Book Image

Digital Forensics and Incident Response

By : Gerard Johansen
Book Image

Digital Forensics and Incident Response

By: Gerard Johansen

Overview of this book

Digital Forensics and Incident Response will guide you through the entire spectrum of tasks associated with incident response, starting with preparatory activities associated with creating an incident response plan and creating a digital forensics capability within your own organization. You will then begin a detailed examination of digital forensic techniques including acquiring evidence, examining volatile memory, hard drive assessment, and network-based evidence. You will also explore the role that threat intelligence plays in the incident response process. Finally, a detailed section on preparing reports will help you prepare a written report for use either internally or in a courtroom. By the end of the book, you will have mastered forensic techniques and incident response and you will have a solid foundation on which to increase your ability to investigate such incidents in your organization.

Related Content you might be interested in

Current Title:

Small book image
Digital Forensics and Incident Response
Gerard Johansen
Jul, 2017 | 324 pages
No titles found
Table of Contents (18 chapters)
Title Page
Title Page
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
Incident Response
Incident Response
The incident response process
The incident response framework
The incident response plan
The incident response playbook
Summary
2
Forensic Fundamentals
Forensic Fundamentals
Legal aspects
Digital forensic fundamentals
Summary
3
Network Evidence Collection
Network Evidence Collection
Preparation
Network device evidence
Packet capture
Evidence collection
Summary
4
Acquiring Host-Based Evidence
Acquiring Host-Based Evidence
Preparation
Evidence volatility
Evidence acquisition
Evidence collection procedures
Non-volatile data
Summary
5
Understanding Forensic Imaging
Understanding Forensic Imaging
Overview of forensic imaging
Preparing a stage drive
Imaging
Summary
6
Network Evidence Analysis
Network Evidence Analysis
Analyzing packet captures
Analyzing network log files
Summary
7
Analyzing System Memory
Analyzing System Memory
Memory evidence overview
Memory analysis
Summary
8
Analyzing System Storage
Analyzing System Storage
Forensic platforms
Summary
9
Forensic Reporting
Forensic Reporting
Documentation overview
Incident tracking
Written reports
Summary
10
Malware Analysis
Malware Analysis
Malware overview
Malware analysis overview
Analyzing malware
Dynamic analysis
Summary
11
Threat Intelligence
Threat Intelligence
Threat intelligence overview
Threat intelligence methodology
Threat intelligence direction
Threat intelligence sources
Threat intelligence platforms
Using threat intelligence
Summary

Evidence volatility

Not all evidence on a host system is the same. Volatility is used to describe how data on a host system is maintained after changes such as log-offs or power shutdowns. Data that will be lost if the system is powered down is referred to as volatile data. Volatile data can be data in the CPU, routing table, or ARP cache. One of the most critical pieces of volatile evidence is the memory currently running on the system. When investigating such incidents as malware infections, the memory in a live system is of critical importance. Malware leaves a number of key pieces of evidence within the memory of a system and, if lost, can leave the incident response analyst with little or no avenue to investigate.

Non-volatile data is the data that is stored on a hard drive and will usually persist after shut down. Non-volatile data includes Master File Table (MFT) entries, registry information, and the actual files on the hard drive. While malware creates evidence in memory, there are...

Previous Section
End of Section 3
Next Section