Digital Forensics and Incident Response

By : Gerard Johansen
Overview of this book

Digital Forensics and Incident Response will guide you through the entire spectrum of tasks associated with incident response, starting with preparatory activities associated with creating an incident response plan and creating a digital forensics capability within your own organization. You will then begin a detailed examination of digital forensic techniques including acquiring evidence, examining volatile memory, hard drive assessment, and network-based evidence. You will also explore the role that threat intelligence plays in the incident response process. Finally, a detailed section on preparing reports will help you prepare a written report for use either internally or in a courtroom. By the end of the book, you will have mastered forensic techniques and incident response and you will have a solid foundation on which to increase your ability to investigate such incidents in your organization.

Preface

What this book covers

Chapter 1, Incident Response, addresses the incident response process and how to create an incident response framework for use within an enterprise, which allows for an orderly investigation and remediation of a cyber security incident.

Chapter 2, Forensics Fundamentals, focuses on the fundamental aspects of digital forensics. This includes a brief history of digital forensics, the basic elements of forensic science, and integrating these techniques into the incident response framework.

Chapter 3, Network Evidence Collection, focuses on network-based evidence. This includes logs from network devices such as firewalls, routers, proxy servers, and other layer 2 and 3 devices. The chapter also covers acquiring network-based evidence from these sources.

Chapter 4, Host-Based Evidence, addresses compromised hosts, which contain a good deal of forensically valuable information. In this chapter, the reader is guided through the process of using free tools to acquire running volatile memory, log files, and other evidence from a live system.

Chapter 5, Understanding Forensics Imaging, covers hard disk drives from compromised systems, which may contain a great deal of evidence. Furthermore, in cases of fraud or other cybercrimes, most of the valuable evidence is obtained from the HDD. As a result, proper acquisition of this evidence is critical, and doing so requires a forensically sound process. This chapter details the steps necessary to properly image a suspect HDD.

Chapter 6, Network Evidence Analysis, uses free tools such as tcpdump and Wireshark to guide the reader through the analysis process to identify evidence such as command and control traffic or data exfiltration. Readers are also guided through correlating firewall and proxy logs with packet captures.

Chapter 7, Analyzing System Memory, explores the methods for identifying potentially malicious code present within the memory of a compromised system. This includes using commonly available tools and methods to identify processes, network connections, and registry key settings associated with potentially malicious software.

Chapter 8, Analyzing System Storage, consists of an overview of several tools and methods available for extracting potential evidence from previously imaged HDDs. An examination of tools and methods is undertaken, but it should be noted that, due to the complexity and depth of digital forensic examination, this will serve only to highlight specific areas.

Chapter 9, Forensic Reporting, covers reporting the findings from an incident, a critical step that is often overlooked. In this chapter, the reader is guided through preparing a report for use by internal stakeholders and potential external legal entities. The end goal is to have a report prepared that can stand the scrutiny of a court of law.

Chapter 10, Malware Analysis, provides an overview of the methods that can be deployed for examining malware in a sandbox environment. This gives incident responders with reverse engineering skills an environment in which to deploy a suspected piece of malware for investigation.

Chapter 11, Threat Intelligence, covers threat intelligence, a relatively new concept in the information security space, and in particular in the incident response field. In this chapter, the reader is guided through a review of threat intelligence and how to incorporate it into their incident response framework and processes.

What you need for this book

The following software is required for this book:

  • EnCase Imager
  • F-Response
  • Rekall
  • Mandiant Redline
  • Autopsy
  • Wireshark
  • tcpdump
  • Volatility
  • Security Onion
  • FTK Imager
  • Winpmem
  • Eraser
  • CAINE OS, a Linux distribution for forensics purposes
  • Xplico and CapAnalysis
  • ELK stack
  • Fast Incident Response (FIR) platform
  • Pestudio
  • Remnux
  • Cuckoo Sandbox
  • Yara and Loki

The hardware and system requirements for these can be found on their respective websites. Most of this software is free, but F-Response is a paid product.

Who this book is for

This book is targeted at information security professionals, forensics practitioners, and students with knowledge of and experience in the use of software applications and basic command-line experience. It will also help professionals who are new to the incident response/digital forensics role within their organization.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning. Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: The constituency can be defined either as a domain such as local.example.com or an organization name such as Acme Inc. and associated subsidiary organizations.

A block of code is set as follows:

    rule PoisonIvy_Generic_3 {
        meta:
            description = "PoisonIvy RAT Generic Rule"
            author = "Florian Roth"
            date = "2015-05-14"
            hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"
        strings:
            $k1 = "Tiger324{" fullword ascii
        condition:
            $k1   // assumed: the excerpt stops after the strings section, so this condition and the closing brace are added to make the rule complete
    }

Any command-line input or output is written as follows:

caine@caine~$ tcpdump -D
caine@caine~$ sudo tcpdump -i ens33 -v

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "In order for F-Response to be able to acquire the necessary evidence, an agent has to be installed by right-clicking on the system and choosing Install/Start F-Response."

Note

Warnings or important notes appear like this

Note

Tips and tricks appear like this

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of. To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message. If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/DigitalForensicsandIncidentResponse_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title. To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy. Please contact us at [email protected] with a link to the suspected pirated material. We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.