Book Image

Digital Forensics and Incident Response - Second Edition

By : Gerard Johansen
Book Image

Digital Forensics and Incident Response - Second Edition

By: Gerard Johansen

Overview of this book

An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing your organization's infrastructure from attacks. This updated second edition will help you perform cutting-edge digital forensic activities and incident response. After focusing on the fundamentals of incident response that are critical to any information security team, you’ll move on to exploring the incident response framework. From understanding its importance to creating a swift and effective response to security incidents, the book will guide you with the help of useful examples. You’ll later get up to speed with digital forensic techniques, from acquiring evidence and examining volatile memory through to hard drive examination and network-based evidence. As you progress, you’ll discover the role that threat intelligence plays in the incident response process. You’ll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis, and demonstrate how you can proactively use your digital forensic skills in threat hunting. By the end of this book, you’ll have learned how to efficiently investigate and report unwanted security breaches and incidents in your organization.

Related Content you might be interested in

Current Title:

Small book image
Digital Forensics and Incident Response - Second Edition
Gerard Johansen
Jan, 2020 | 448 pages
No titles found
Table of Contents (22 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
1
Section 1: Foundations of Incident Response and Digital Forensics
Section 1: Foundations of Incident Response and Digital Forensics
Free Chapter
2
Understanding Incident Response
Understanding Incident Response
The incident response process
The incident response framework
The incident response plan
The incident response playbook
Testing the incident response framework
Summary
Questions
Further reading
3
Managing Cyber Incidents
Managing Cyber Incidents
Engaging the incident response team
Incorporating crisis communications
Investigating incidents
Incorporating containment strategies
Getting back to normal – eradication and recovery
Summary
Questions
Further reading
4
Fundamentals of Digital Forensics
Fundamentals of Digital Forensics
Legal aspects
Digital forensics fundamentals
Summary
Questions
Further reading
5
Section 2: Evidence Acquisition
Section 2: Evidence Acquisition
6
Collecting Network Evidence
Collecting Network Evidence
An overview of network evidence
Firewalls and proxy logs
NetFlow
Packet captures
Wireshark
Evidence collection
Summary
Questions
Further reading
7
Acquiring Host-Based Evidence
Acquiring Host-Based Evidence
Preparation
Order of Volatility
Evidence acquisition
Acquiring volatile memory
Acquiring non-volatile evidence
Summary
Questions
Further reading
8
Forensic Imaging
Forensic Imaging
Understanding forensic imaging
Imaging tools
Preparing a stage drive
Using write blockers
Imaging techniques
Summary
Questions
Further reading
9
Section 3: Analyzing Evidence
Section 3: Analyzing Evidence
10
Analyzing Network Evidence
Analyzing Network Evidence
Network evidence overview
Analyzing firewall and proxy logs
Analyzing NetFlow
Analyzing packet captures
Summary
Questions
Further reading
11
Analyzing System Memory
Analyzing System Memory
Memory analysis overview
Memory analysis methodology
Memory analysis with Redline
Memory analysis with Volatility
Memory analysis with strings
Summary
Questions
Further reading
12
Analyzing System Storage
Analyzing System Storage
Forensic platforms
Autopsy
MFT analysis
Registry analysis
Summary
Questions
Further reading
13
Analyzing Log Files
Analyzing Log Files
Logging and log management
Working with event management systems
Understanding Windows logs
Analyzing Windows event logs
Summary
Questions
Further reading
14
Writing the Incident Report
Writing the Incident Report
Documentation overview
Incident tracking
Written reports
Summary
Questions
Further reading
15
Section 4: Specialist Topics
Section 4: Specialist Topics
16
Malware Analysis for Incident Response
Malware Analysis for Incident Response
Malware classifications
Malware analysis overview
Analyzing malware
Dynamic analysis
Summary
Questions
Further reading
17
Leveraging Threat Intelligence
Leveraging Threat Intelligence
Understanding threat intelligence
Threat intelligence methodology
Threat intelligence sources
Threat intelligence platforms
Using threat intelligence
Summary
Questions
Further reading
18
Hunting for Threats
Hunting for Threats
The threat hunting maturity model
Threat hunt cycle
MITRE ATT&CK
Threat hunt planning
Threat hunt reporting
Summary
Questions
Further reading
19
Assessment
Assessment
Chapter 1: Understanding Incident Response
Chapter 2: Managing Cyber Incidents
Chapter 3: Fundamentals of Digital Forensics
Chapter 4: Collecting Network Evidence
Chapter 5: Acquiring Host-Based Evidence
Chapter 6: Forensic Imaging
Chapter 7: Analyzing Network Evidence
Chapter 8: Analyzing System Memory
Chapter 9: Analyzing System Storage
Chapter 10: Analyzing Log Files
Chapter 11: Writing the Incident Report
Chapter 12: Malware Analysis for Incident Response
Chapter 13: Leveraging Threat Intelligence
Chapter 14: Hunting for Threats
20
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Appendix
Appendix

Evidence collection

In order to conduct a proper examination of log files and other network data such as packet captures, they often have to be moved from the log source and examined offline. As with any source of evidence, log files or packet captures have to be handled with due care to ensure that they are not corrupted or modified during the transfer. One simple solution is to transfer the evidence immediately to a USB drive or similar removable medium. From there, a hash can be created for the evidence prior to any examination.

The acquisition of network evidence such as a packet capture or log file should be thoroughly documented. Incident response personnel may be acquiring log files and packet captures from a number of sources over the entire network. As a result, they should ensure that they can trace back every separate piece of evidence to its source as well as the...

Previous Section
End of Section 7
Next Section