
incident responder
cost of 77
role in preserving evidence 57–8
incident response, things to avoid 60–70
eradication and preservation 61–7
incident from an incident 67–9
incident response process 40–59
containment (see containment, incident response phase)
identification (see identification, incident response phase)
recovery 59
incident response service providers 88–90
three primary factors 89
indicator of compromise (IoC) 49
Information Commissioners Office (ICO) 74
infrastructure as a service (IaaS) 47, 170
intelligence services 109, 112–13
acceptable use policy violations 14
inappropriate data handling 12–13
mishandling security credentials 13–14
unauthorised access 14
International Association of Computer Investigative Specialists (IACIS) 115
International Mobile Equipment Identity (IMEI) 181–2
International Mobile Subscriber Identity (IMSI) 181
internet
accidental exposure to 26
browsers 144
IoT devices denial of service attack 17
internet service providers (ISPs) Regulation of Investigatory Powers Act 2000, 109
intrusion detection system 18–20
analysis 104
media 103
mobile devices 102
non-physical scenes 103
powered-off devices 102
powered-on devices 102
reporting 104
scoping 101
storage of evidence 103
transporting evidence 103
investigative software suites 124–5
investigator
roles 95
skills required 94
stresses and strains of work 203–4
IP address, denial of service attack against 53–4
iPhone, FBI encryption case 99
ISO 27001, 37
ISO, variations on incident response phases 40–1
isolation of infected network device 52–3
IT asset management (ITAM) 42–4
jailbreaking 187
Jamf 43
Joint Test Action Group (JTAG) 184
journaling 138
Kaspersky Lab, analysis of memory images 166
kernel statistics 154
law enforcement, forensic readiness involvement 38–9
lead investigator, role of 95
legislation 107–15 see also entries for individual laws
Lencioni, Patrick 30
Linux
dd command line utility 165
log files 143
memory 161
memory grabber 165
process table 154
routing table 153
temporary file system 154
technique 152
load balancer pool 53
Locard’s exchange principle 101
lockout, mobile device 181
log aggregation tools 20–1, 48
network traffic 158
retention of 63
logical acquisition, mobile devices 185
Long-Term Evolution (LTE) 180
machine learning, security incident detection 21
fileless and live acquisition 151
network device infected with 52–3
phishing email and 56
USB sticks and 49
manual acquisition, mobile devices 184–5
marketing emails 113
media storage devices, securing crime scene 103
medical records 200
memory
Linux 161
Microsoft Windows 161
real-time 168
crash dumps and hibernation files 165–6
file formats 164
memory cards 135
Memory Grabber (Linux) 165
mergers and acquisitions 87
micro SD card, mobile devices 185
micro-services architecture 177
Microsoft Azure 170
Microsoft Windows
file system 137
physical memory 161
WannaCry ransomware attack 16
Mirai botnet 17
misinformation 57
mistakes, made during incident response process 60–9
forensic hardware kits 124
forensic software suites 126
securing crime scene 102
damaged 184
powered off 183
powered on and locked 183
Mobile Phone Examiner+ (AccessData) 126, 186
National Health Service (NHS) ransomware attack 16
netstat command-line utility 48, 153, 163
Netwitness 23
finding evidence 155
traffic logs 158
wireless 158
Network Mapper 43
Network Time Protocol (NTP) 46
networks
connection information in memory 162–3
device infected with malware 52–3
forensic tools 127
restoring connectivity 59
wire data 21
definitions of incident/events 82, 83–4
incident response process phases 40
Nmap 43
non-physical crime scene 103
non-technical incident detection 23–5
‘normal,’ identification of security incident 44–5
North Korea, attribution of cybercrime 106
NTFS (New Technology File System) 137, 139
open-source forensic tools 127–8
open-source intelligence (OSINT) 52, 86–7
Open Threat Exchange (Alienvault) 49
open windows, contents in memory 162
network connection tools 48
OSSEC 52
OSXPMem utility (Rekall) 164
overly restrictive security controls 25
PACE see Police and Criminal Evidence Act 1984 (UK)
page tables 167
Paraben
PAP 8000 camera 185
passcode removal, mobile devices 183
found in memory 162
‘Heartbleed’ vulnerabity 17
payment card data 12
Payment Card Industry Data Security Standard (PCI DSS) 12, 37
peer review, playbook testing 34–5
penetration test, security incident detection 25
double-blind 36
pens and paper, grab bag contents 118
alerting to an incident 34
incident response test 73
reason for security incident 26
security professional learning about business 87–8
Peripheral Component Interconnect (PCI) Express bus 164
personal data, rights of individuals in Europe 114–15
personal unblocking key (PUK) 181
phishing 15
Computer Misuse Act 1990 (UK) 107
containment of 56
photographs, chain of custody 96
PIN code (SIM cards) 181
platform as a service (PaaS) 170
playbook
cloud computing and 170
tweaks and changes following post mortem meeting 74–5
data flow diagrams 31, 32 (fig.)
outline process 34
‘regular’ incident management 29–30
review existing policies 29
third party contacts 34
double-blind penetration tests 36–7
table-top exercise 35
police, security incident detection 23
Police and Criminal Evidence Act 1984 (UK) 108–9
control improvements 75
incident response playbook and 74–5
incident response test 73
incident timeline 72
time between incident and 71–2
vendors 74
post-traumatic stress disorder (PTSD) 204
powered-off devices, securing crime scene 102, 183
powered-on devices, securing crime scene 102
private cloud 170
process table 154
processing
evidence with software suites 125
productive time, cost of losses 77–8
professional bodies 115
protected computers under CFAA in US 110–11
Protection of Children Act 1978 (UK) 109
public cloud 170
containment after incident 57
recovery process 59
QRadar 23
quantifying cost of incident
incident responders 77
quarantine, antivirus software 51
RAID configuration, driver of live acquisition 150–1
ransomware 16
recovery of files from 59
real-time memory analysis 168
recovery, incident response phase 59
recovery of compromised data 58
reducing security to fix problem 68–9
‘regular’ incident management 29–30
Regulation of Investigatory Powers Act 2000 (UK) 109
reimaging of compromised systems 58
Rekall framework, memory analysis 167
remote workers
detecting abnormal usage 47
logging platforms and 62
memory cards 135
non-volatile storage 155
USB 134
report, investigative process 104
reporting of evidence, software suites 125
reports
audience 194
retention of logs 63
risk
double-blind penetration tests 36–7
mergers and acquisitions 87
reducing security to fix problem 68–9
role of investigator 190
rooting, Android smartphones 186–7
rootkit-style viruses 51
routing table 153
RSA, spear phishing emails case 79
running process information, physical memory artefacts 162
Russia, attribution of cybercrime 105
safety deposit box 97
Samanage 43
SATA disk interface 132
scenario-based testing, playbook 35–6
scoping 101
screwdrivers, grab bag contents 118
scrubbing centre 54
SD cards, securing crime scene 103
sectors 131
security assessment questionnaire 82
security credentials, mishandling 13–14
security incident and event management (SIEM) 21–3, 49
security incidents
definition 11
Security Monkey 175
security policy, different organisations 11–12
security tools, cost of 64
security updates, malware attack and 15
service accounts, passwords and 13
ServiceNow Asset Management 43
sexting 199
Sexual Offences Act 2003 (UK) 109
signatures, IDS & IPS systems 20
SIM cards 181
acquisition of data 186
Simple Network Management Protocol (SNMP) 53
mobile device acquisition 185
Sleuth Kit 127
monitoring tools 52
software as a service (SaaS) 171
solid-state drives 130
Sony Pictures incident, attribution of cybercrime case 106
Sophos 51
spam 113
spear-phishing 15
RSA case 79
speed, incident response service providers 89
Splunk, log aggregation tool 20
standards, compliance with 37–8
standards, incident response phases 40–1
storage, security of evidence 96–7, 103
Stored Communications Act (US) 112
subcontractors 74
Sumologic, log aggregation tool 20
surveillance, enhanced in US 112–13
table-top exercise, playbook testing 35
Talk Talk 86
Target, credit card phishing attack 72
tcpdump 127
technical controls, incident detection 19–23
IDS & IPS 20
machine learning 21
wire data tools 21
templates for reports 191
Temporary Mobile Subscriber Identity (TMSI) 181, 186
third-party contacts 34
Threat Exchange (Facebook) 49
threat hunting 64
threat intelligence feeds 49
tools and techniques
proven 98
torch, grab bag contents 119
traffic filtering see scrubbing centre
training
first responder/forensic readiness 64–7
in-house forensic readiness 38
lack of 26
Transport Layer Security (TLS) 157, 163
Tripwire 52
trust
culture within organisation 23
cybercrime and 199
incident response service providers 89
Twitter, open source intelligence 52
UFED suite (Cellbrite) 185
United Kingdom, laws applicable to forensics 107–10
United States, laws applicable to forensics 110–14
Universal Mobile Telecommunications System (UMTS) 180
US Secret Service 110
guidelines on seizing electronic evidence 113–14
usability, mobile devices 179–80
USB debugging 183
USB/flash drives 134, 137, 138, 140, 141
user credentials, containment of phishing email attack 56
User Datagram Protocol (UDP) packets 46
user-reported security incidents 23
vendors, legal counsel involvement 74
Veritas, eDiscovery platform 126
Verizon, Data Breach Investigation Report 41
virtual local area network (VLAN) remediation 53
virtual machines, driver of live acquisition 151–2
virtual memory 167
removal of 59
viruses, Computer Misuse Act 1990 (UK) 108
volatile data/evidence 127
volatile memory/evidence 97, 160
securing crime scene 102
Volatility Framework, memory forensics suite 165, 167
VPN, site-to-site 87
walkthrough test see table-top exercise, playbook testing
WannaCry 16
‘waterfall’ software development 45
web application
firewall (WAF) 54
log files 63
websites
containment of defaced 53
fake versions of 15
whitelisting, virtual patch development 55
Windump 127
WinHex (X-Ways) 126
Sony Pictures incident 106
Wiretap Act 1968 (US) 111
witnesses, technical/expert 190
memory cards 135
mobile phone physical acquisition 185
smartphone cable 182
solid-state drives 130
USB 134
XFS file system 138
Yahoo 42
youths, victims of cybercrime 199–200
zgrep 63
zipgrep 63
zombies 16