Part II: Incident Detection and Characterization
by Kevin Mandia, Matthew Pepe, Jason Luttgens
Incident Response & Computer Forensics, Third Edition, 3rd Edition
Cover
Title Page
Copyright Page
About the Authors
About the Contributors
About the Technical Editor
Contents
Foreword
Acknowledgments
Introduction
Part I: Preparing for the Inevitable Incident
Chapter 1: Real-World Incidents
What Constitutes an Incident?
What Is Incident Response?
Where We Are Now
Why Should You Care About Incident Response?
Case Studies
Case Study #1: Show Me the Money
Case Study #2: Certificate of Authenticity
Concept of the Attack Lifecycle
So What?
Questions
Chapter 2: IR Management Handbook
What Is a Computer Security Incident?
What Are the Goals of Incident Response?
Who Is Involved in the IR Process?
Finding IR Talent
The Incident Response Process
Initial Response
Investigation
Remediation
Tracking of Significant Investigative Information
Reporting
So What?
Questions
Chapter 3: Pre-Incident Preparation
Preparing the Organization for Incident Response
Identifying Risk
Policies That Promote a Successful IR
Working with Outsourced IT
Thoughts on Global Infrastructure Issues
Educating Users on Host-Based Security
Preparing the IR Team
Defining the Mission
Communication Procedures
Deliverables
Resources for the IR Team
Preparing the Infrastructure for Incident Response
Computing Device Configuration
Network Configuration
So What?
Questions
Part II: Incident Detection and Characterization
Chapter 4: Getting the Investigation Started on the Right Foot
Collecting Initial Facts
Checklists
Maintenance of Case Notes
Building an Attack Timeline
Understanding Investigative Priorities
What Are Elements of Proof?
Setting Expectations with Management
So What?
Questions
Chapter 5: Initial Development of Leads
Defining Leads of Value
Acting on Leads
Turning Leads into Indicators
The Lifecycle of Indicator Generation
Resolving Internal Leads
Resolving External Leads
So What?
Questions
Chapter 6: Discovering the Scope of the Incident
What Should I Do?
Examining Initial Data
Gathering and Reviewing Preliminary Evidence
Determining a Course of Action
Customer Data Loss Scenario
Customer Data Loss—Scoping Gone Wrong
Automated Clearing House (ACH) Fraud Scenario
ACH Fraud—Scoping Gone Wrong
So What?
Questions
Part III: Data Collection
Chapter 7: Live Data Collection
When to Perform a Live Response
Selecting a Live Response Tool
What to Collect
Collection Best Practices
Live Data Collection on Microsoft Windows Systems
Prebuilt Toolkits
Do It Yourself
Memory Collection
Live Data Collection on Unix-Based Systems
Live Response Toolkits
Memory Collection
So What?
Questions
Chapter 8: Forensic Duplication
Forensic Image Formats
Complete Disk Image
Partition Image
Logical Image
Image Integrity
Traditional Duplication
Hardware Write Blockers
Image Creation Tools
Live System Duplication
Duplication of Enterprise Assets
Duplication of Virtual Machines
So What?
Questions
Chapter 9: Network Evidence
The Case for Network Monitoring
Types of Network Monitoring
Event-Based Alert Monitoring
Header and Full Packet Logging
Statistical Modeling
Setting Up a Network Monitoring System
Choosing Appropriate Hardware
Installation of a Pre-built Distribution
Deploying the Network Sensor
Evaluating Your Network Monitor
Network Data Analysis
Data Theft Scenario
Webshell Reconnaissance Scenario
Other Network Analysis Tools
Collect Logs Generated from Network Events
So What?
Questions
Chapter 10: Enterprise Services
Network Infrastructure Services
DHCP
DNS
Enterprise Management Applications
LANDesk Software Management Suite
Symantec Altiris Client Management Suite
Antivirus Software
Antivirus Quarantine
Symantec Endpoint Protection
McAfee VirusScan
Trend Micro OfficeScan
Web Servers
Web Server Background
Apache HTTP Server
Microsoft Internet Information Services (IIS)
Database Servers
Microsoft SQL
MySQL
Oracle
So What?
Questions
Part IV: Data Analysis
Chapter 11: Analysis Methodology
Define Objectives
Know Your Data
Where Is Data Stored?
What’s Available?
Access Your Data
Analyze Your Data
Outline an Approach
Select Methods
Evaluate Results
So What?
Questions
Chapter 12: Investigating Windows Systems
NTFS and File System Analysis
The Master File Table
INDX Attributes
Change Logs
Volume Shadow Copies
File System Redirector
Prefetch
The Evidence
Analysis
Event Logs
The Evidence
Analysis
Scheduled Tasks
Creating Tasks with the “at” Command
Creating Tasks with the schtasks Command
The Evidence
Analysis
The Windows Registry
The Evidence
Analysis
Registry Analysis Tools
Other Artifacts of Interactive Sessions
LNK Files
Jump Lists
The Recycle Bin
Memory Forensics
The Evidence
Memory Analysis
Alternative Persistence Mechanisms
Startup Folders
Recurring Tasks
System Binary Modification
DLL Load-Order Hijacking
Review: Answering Common Investigative Questions
So What?
Questions
Chapter 13: Investigating Mac OS X Systems
HFS+ and File System Analysis
Volume Layout
File System Services
Core Operating System Data
File System Layout
User and Service Configuration
Trash and Deleted Files
System Auditing, Databases, and Logging
Scheduled Tasks and Services
Application Installers
A Review: Answering Common Investigative Questions
So What?
Questions
Chapter 14: Investigating Applications
What Is Application Data?
Where Is Application Data Stored?
Windows
OS X
Linux
General Investigation Methods
Web Browsers
Internet Explorer
Google Chrome
Mozilla Firefox
E-Mail Clients
Web E-Mail
Microsoft Outlook for Windows
Apple Mail
Microsoft Outlook for Mac
Instant Message Clients
Methodology
Instant Message
So What?
Questions
Chapter 15: Malware Triage
Malware Handling
Safety
Documentation
Distribution
Accessing Malicious Sites
Triage Environment
Setting Up a Virtual Environment
Static Analysis
What Is That File?
Portable Executable Files
Dynamic Analysis
Automated Dynamic Analysis: Sandboxes
Manual Dynamic Analysis
So What?
Questions
Chapter 16: Report Writing
Why Write Reports?
Reporting Standards
Report Style and Formatting
Report Content and Organization
Quality Assurance
So What?
Questions
Part V: Remediation
Chapter 17: Remediation Introduction
Basic Concepts
Remediation Pre-Checks
Form the Remediation Team
When to Create the Remediation Team
Assigning a Remediation Owner
Members of the Remediation Team
Determine the Timing of the Remediation
Develop and Implement Remediation Posturing Actions
Implications of Alerting the Attacker
Develop and Implement Incident Containment Actions
Develop the Eradication Action Plan
Determine Eradication Event Timing and Execute Eradication Plan
Develop Strategic Recommendations
Document the Lessons Learned
Putting It All Together
Common Mistakes That Lead to Remediation Failure
So What?
Questions
Chapter 18: Remediation Case Study
Remediation Plan for Case Study #1: Show Me the Money
Select the Team
Determine Remediation Timing
Contain the Incident
Posture the Environment
Eradicate the Attacker
Set the Strategic Direction
So What?
Questions
Index
PART II
Incident Detection and Characterization