Chapter 1, Understanding Incident Response, addresses the incident response process at a high level and explains how to craft an incident response framework within an enterprise. This framework allows the detailed and orderly investigation of an incident's root cause, the containment of the incident to lessen the impact, and finally, the remediation of damage to bring the enterprise back to a normal state.
Chapter 2, Managing Cyber Incidents, discusses the incident management framework, which provides a strategic construct for incident response. In this chapter, you will be guided through managing the incident. This includes tactical-level issues such as incident escalation, configuring an incident war room, crisis communication, and the technical aspects of bringing an organization back to normal.
Chapter 3, Fundamentals of Digital Forensics, focuses on the fundamental aspects of digital forensics. This includes an examination of the history of digital forensics, the basic elements of forensic science, and how these techniques are integrated into the incident response framework.
Chapter 4, Collecting Network Evidence, focuses on the acquisition of network-based evidence. This includes log files from network devices such as firewalls, routers, switches, proxy servers, and other network-layer devices. Other types of evidence such as packet captures will also be explored.
Chapter 5, Acquiring Host-Based Evidence, explains that compromised hosts are often the target of attacks, either as the direct target or as a pivot point into other areas of the network. Evidence from these systems is critical in determining root causes. This chapter focuses on the tools and techniques used to capture the volatile memory, log files, and other pertinent evidence.
Chapter 6, Forensic Imaging, explains that physical disk drives from compromised systems are a significant source of evidence. In order to ensure that this evidence is sound, it has to be acquired properly. This chapter focuses on the proper methods to image suspect hard disk drives (HDDs).
Chapter 7, Analyzing Network Evidence, shows how to use open source tools such as tcpdump, Wireshark, and Moloch. You will be guided through the analysis of network evidence to identify command and control channels or data exfiltration. This evidence will be further correlated with other network evidence, such as network proxy or firewall logs and packet captures.
Chapter 8, Analyzing System Memory, through the use of several industry-standard tools, shows various methods for identifying malicious activity contained within the system memory. These include methods for identifying malicious processes, network connections, and other indicators associated with malware running on an infected system.
Chapter 9, Analyzing System Storage, is an overview of the tools and techniques available for extracting evidence from previously imaged HDDs. Some of the methods available to examine a system's storage are explored, but it should be noted that, due to the depth of this topic, this chapter will only highlight certain aspects.
Chapter 10, Analyzing Log Files, explores the various Windows OS logs that are created during legitimate and adversarial behavior. You will be shown methods to analyze log files with open source tools to examine security, system or application event logs, and to identify potential indicators of compromise.
Chapter 11, Writing the Incident Report, discusses crafting a written document that captures the actions of responders and their analysis, which is as critical as the investigation itself. This chapter focuses on preparing reports for key internal and external stakeholders, including potential legal entities. The end goal is to prepare a report that stands up to the scrutiny of a court of law.
Chapter 12, Malware Analysis for Incident Response, provides an overview of some of the tools and techniques that are deployed when examining malicious code. This includes static analysis techniques to identify key indicators, as well as dynamic analysis where the behavior of the malware is explored.
Chapter 13, Leveraging Threat Intelligence, explains that threat intelligence has become more and more important to incident response by providing details of the wider context of adversarial tactics, techniques, and procedures. This chapter will give you an understanding of threat intelligence and how it can be applied to the incident response process.
Chapter 14, Hunting for Threats, introduces a methodology that integrates digital forensics tools and techniques with threat intelligence to determine whether a network has been compromised. This chapter explores the methodology of threat hunting and how threat intelligence can facilitate hunting through the crafting of a threat hunt hypothesis and indicators to hunt for.
Chapter 15, Appendix, is provided as a reference. There is a significant number of Windows Event Log types available to IT and security professionals; this appendix collects the most critical events that pertain to security and incident investigations.