Digital Forensics and Incident Response - Second Edition

By : Gerard Johansen

Digital Forensics and Incident Response - Second Edition

By: Gerard Johansen

Overview of this book

An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing your organization's infrastructure from attacks. This updated second edition will help you perform cutting-edge digital forensic activities and incident response. After focusing on the fundamentals of incident response that are critical to any information security team, you’ll move on to exploring the incident response framework. From understanding its importance to creating a swift and effective response to security incidents, the book will guide you with the help of useful examples. You’ll later get up to speed with digital forensic techniques, from acquiring evidence and examining volatile memory through to hard drive examination and network-based evidence. As you progress, you’ll discover the role that threat intelligence plays in the incident response process. You’ll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis, and demonstrate how you can proactively use your digital forensic skills in threat hunting. By the end of this book, you’ll have learned how to efficiently investigate and report unwanted security breaches and incidents in your organization.

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Section 1: Foundations of Incident Response and Digital Forensics

Free Chapter

Understanding Incident Response

The incident response process

The incident response framework

The incident response plan

The incident response playbook

Testing the incident response framework

Summary

Questions

Further reading

Managing Cyber Incidents

Engaging the incident response team

Incorporating crisis communications

Investigating incidents

Incorporating containment strategies

Getting back to normal – eradication and recovery

Summary

Questions

Further reading

Fundamentals of Digital Forensics

Legal aspects

Digital forensics fundamentals

Summary

Questions

Further reading

Section 2: Evidence Acquisition

Collecting Network Evidence

An overview of network evidence

Firewalls and proxy logs

NetFlow

Summary

Acquiring Host-Based Evidence

Preparation

Order of Volatility

Evidence acquisition

Acquiring volatile memory

Acquiring non-volatile evidence

Summary

Questions

Further reading

Forensic Imaging

Understanding forensic imaging

Imaging tools

Preparing a stage drive

Summary

Section 3: Analyzing Evidence

Analyzing Network Evidence

Network evidence overview

Analyzing firewall and proxy logs

Analyzing NetFlow

Analyzing packet captures

Summary

Questions

Further reading

Analyzing System Memory

Memory analysis overview

Memory analysis methodology

Memory analysis with Redline

Memory analysis with Volatility

Memory analysis with strings

Summary

Questions

Further reading

Analyzing System Storage

Autopsy

Summary

Analyzing Log Files

Logging and log management

Working with event management systems

Understanding Windows logs

Analyzing Windows event logs

Summary

Questions

Further reading

Writing the Incident Report

Documentation overview

Summary

Section 4: Specialist Topics

Malware Analysis for Incident Response

Malware classifications

Malware analysis overview

Summary

Leveraging Threat Intelligence

Understanding threat intelligence

Threat intelligence methodology

Threat intelligence sources

Threat intelligence platforms

Using threat intelligence

Summary

Questions

Further reading

Hunting for Threats

The threat hunting maturity model

Threat hunt cycle

MITRE ATT&CK

Threat hunt planning

Threat hunt reporting

Summary

Questions

Further reading

Assessment

Chapter 1: Understanding Incident Response

Chapter 2: Managing Cyber Incidents

Chapter 3: Fundamentals of Digital Forensics

Chapter 4: Collecting Network Evidence

Chapter 5: Acquiring Host-Based Evidence

Chapter 6: Forensic Imaging

Chapter 7: Analyzing Network Evidence

Chapter 8: Analyzing System Memory

Chapter 9: Analyzing System Storage

Chapter 10: Analyzing Log Files

Chapter 11: Writing the Incident Report

Chapter 12: Malware Analysis for Incident Response

Chapter 13: Leveraging Threat Intelligence

Chapter 14: Hunting for Threats

Other Books You May Enjoy

Leave a review - let other readers know what you think

Appendix

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Analyzing Network Evidence

Chapter 4, Collecting Network Evidence, explored how incident responders and security analysts are able to acquire network-based evidence for later evaluation. That chapter focused on two primary sources of that evidence, network log files and network packet captures. This chapter will show which tools and techniques are available to examine the evidence acquired. Incorporating these techniques into an incident response investigation can provide incident response analysts with insight into the network activity of possible threats. In this chapter, the following main topics will be addressed:

Network evidence overview: Adversaries are bound to the same network protocols that govern normal network traffic. Adversarial techniques that can be identified with the proper analysis of network data are addressed.
Analyzing firewall and proxy logs: Adversaries...

Digital Forensics and Incident Response - Second Edition

By : Gerard Johansen

Digital Forensics and Incident Response - Second Edition

By: Gerard Johansen

Overview of this book

Related Content you might be interested in

Current Title:

Digital Forensics and Incident Response - Second Edition