Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Digital Forensics and Incident Response

You're reading from   Digital Forensics and Incident Response Incident response techniques and procedures to respond to modern cyber threats

Arrow left icon
Product type Paperback
Published in Jan 2020
Publisher
ISBN-13 9781838649005
Length 448 pages
Edition 2nd Edition
Languages
Concepts
Arrow right icon
Author (1):
Arrow left icon
Gerard Johansen Gerard Johansen
Author Profile Icon Gerard Johansen
Gerard Johansen
Arrow right icon
View More author details
Toc

Table of Contents (22) Chapters Close

Preface 1. Section 1: Foundations of Incident Response and Digital Forensics
2. Understanding Incident Response FREE CHAPTER 3. Managing Cyber Incidents 4. Fundamentals of Digital Forensics 5. Section 2: Evidence Acquisition
6. Collecting Network Evidence 7. Acquiring Host-Based Evidence 8. Forensic Imaging 9. Section 3: Analyzing Evidence
10. Analyzing Network Evidence 11. Analyzing System Memory 12. Analyzing System Storage 13. Analyzing Log Files 14. Writing the Incident Report 15. Section 4: Specialist Topics
16. Malware Analysis for Incident Response 17. Leveraging Threat Intelligence 18. Hunting for Threats 19. Assessment 20. Other Books You May Enjoy Appendix

What this book covers

Chapter 1, Understanding Incident Response, addresses the incident response process at a high level and explains how to craft an incident response framework within an enterprise. This framework allows the detailed and orderly investigation of an incident's root cause, the containment of the incident to lessen the impact, and finally, the remediation of damage to bring the enterprise back to a normal state.

Chapter 2, Managing Cyber Incidents, discusses the incident management framework, which provides a strategic construct for incident response. In this chapter, you will be guided through managing the incident. This includes tactical-level issues such as incident escalation, configuring an incident war room, crisis communication, and the technical aspects of bringing an organization back to normal.

Chapter 3, Fundamentals of Digital Forensics, focuses on the fundamental aspects of digital forensics. This includes an examination of the history of digital forensics, the basic elements of forensic science, and how these techniques are integrated into the incident response framework.

Chapter 4, Collecting Network Evidence, focuses on the acquisition of network-based evidence. This includes log files from network devices such as firewalls, routers, switches, proxy servers, and other network-layer devices. Other types of evidence such as packet captures will also be explored.

Chapter 5, Acquiring Host-Based Evidence, explains that compromised hosts are often the target of attacks, either as the direct target or as a pivot point into other areas of the network. Evidence from these systems is critical in determining root causes. This chapter focuses on the tools and techniques used to capture the volatile memory, log files, and other pertinent evidence.

Chapter 6, Forensic Imaging, explains that physical disk drives from compromised systems are a significant source of evidence. In order to ensure that this evidence is sound, it has to be acquired properly. This chapter focuses on the proper methods to image suspect hard disk drives (HDDs).

Chapter 7, Analyzing Network Evidence, shows how to use open source tools such as tcpdump, Wireshark, and Moloch. You will be guided through the analysis of network evidence to identify command and control channels or data exfiltration. This evidence will be further correlated with other network evidence, such as a network proxy or firewall logs and packet captures.

Chapter 8, Analyzing System Memory, through the use of several industry-standard tools, shows various methods for identifying malicious activity contained within the system memory. These include methods for identifying malicious processes, network connections, and other indicators associated with malware running on an infected system.

Chapter 9, Analyzing System Storage, is an overview of the tools and techniques available for extracting evidence from previously imaged HDDs. An overview of some of the methods available to examine a system's storage is explored, but it should be noted that due to the depth of this topic, this chapter will only highlight certain aspects.

Chapter 10, Analyzing Log Files, explores the various Windows OS logs that are created during legitimate and adversarial behavior. You will be shown methods to analyze log files with open source tools to examine security, system or application event logs, and to identify potential indicators of compromise.

Chapter 11, Writing the Incident Report, discusses crafting a written document that captures the actions of responders and their analysis, which is as critical as the investigation itself. This chapter focuses on preparing reports for key internal and external stakeholders, including potential legal entities. The end goal is to prepare a report that stands up to the scrutiny of a court of law.

Chapter 12, Malware Analysis for Incident Response, provides an overview of some of the tools and techniques that are deployed when examining malicious code. This includes static analysis techniques to identify key indicators, as well as dynamic analysis where the behavior of the malware is explored.

Chapter 13, Leveraging Threat Intelligence, explains that threat intelligence has become more and more important to incident response by providing details of the wider context of adversarial tactics, techniques, and procedures. This chapter will give you an understanding of threat intelligence and how it can be applied to the incident response process.

Chapter 14, Hunting for Threats, introduces a methodology that integrates digital forensics tools and techniques with threat intelligence to determine whether a network has been compromised. This chapter explores the methodology of threat hunting and how threat intelligence can facilitate hunting through the crafting of a threat hunt hypothesis and indicators to hunt for.

Chapter 15, Appendix, includes the most critical events that pertain to security and incident investigations and have been provided as a reference. There is a significant number of Windows Event Log types available to IT and security professionals.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image