Digital Forensics and Incident Response - Third Edition

Book description

Incident response tools and techniques for effective cyber threat response

Key Features

  • Create a solid incident response framework and manage cyber incidents effectively
  • Learn to apply digital forensics tools and techniques to investigate cyber threats
  • Explore the real-world threat of ransomware and apply proper incident response techniques for investigation and recovery

Book Description

An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing your organization’s infrastructure from attacks. This updated third edition will help you perform cutting-edge digital forensic activities and incident response with a new focus on responding to ransomware attacks.

After covering the fundamentals of incident response that are critical to any information security team, you’ll explore incident response frameworks. From understanding their importance to creating a swift and effective response to security incidents, the book will guide you using examples. Later, you’ll cover digital forensic techniques, from acquiring evidence and examining volatile memory through to hard drive examination and network-based evidence. You’ll be able to apply these techniques to the current threat of ransomware. As you progress, you’ll discover the role that threat intelligence plays in the incident response process. You’ll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis and demonstrate how you can proactively use your digital forensic skills in threat hunting.

By the end of this book, you’ll be able to investigate and report unwanted security breaches and incidents in your organization.

What you will learn

  • Create and deploy an incident response capability within your own organization
  • Perform proper evidence acquisition and handling
  • Analyze the evidence collected and determine the root cause of a security incident
  • Integrate digital forensic techniques and procedures into the overall incident response process
  • Understand different techniques for threat hunting
  • Write incident reports that document the key findings of your analysis
  • Apply incident response practices to ransomware attacks
  • Leverage cyber threat intelligence to augment digital forensics findings

Who this book is for

This book is for cybersecurity and information security professionals who want to implement digital forensics and incident response in their organizations. You’ll also find the book helpful if you’re new to the concept of digital forensics and looking to get started with the fundamentals. A basic understanding of operating systems and some knowledge of networking fundamentals are required to get started with this book.

Table of contents

  1. Contributors
    1. About the author
    2. About the reviewer
  2. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share your thoughts
    8. Download a free PDF copy of this book
  3. Part 1: Foundations of Incident Response and Digital Forensics
  4. Chapter 1: Understanding Incident Response
    1. The IR process
      1. The role of digital forensics
    2. The IR framework
      1. The IR charter
      2. CSIRT team
    3. The IR plan
      1. Incident classification
    4. The IR playbook/handbook
      1. Escalation process
    5. Testing the IR framework
    6. Summary
    7. Questions
    8. Further reading
  5. Chapter 2: Managing Cyber Incidents
    1. Engaging the incident response team
      1. CSIRT engagement models
      2. Investigating incidents
      3. The CSIRT war room
      4. Communications
      5. Rotating staff
    2. SOAR
    3. Incorporating crisis communications
      1. Internal communications
      2. External communications
      3. Public notification
    4. Incorporating containment strategies
    5. Getting back to normal – eradication, recovery, and post-incident activity
    6. Summary
    7. Questions
    8. Further reading
  6. Chapter 3: Fundamentals of Digital Forensics
    1. An overview of forensic science
    2. Locard’s exchange principle
    3. Legal issues in digital forensics
      1. Law and regulations
      2. Rules of evidence
    4. Forensic procedures in incident response
      1. A brief history of digital forensics
      2. The digital forensics process
      3. The digital forensics lab
    5. Summary
    6. Questions
    7. Further reading
  7. Chapter 4: Investigation Methodology
    1. An intrusion analysis case study: The Cuckoo’s Egg
    2. Types of incident investigation analysis
    3. Functional digital forensic investigation methodology
      1. Identification and scoping
      2. Collecting evidence
      3. The initial event analysis
      4. The preliminary correlation
      5. Event normalization
      6. Event deconfliction
      7. The second correlation
      8. The timeline
      9. Kill chain analysis
      10. Reporting
    4. The cyber kill chain
    5. The diamond model of intrusion analysis
      1. Diamond model axioms
      2. A combined diamond model and kill chain intrusion analysis
      3. Attribution
    6. Summary
    7. Questions
  8. Part 2: Evidence Acquisition
  9. Chapter 5: Collecting Network Evidence
    1. An overview of network evidence
      1. Preparation
      2. A network diagram
      3. Configuration
    2. Firewalls and proxy logs
      1. Firewalls
      2. Web application firewalls
      3. Web proxy servers
    3. NetFlow
    4. Packet capture
      1. tcpdump
      2. WinPcap and RawCap
    5. Wireshark
    6. Evidence collection
    7. Summary
    8. Questions
    9. Further reading
  10. Chapter 6: Acquiring Host-Based Evidence
    1. Preparation
    2. Order of volatility
    3. Evidence acquisition
      1. Evidence collection procedures
    4. Acquiring volatile memory
      1. FTK Imager
      2. WinPmem
      3. RAM Capturer
      4. Virtual systems
    5. Acquiring non-volatile evidence
      1. FTK obtaining protected files
      2. The CyLR response tool
      3. Kroll Artifact Parser and Extractor
    6. Summary
    7. Questions
    8. Further reading
  11. Chapter 7: Remote Evidence Collection
    1. Enterprise incident response challenges
    2. Endpoint detection and response
    3. Velociraptor overview and deployment
      1. Velociraptor server
      2. Velociraptor Windows collector
    4. Velociraptor scenarios
      1. Velociraptor evidence collection
      2. CyLR
      3. WinPmem
    5. Summary
    6. Questions
  12. Chapter 8: Forensic Imaging
    1. Understanding forensic imaging
      1. Image versus copy
      2. Logical versus physical volumes
      3. Types of image files
      4. SSD versus HDD
    2. Tools for imaging
    3. Preparing a staging drive
    4. Using write blockers
    5. Imaging techniques
      1. Dead imaging
      2. Live imaging
      3. Virtual systems
      4. Linux imaging
    6. Summary
    7. Questions
    8. Further reading
  13. Part 3: Evidence Analysis
  14. Chapter 9: Analyzing Network Evidence
    1. Network evidence overview
    2. Analyzing firewall and proxy logs
      1. SIEM tools
      2. The Elastic Stack
    3. Analyzing NetFlow
    4. Analyzing packet captures
      1. Command-line tools
      2. Real Intelligence Threat Analytics
      3. NetworkMiner
      4. Arkime
      5. Wireshark
    5. Summary
    6. Questions
    7. Further reading
  15. Chapter 10: Analyzing System Memory
    1. Memory analysis overview
    2. Memory analysis methodology
      1. SANS six-part methodology
      2. Network connections methodology
    3. Memory analysis tools
      1. Memory analysis with Volatility
      2. Volatility Workbench
    4. Memory analysis with Strings
      1. Installing Strings
      2. Common Strings searches
    5. Summary
    6. Questions
    7. Further reading
  16. Chapter 11: Analyzing System Storage
    1. Forensic platforms
    2. Autopsy
      1. Installing Autopsy
      2. Starting a case
      3. Adding evidence
      4. Navigating Autopsy
      5. Examining a case
    3. Master File Table analysis
    4. Prefetch analysis
    5. Registry analysis
    6. Summary
    7. Questions
    8. Further reading
  17. Chapter 12: Analyzing Log Files
    1. Logs and log management
    2. Working with SIEMs
      1. Splunk
      2. Elastic Stack
      3. Security Onion
    3. Windows Logs
      1. Windows Event Logs
    4. Analyzing Windows Event Logs
      1. Acquisition
      2. Triage
      3. Detailed Event Log analysis
    5. Summary
    6. Questions
    7. Further reading
  18. Chapter 13: Writing the Incident Report
    1. Documentation overview
      1. What to document
      2. Types of documentation
      3. Sources
      4. Audience
    2. Executive summary
    3. Incident investigation report
    4. Forensic report
    5. Preparing the incident and forensic report
      1. Note-taking
      2. Report language
    6. Summary
    7. Questions
    8. Further reading
  19. Part 4: Ransomware Incident Response
  20. Chapter 14: Ransomware Preparation and Response
    1. History of ransomware
      1. CryptoLocker
      2. CryptoWall
      3. CTB-Locker
      4. TeslaCrypt
      5. SamSam
      6. Locky
      7. WannaCry
      8. Ryuk
    2. Conti ransomware case study
      1. Background
      2. Operational disclosure
      3. Tactics and techniques
      4. Exfiltration
      5. Impact
    3. Proper ransomware preparation
      1. Ransomware resiliency
      2. Prepping the CSIRT
    4. Eradication and recovery
      1. Containment
      2. Eradication
      3. Recovery
    5. Summary
    6. Questions
    7. Further reading
  21. Chapter 15: Ransomware Investigations
    1. Ransomware initial access and execution
      1. Initial access
      2. Execution
    2. Discovering credential access and theft
      1. ProcDump
      2. Mimikatz
    3. Investigating post-exploitation frameworks
    4. Command and Control
      1. Security Onion
      2. RITA
      3. Arkime
    5. Investigating lateral movement techniques
    6. Summary
    7. Questions
    8. Further reading
  22. Part 5: Threat Intelligence and Hunting
  23. Chapter 16: Malware Analysis for Incident Response
    1. Malware analysis overview
      1. Malware classification
    2. Setting up a malware sandbox
      1. Local sandbox
      2. Cloud sandbox
    3. Static analysis
      1. Static properties analysis
    4. Dynamic analysis
      1. Process Explorer
      2. Process Spawn Control
      3. Automated analysis
    5. ClamAV
    6. YARA
      1. YarGen
    7. Summary
    8. Questions
    9. Further reading
  24. Chapter 17: Leveraging Threat Intelligence
    1. Threat intelligence overview
      1. Threat intelligence types
      2. The Pyramid of Pain
      3. The threat intelligence methodology
    2. Sourcing threat intelligence
      1. Internally developed sources
      2. Commercial sourcing
      3. Open source intelligence
    3. The MITRE ATT&CK framework
    4. Working with IOCs and IOAs
    5. Threat intelligence and incident response
      1. Autopsy
      2. Maltego
      3. YARA and Loki
    6. Summary
    7. Questions
    8. Further reading
  25. Chapter 18: Threat Hunting
    1. Threat hunting overview
      1. Threat hunt cycle
      2. Threat hunt reporting
      3. Threat hunting maturity model
    2. Crafting a hypothesis
      1. MITRE ATT&CK
    3. Planning a hunt
    4. Digital forensic techniques for threat hunting
    5. EDR for threat hunting
    6. Summary
    7. Questions
    8. Further reading
  26. Appendix
  27. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
    16. Chapter 16
    17. Chapter 17
    18. Chapter 18
  28. Index
    1. Why subscribe?
  29. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share your thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Digital Forensics and Incident Response - Third Edition
  • Author(s): Gerard Johansen
  • Release date: December 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781803238678