You're reading from Digital Forensics and Incident Response Incident response tools and techniques for effective cyber threat response

Product type Paperback

Published in Dec 2022

Publisher Packt

ISBN-13 9781803238678

Length 532 pages

Edition 3rd Edition

Concepts

Forensics

Author (1):

Gerard Johansen

View More author details

Table of Contents (28) Chapters

Preface

1. Part 1: Foundations of Incident Response and Digital Forensics

2. Chapter 1: Understanding Incident Response FREE CHAPTER

3. Chapter 2: Managing Cyber Incidents

4. Chapter 3: Fundamentals of Digital Forensics

5. Chapter 4: Investigation Methodology

6. Part 2: Evidence Acquisition

7. Chapter 5: Collecting Network Evidence

8. Chapter 6: Acquiring Host-Based Evidence

9. Chapter 7: Remote Evidence Collection

10. Chapter 8: Forensic Imaging

11. Part 3: Evidence Analysis

12. Chapter 9: Analyzing Network Evidence

13. Chapter 10: Analyzing System Memory

14. Chapter 11: Analyzing System Storage

15. Chapter 12: Analyzing Log Files

16. Chapter 13: Writing the Incident Report

17. Part 4: Ransomware Incident Response

18. Chapter 14: Ransomware Preparation and Response

19. Chapter 15: Ransomware Investigations

20. Part 5: Threat Intelligence and Hunting

21. Chapter 16: Malware Analysis for Incident Response

22. Chapter 17: Leveraging Threat Intelligence

23. Chapter 18: Threat Hunting

24. Assessments

25. Index

Why subscribe?

26. Other Books You May Enjoy

Appendix

Wireshark

Wireshark is a Unix or Windows packet capture and analysis tool. Unlike tcpdump or tools such as RawCap, Wireshark is a GUI-based tool and includes not only packet capture but also analysis features. As a result, Wireshark may be difficult to deploy rapidly during an incident, as the program has to be installed. Furthermore, the tool is only supported on Windows or macOS. Installing Wireshark on a Linux system requires a bit more effort. The one distinct advantage that Wireshark has over command-line options is that incident response analysts can perform a detailed inspection of the traffic as it is being captured. Wireshark can be run on the system itself or on a USB drive. Once installed, it must be run as an administrator. To perform a packet capture with Wireshark, the following process is used: