Digital Forensics and Incident Response - Second Edition

By : Gerard Johansen

Digital Forensics and Incident Response - Second Edition

By: Gerard Johansen

Overview of this book

An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing your organization's infrastructure from attacks. This updated second edition will help you perform cutting-edge digital forensic activities and incident response. After focusing on the fundamentals of incident response that are critical to any information security team, you’ll move on to exploring the incident response framework. From understanding its importance to creating a swift and effective response to security incidents, the book will guide you with the help of useful examples. You’ll later get up to speed with digital forensic techniques, from acquiring evidence and examining volatile memory through to hard drive examination and network-based evidence. As you progress, you’ll discover the role that threat intelligence plays in the incident response process. You’ll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis, and demonstrate how you can proactively use your digital forensic skills in threat hunting. By the end of this book, you’ll have learned how to efficiently investigate and report unwanted security breaches and incidents in your organization.

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Section 1: Foundations of Incident Response and Digital Forensics

Free Chapter

Understanding Incident Response

The incident response process

The incident response framework

The incident response plan

The incident response playbook

Testing the incident response framework

Summary

Questions

Further reading

Managing Cyber Incidents

Engaging the incident response team

Incorporating crisis communications

Investigating incidents

Incorporating containment strategies

Getting back to normal – eradication and recovery

Summary

Questions

Further reading

Fundamentals of Digital Forensics

Legal aspects

Digital forensics fundamentals

Summary

Questions

Further reading

Section 2: Evidence Acquisition

Collecting Network Evidence

An overview of network evidence

Firewalls and proxy logs

NetFlow

Summary

Acquiring Host-Based Evidence

Preparation

Order of Volatility

Evidence acquisition

Acquiring volatile memory

Acquiring non-volatile evidence

Summary

Questions

Further reading

Forensic Imaging

Understanding forensic imaging

Imaging tools

Preparing a stage drive

Summary

Section 3: Analyzing Evidence

Analyzing Network Evidence

Network evidence overview

Analyzing firewall and proxy logs

Analyzing NetFlow

Analyzing packet captures

Summary

Questions

Further reading

Analyzing System Memory

Memory analysis overview

Memory analysis methodology

Memory analysis with Redline

Memory analysis with Volatility

Memory analysis with strings

Summary

Questions

Further reading

Analyzing System Storage

Autopsy

Summary

Analyzing Log Files

Logging and log management

Working with event management systems

Understanding Windows logs

Analyzing Windows event logs

Summary

Questions

Further reading

Writing the Incident Report

Documentation overview

Summary

Section 4: Specialist Topics

Malware Analysis for Incident Response

Malware classifications

Malware analysis overview

Summary

Leveraging Threat Intelligence

Understanding threat intelligence

Threat intelligence methodology

Threat intelligence sources

Threat intelligence platforms

Using threat intelligence

Summary

Questions

Further reading

Hunting for Threats

The threat hunting maturity model

Threat hunt cycle

MITRE ATT&CK

Threat hunt planning

Threat hunt reporting

Summary

Questions

Further reading

Assessment

Chapter 1: Understanding Incident Response

Chapter 2: Managing Cyber Incidents

Chapter 3: Fundamentals of Digital Forensics

Chapter 4: Collecting Network Evidence

Chapter 5: Acquiring Host-Based Evidence

Chapter 6: Forensic Imaging

Chapter 7: Analyzing Network Evidence

Chapter 8: Analyzing System Memory

Chapter 9: Analyzing System Storage

Chapter 10: Analyzing Log Files

Chapter 11: Writing the Incident Report

Chapter 12: Malware Analysis for Incident Response

Chapter 13: Leveraging Threat Intelligence

Chapter 14: Hunting for Threats

Other Books You May Enjoy

Leave a review - let other readers know what you think

Appendix

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Investigating incidents

The lion's share of this volume addresses the various methods that can be leveraged when investigating an incident. The primary goal of the CSIRT is to utilize methods that follow a systems analysis to address the following key facets of an incident:

Identifying the scope: In some incidents, the actual scope may not be clearly defined at the initial detection stage. For example, an organization may be contacted by a law enforcement agency that has indicated a C2 server has been taken down. During an analysis of that system, the external IP address of the organization has been identified. From this data point, the scope is first defined as the entire network. From here, the CSIRT would analyze data from the firewall or web proxy, to identify the internal systems that were found to be communicating with the C2 server. From this data, they would narrow...

Digital Forensics and Incident Response - Second Edition

By : Gerard Johansen

Digital Forensics and Incident Response - Second Edition

By: Gerard Johansen

Overview of this book

Related Content you might be interested in

Current Title:

Digital Forensics and Incident Response - Second Edition