Preface

The idea to write this book came as a result of developing curriculum at the Defense Cyber Investigations Training Academy. It occurred to us that there were not any published books on intrusion investigations. There are plenty of great books about computer forensics, registry analysis, penetration testing, network security and hacking. A reader could read a majority of these books and have a good idea of what an intrusion investigation would entail. There are courses that one could take on intrusion investigations as well. The intent of this book is to introduce the reader to the core principles and steps of an intrusion investigation. Our hope is that the reader will take the material provided and continue to build upon it. We really only scratched the surface, and there is a lot more to learn. One book could never cover every tool, application, technique or type of intrusion. What we did cover is a solid foundation and methodology that can be built upon and adapted to the reader's needs. One thing that this book will not do is provide a "checklist" of steps to take. Throughout both our careers we have often been asked to produce such a list, and we have vehemently refused to do so. Why? Although having a list of potential tools to use and procedures to run can help remind you of your options, following a list is never advised. An investigator needs to be able to adapt to the situation. Not every intrusion, network and incident will be the same. There is no cookie-cutter, step-by-step process that you can use. To be effective and successful at this job, you must have a large variety of tools, tricks and techniques at your disposal, and you will need to remain competent in their use. If you decide to create your own list, that is your decision.

Intended Audience

This book is intended for anyone with an interest in network intrusion investigations. A new investigator can take the techniques and build upon them. A network administrator or security professional can gain insight into what an incident responder and/or intrusion investigator will need from them when an intrusion does occur. A computer forensic analyst can expand their own skillset in order to provide more services to their clients or advance their career. This book could also prove valuable for anyone who is responsible for any aspect of a network's security.

Organization of this book

This book is organized by each stage of an investigation. The thing to remember is that even though we cover each stage in a particular order, that does not mean that every investigation will flow in that order. An investigation can be initiated at any one of these stages. The evidence you find will lead you to one stage or another. Again, you will simply have to be flexible enough to adapt. Often you will find that you need to revisit a stage that you had previously analyzed. As an example, you may have to go back to a host machine and locate registry keys that were discovered as a result of the malware analysis.

The process begins in Chapter 2, where we walk through a simple intrusion. We monitor the network traffic for later analysis.

In Chapter 3, we focus on incident response and the related considerations. We discuss creating your own toolset, and we also take a look at two commercial products.

Chapter 4 discusses analyzing the volatile data that would have been collected in Chapter 3. This includes memory analysis. Again, numerous tools are explored.

In Chapter 5, we explore network analysis techniques, tools and considerations.

Chapter 6 provides an overview of host analysis. We look at a number of tools that each analyze a portion of the host, and we also discuss the all-inclusive common commercial tools.

Chapter 7 introduces the reader to basic malware analysis. This chapter is meant as an introduction to a very complex subject.

Chapter 8 provides some guidance in regards to report writing. We discuss certain things that you want to ensure are included in a report. We also focus on how to tie all the pieces together and paint as clear a picture of the event as you can.
