Book Image

Digital Forensics and Incident Response

By : Gerard Johansen
Book Image

Digital Forensics and Incident Response

By: Gerard Johansen

Overview of this book

Digital Forensics and Incident Response will guide you through the entire spectrum of tasks associated with incident response, starting with preparatory activities associated with creating an incident response plan and creating a digital forensics capability within your own organization. You will then begin a detailed examination of digital forensic techniques including acquiring evidence, examining volatile memory, hard drive assessment, and network-based evidence. You will also explore the role that threat intelligence plays in the incident response process. Finally, a detailed section on preparing reports will help you prepare a written report for use either internally or in a courtroom. By the end of the book, you will have mastered forensic techniques and incident response and you will have a solid foundation on which to increase your ability to investigate such incidents in your organization.

Related Content you might be interested in

Current Title:

Small book image
Digital Forensics and Incident Response
Gerard Johansen
Jul, 2017 | 324 pages
No titles found
Table of Contents (18 chapters)
Title Page
Title Page
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
Incident Response
Incident Response
The incident response process
The incident response framework
The incident response plan
The incident response playbook
Summary
2
Forensic Fundamentals
Forensic Fundamentals
Legal aspects
Digital forensic fundamentals
Summary
3
Network Evidence Collection
Network Evidence Collection
Preparation
Network device evidence
Packet capture
Evidence collection
Summary
4
Acquiring Host-Based Evidence
Acquiring Host-Based Evidence
Preparation
Evidence volatility
Evidence acquisition
Evidence collection procedures
Non-volatile data
Summary
5
Understanding Forensic Imaging
Understanding Forensic Imaging
Overview of forensic imaging
Preparing a stage drive
Imaging
Summary
6
Network Evidence Analysis
Network Evidence Analysis
Analyzing packet captures
Analyzing network log files
Summary
7
Analyzing System Memory
Analyzing System Memory
Memory evidence overview
Memory analysis
Summary
8
Analyzing System Storage
Analyzing System Storage
Forensic platforms
Summary
9
Forensic Reporting
Forensic Reporting
Documentation overview
Incident tracking
Written reports
Summary
10
Malware Analysis
Malware Analysis
Malware overview
Malware analysis overview
Analyzing malware
Dynamic analysis
Summary
11
Threat Intelligence
Threat Intelligence
Threat intelligence overview
Threat intelligence methodology
Threat intelligence direction
Threat intelligence sources
Threat intelligence platforms
Using threat intelligence
Summary

Chapter 3. Network Evidence Collection

The traditional focus of digital forensics has been to locate evidence on the host hard drive. Law enforcement officers interested in criminal activity such as fraud or child exploitation can find the vast majority of evidence required for prosecution on a single hard drive. In the realm of incident response though, it is critical that the focus goes far beyond a suspected compromised system. For example, there is a wealth of information to be obtained within the points along the flow of traffic from a compromised host to an external C2 server.

This chapter focuses on the preparation, identification, and collection of evidence that is commonly found among network devices and along the traffic routes within an internal network. This collection is critical during an incident where an external threat source is in the process of commanding internal systems or is in the process of pilfering data out of the network. Network-based evidence is also useful when...

Previous Section
End of Section 1
Next Section