Digital Forensics and Incident Response: Incident response tools and techniques for effective cyber threat response

Author(s): Gerard Johansen
Edition: 3
Publisher: Packt Publishing
Year: 2022

Language: English
Pages: 532
Tags: Digital Forensics, Incident Response

Cover
Title Page
Copyright
Contributors
Table of Contents
Preface
Part 1: Foundations of Incident Response and Digital Forensics
Chapter 1: Understanding Incident Response
The IR process
The role of digital forensics
The IR framework
The IR charter
CSIRT team
The IR plan
Incident classification
The IR playbook/handbook
Escalation process
Testing the IR framework
Summary
Questions
Further reading
Chapter 2: Managing Cyber Incidents
Engaging the incident response team
CSIRT engagement models
Investigating incidents
The CSIRT war room
Communications
Rotating staff
SOAR
Incorporating crisis communications
Internal communications
External communications
Public notification
Incorporating containment strategies
Getting back to normal – eradication, recovery, and post-incident activity
Summary
Questions
Further reading
Chapter 3: Fundamentals of Digital Forensics
An overview of forensic science
Locard’s exchange principle
Legal issues in digital forensics
Law and regulations
Rules of evidence
Forensic procedures in incident response
A brief history of digital forensics
The digital forensics process
The digital forensics lab
Summary
Questions
Further reading
Chapter 4: Investigation Methodology
An intrusion analysis case study: The Cuckoo’s Egg
Types of incident investigation analysis
Functional digital forensic investigation methodology
Identification and scoping
Collecting evidence
The initial event analysis
The preliminary correlation
Event normalization
Event deconfliction
The second correlation
The timeline
Kill chain analysis
Reporting
The cyber kill chain
The diamond model of intrusion analysis
Diamond model axioms
A combined diamond model and kill chain intrusion analysis
Attribution
Summary
Questions
Part 2: Evidence Acquisition
Chapter 5: Collecting Network Evidence
An overview of network evidence
Preparation
A network diagram
Configuration
Firewalls and proxy logs
Firewalls
Web application firewalls
Web proxy servers
NetFlow
Packet capture
tcpdump
WinPcap and RawCap
Wireshark
Evidence collection
Summary
Questions
Further reading
Chapter 6: Acquiring Host-Based Evidence
Preparation
Order of volatility
Evidence acquisition
Evidence collection procedures
Acquiring volatile memory
FTK Imager
WinPmem
RAM Capturer
Virtual systems
Acquiring non-volatile evidence
FTK obtaining protected files
The CyLR response tool
Kroll Artifact Parser and Extractor
Summary
Questions
Further reading
Chapter 7: Remote Evidence Collection
Enterprise incident response challenges
Endpoint detection and response
Velociraptor overview and deployment
Velociraptor server
Velociraptor Windows collector
Velociraptor scenarios
Velociraptor evidence collection
CyLR
WinPmem
Summary
Questions
Chapter 8: Forensic Imaging
Understanding forensic imaging
Image versus copy
Logical versus physical volumes
Types of image files
SSD versus HDD
Tools for imaging
Preparing a staging drive
Using write blockers
Imaging techniques
Dead imaging
Live imaging
Virtual systems
Linux imaging
Summary
Questions
Further reading
Part 3: Evidence Analysis
Chapter 9: Analyzing Network Evidence
Network evidence overview
Analyzing firewall and proxy logs
SIEM tools
The Elastic Stack
Analyzing NetFlow
Analyzing packet captures
Command-line tools
Real Intelligence Threat Analytics
NetworkMiner
Arkime
Wireshark
Summary
Questions
Further reading
Chapter 10: Analyzing System Memory
Memory analysis overview
Memory analysis methodology
SANS six-part methodology
Network connections methodology
Memory analysis tools
Memory analysis with Volatility
Volatility Workbench
Memory analysis with Strings
Installing Strings
Common Strings searches
Summary
Questions
Further reading
Chapter 11: Analyzing System Storage
Forensic platforms
Autopsy
Installing Autopsy
Starting a case
Adding evidence
Navigating Autopsy
Examining a case
Master File Table analysis
Prefetch analysis
Registry analysis
Summary
Questions
Further reading
Chapter 12: Analyzing Log Files
Logs and log management
Working with SIEMs
Splunk
Elastic Stack
Security Onion
Windows Logs
Windows Event Logs
Analyzing Windows Event Logs
Acquisition
Triage
Detailed Event Log analysis
Summary
Questions
Further reading
Chapter 13: Writing the Incident Report
Documentation overview
What to document
Types of documentation
Sources
Audience
Executive summary
Incident investigation report
Forensic report
Preparing the incident and forensic report
Note-taking
Report language
Summary
Questions
Further reading
Part 4: Ransomware Incident Response
Chapter 14: Ransomware Preparation and Response
History of ransomware
CryptoLocker
CryptoWall
CTB-Locker
TeslaCrypt
SamSam
Locky
WannaCry
Ryuk
Conti ransomware case study
Background
Operational disclosure
Tactics and techniques
Exfiltration
Impact
Proper ransomware preparation
Ransomware resiliency
Prepping the CSIRT
Eradication and recovery
Containment
Eradication
Recovery
Summary
Questions
Further reading
Chapter 15: Ransomware Investigations
Ransomware initial access and execution
Initial access
Execution
Discovering credential access and theft
ProcDump
Mimikatz
Investigating post-exploitation frameworks
Command and Control
Security Onion
RITA
Arkime
Investigating lateral movement techniques
Summary
Questions
Further reading
Part 5: Threat Intelligence and Hunting
Chapter 16: Malware Analysis for Incident Response
Malware analysis overview
Malware classification
Setting up a malware sandbox
Local sandbox
Cloud sandbox
Static analysis
Static properties analysis
Dynamic analysis
Process Explorer
Process Spawn Control
Automated analysis
ClamAV
YARA
YarGen
Summary
Questions
Further reading
Chapter 17: Leveraging Threat Intelligence
Threat intelligence overview
Threat intelligence types
The Pyramid of Pain
The threat intelligence methodology
Sourcing threat intelligence
Internally developed sources
Commercial sourcing
Open source intelligence
The MITRE ATT&CK framework
Working with IOCs and IOAs
Threat intelligence and incident response
Autopsy
Maltego
YARA and Loki
Summary
Questions
Further reading
Chapter 18: Threat Hunting
Threat hunting overview
Threat hunt cycle
Threat hunt reporting
Threat hunting maturity model
Crafting a hypothesis
MITRE ATT&CK
Planning a hunt
Digital forensic techniques for threat hunting
EDR for threat hunting
Summary
Questions
Further reading
Appendix
Assessments
Index
About Packt
Other Books You May Enjoy