You're reading from Digital Forensics and Incident Response Incident response tools and techniques for effective cyber threat response

Product type Paperback

Published in Dec 2022

Publisher Packt

ISBN-13 9781803238678

Length 532 pages

Edition 3rd Edition

Concepts

Forensics

Author (1):

Gerard Johansen

View More author details

Table of Contents (28) Chapters

Preface

1. Part 1: Foundations of Incident Response and Digital Forensics

2. Chapter 1: Understanding Incident Response FREE CHAPTER

3. Chapter 2: Managing Cyber Incidents

4. Chapter 3: Fundamentals of Digital Forensics

5. Chapter 4: Investigation Methodology

6. Part 2: Evidence Acquisition

7. Chapter 5: Collecting Network Evidence

8. Chapter 6: Acquiring Host-Based Evidence

9. Chapter 7: Remote Evidence Collection

10. Chapter 8: Forensic Imaging

11. Part 3: Evidence Analysis

12. Chapter 9: Analyzing Network Evidence

13. Chapter 10: Analyzing System Memory

14. Chapter 11: Analyzing System Storage

15. Chapter 12: Analyzing Log Files

16. Chapter 13: Writing the Incident Report

17. Part 4: Ransomware Incident Response

18. Chapter 14: Ransomware Preparation and Response

19. Chapter 15: Ransomware Investigations

20. Part 5: Threat Intelligence and Hunting

21. Chapter 16: Malware Analysis for Incident Response

22. Chapter 17: Leveraging Threat Intelligence

23. Chapter 18: Threat Hunting

24. Assessments

25. Index

Why subscribe?

26. Other Books You May Enjoy

Appendix

Evidence collection

In order to conduct a proper examination of log files and other network data such as packet captures, they often have to be moved from the log source and examined offline. As with any source of evidence, log files or packet captures have to be handled with due care to ensure that they are not corrupted or modified during the transfer. One simple solution is to transfer the evidence immediately to a USB drive or similar removable medium. From there, a hash can be created for the evidence prior to any examination.

The acquisition of network evidence such as a packet capture or a log file should be thoroughly documented. Incident response personnel may be acquiring log files and packet captures from several sources over the entire network. As a result, they should ensure that they can trace back every separate piece of evidence to its source, as well as the date and time that the evidence was collected. This can be recorded on a network evidence log sheet and entries...