Book Image

Digital Forensics and Incident Response - Third Edition

By : Gerard Johansen
5 (1)
Book Image

Digital Forensics and Incident Response - Third Edition

5 (1)
By: Gerard Johansen

Overview of this book

An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing your organization’s infrastructure from attacks. This updated third edition will help you perform cutting-edge digital forensic activities and incident response with a new focus on responding to ransomware attacks. After covering the fundamentals of incident response that are critical to any information security team, you’ll explore incident response frameworks. From understanding their importance to creating a swift and effective response to security incidents, the book will guide you using examples. Later, you’ll cover digital forensic techniques, from acquiring evidence and examining volatile memory through to hard drive examination and network-based evidence. You’ll be able to apply these techniques to the current threat of ransomware. As you progress, you’ll discover the role that threat intelligence plays in the incident response process. You’ll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis and demonstrate how you can proactively use your digital forensic skills in threat hunting. By the end of this book, you’ll be able to investigate and report unwanted security breaches and incidents in your organization.

Related Content you might be interested in

Current Title:

Small book image
Digital Forensics and Incident Response - Third Edition
Gerard Johansen
Dec, 2022 | 532 pages
Small book image
Windows Forensics Analyst Field Guide
Muhiballah Mohammed
Oct, 2023 | 318 pages
Small book image
Incident Response Techniques for Ransomware Attacks
Oleg Skulkin
Apr, 2022 | 228 pages
Small book image
Digital Forensics with Kali Linux
Shiva V N Parasram
Apr, 2020 | 334 pages
Table of Contents (28 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share your thoughts
Download a free PDF copy of this book
1
Part 1: Foundations of Incident Response and Digital Forensics
Part 1: Foundations of Incident Response and Digital Forensics
Free Chapter
2
Chapter 1: Understanding Incident Response
Chapter 1: Understanding Incident Response
The IR process
The IR framework
The IR plan
The IR playbook/handbook
Testing the IR framework
Summary
Questions
Further reading
3
Chapter 2: Managing Cyber Incidents
Chapter 2: Managing Cyber Incidents
Engaging the incident response team
SOAR
Incorporating crisis communications
Incorporating containment strategies
Getting back to normal – eradication, recovery, and post-incident activity
Summary
Questions
Further reading
4
Chapter 3: Fundamentals of Digital Forensics
Chapter 3: Fundamentals of Digital Forensics
An overview of forensic science
Locard’s exchange principle
Legal issues in digital forensics
Forensic procedures in incident response
Summary
Questions
Further reading
5
Chapter 4: Investigation Methodology
Chapter 4: Investigation Methodology
An intrusion analysis case study: The Cuckoo’s Egg
Types of incident investigation analysis
Functional digital forensic investigation methodology
The cyber kill chain
The diamond model of intrusion analysis
Summary
Questions
6
Part 2: Evidence Acquisition
Part 2: Evidence Acquisition
7
Chapter 5: Collecting Network Evidence
Chapter 5: Collecting Network Evidence
An overview of network evidence
Firewalls and proxy logs
NetFlow
Packet capture
Wireshark
Evidence collection
Summary
Questions
Further reading
8
Chapter 6: Acquiring Host-Based Evidence
Chapter 6: Acquiring Host-Based Evidence
Preparation
Order of volatility
Evidence acquisition
Acquiring volatile memory
Acquiring non-volatile evidence
Summary
Questions
Further reading
9
Chapter 7: Remote Evidence Collection
Chapter 7: Remote Evidence Collection
Enterprise incident response challenges
Endpoint detection and response
Velociraptor overview and deployment
Velociraptor scenarios
Summary
Questions
10
Chapter 8: Forensic Imaging
Chapter 8: Forensic Imaging
Understanding forensic imaging
Tools for imaging
Preparing a staging drive
Using write blockers
Imaging techniques
Summary
Questions
Further reading
11
Part 3: Evidence Analysis
Part 3: Evidence Analysis
12
Chapter 9: Analyzing Network Evidence
Chapter 9: Analyzing Network Evidence
Network evidence overview
Analyzing firewall and proxy logs
Analyzing NetFlow
Analyzing packet captures
Summary
Questions
Further reading
13
Chapter 10: Analyzing System Memory
Chapter 10: Analyzing System Memory
Memory analysis overview
Memory analysis methodology
Memory analysis tools
Memory analysis with Strings
Summary
Questions
Further reading
14
Chapter 11: Analyzing System Storage
Chapter 11: Analyzing System Storage
Forensic platforms
Autopsy
Master File Table analysis
Prefetch analysis
Registry analysis
Summary
Questions
Further reading
15
Chapter 12: Analyzing Log Files
Chapter 12: Analyzing Log Files
Logs and log management
Working with SIEMs
Windows Logs
Analyzing Windows Event Logs
Summary
Questions
Further reading
16
Chapter 13: Writing the Incident Report
Chapter 13: Writing the Incident Report
Documentation overview
Executive summary
Incident investigation report
Forensic report
Preparing the incident and forensic report
Summary
Questions
Further reading
17
Part 4: Ransomware Incident Response
Part 4: Ransomware Incident Response
18
Chapter 14: Ransomware Preparation and Response
Chapter 14: Ransomware Preparation and Response
History of ransomware
Conti ransomware case study
Proper ransomware preparation
Eradication and recovery
Summary
Questions
Further reading
19
Chapter 15: Ransomware Investigations
Chapter 15: Ransomware Investigations
Ransomware initial access and execution
Discovering credential access and theft
Investigating post-exploitation frameworks
Command and Control
Investigating lateral movement techniques
Summary
Questions
Further reading
20
Part 5: Threat Intelligence and Hunting
Part 5: Threat Intelligence and Hunting
21
Chapter 16: Malware Analysis for Incident Response
Chapter 16: Malware Analysis for Incident Response
Malware analysis overview
Setting up a malware sandbox
Static analysis
Dynamic analysis
ClamAV
YARA
Summary
Questions
Further reading
22
Chapter 17: Leveraging Threat Intelligence
Chapter 17: Leveraging Threat Intelligence
Threat intelligence overview
Sourcing threat intelligence
The MITRE ATT&CK framework
Working with IOCs and IOAs
Threat intelligence and incident response
Summary
Questions
Further reading
23
Chapter 18: Threat Hunting
Chapter 18: Threat Hunting
Threat hunting overview
Crafting a hypothesis
Planning a hunt
Digital forensic techniques for threat hunting
EDR for threat hunting
Summary
Questions
Further reading
24
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
Chapter 18
25
Index
Index
Why subscribe?
26
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share your thoughts
Download a free PDF copy of this book
Appendix
Appendix

Understanding Incident Response

When examining threats to today’s information technology (IT), it seems overwhelming. From simple script kiddies using off-the-shelf code to nation-state adversary tools, it is critical to be prepared. For example, an internal employee can download a single instance of ransomware and that can have a significant impact on an organization. More complex attacks, such as a network exploitation attempt or a targeted data breach, increase the chaos that a security incident causes. Technical personnel will have their hands full attempting to determine which systems have been impacted and how they are being manipulated. They will also have to contend with addressing the possible loss of data through compromised systems. Adding to this chaotic situation are senior managers haranguing them for updates and an answer to the all-important questions: How did this happen? Was this a web server vulnerability or a phishing email that led to lateral movement? Management also wants to know: How bad is it? Is the damage limited to the web server or is a large portion of the network compromised?

Having the ability to properly respond to security incidents in an orderly and efficient manner allows organizations to both limit the damage of a potential cyber attack and also recover from the associated damage that is caused. To facilitate this orderly response, organizations of all sizes have looked at adding an incident response (IR) capability to their existing policies, procedures, and processes.

In order to build this capability within the organization, several key components must be addressed. First, organizations need to have a working knowledge of the IR process. This process outlines the general flow of an incident and general actions that are taken at each stage. Second, organizations need to have access to personnel who form the nucleus of any IR capability. Once a team is organized, a formalized plan and associated processes need to be created. This written plan and processes form an orderly structure that an organization can follow during an incident. Finally, with this framework in place, the plan must be continually evaluated, tested, and improved as new threats emerge. Utilizing this framework will position organizations to be prepared for the unfortunate reality that many organizations have already faced, an incident that compromises their security.

We will be covering the following topics in this chapter:

  • The IR process
  • The IR framework
  • The IR plan
  • The IR playbook/handbook
  • Testing the IR framework
Previous Section
End of Section 1
Next Section