Digital forensics and incident response : incident response techniques and procedures to respond to modern cyber threats

Cover
Title Page
Copyright and Credits
About Packt
Contributors
Table of Contents
Preface
Section 1: Foundations of Incident Response and Digital Forensics
Chapter 1: Understanding Incident Response
	The incident response process
		The role of digital forensics
	The incident response framework
		The incident response charter
		CSIRT
			CSIRT core team
			Technical support personnel
			Organizational support personnel
			External resources
	The incident response plan
		Incident classification
	The incident response playbook
		Escalation procedures
	Testing the incident response framework
	Summary
	Questions
	Further reading
Chapter 2: Managing Cyber Incidents
	Engaging the incident response team
		CSIRT models
			Security Operations Center escalation
			SOC and CSIRT combined
			CSIRT fusion center
		The war room
		Communications
		Staff rotation
	Incorporating crisis communications
		Internal communications
		External communications
		Public notification
	Investigating incidents
	Incorporating containment strategies
	Getting back to normal – eradication and recovery
		Eradication strategies
		Recovery strategies
	Summary
	Questions
	Further reading
Chapter 3: Fundamentals of Digital Forensics
	Legal aspects
		Laws and regulations
			Rules of evidence
	Digital forensics fundamentals
		A brief history
		The digital forensics process
			Identification
			Preservation
			Collection
				Proper evidence handling
				Chain of custody
			Examination
			Analysis
			Presentation
		Digital forensic lab
			Physical security
			Tools
				Hardware
				Software
				Linux forensic tools
				Jump kits
	Summary
	Questions
	Further reading
Section 2: Evidence Acquisition
Chapter 4: Collecting Network Evidence
	An overview of network evidence
		Preparation
		Network diagram
		Configuration
	Firewalls and proxy logs
		Firewalls
		Web proxy server
	NetFlow
	Packet captures
		tcpdump
		WinPcap and RawCap
	Wireshark
	Evidence collection
	Summary
	Questions
	Further reading
Chapter 5: Acquiring Host-Based Evidence
	Preparation
	Order of volatility
	Evidence acquisition
		Evidence collection procedures
	Acquiring volatile memory
		Local acquisition
			FTK Imager
			Winpmem
			RAM Capturer
		Remote acquisition
			Winpmem
			Virtual machines
	Acquiring non-volatile evidence
		CyLR.exe
		Checking for encryption
	Summary
	Questions
	Further reading
Chapter 6: Forensic Imaging
	Understanding forensic imaging
	Imaging tools
	Preparing a stage drive
	Using write blockers
	Imaging techniques
		Dead imaging
			Imaging using FTK Imager
		Live imaging
		Remote memory acquisition
			WinPmem
			F-Response
		Virtual machines
			Linux imaging
	Summary
	Questions
	Further reading
Section 3: Analyzing Evidence
Chapter 7: Analyzing Network Evidence
	Network evidence overview
	Analyzing firewall and proxy logs
		DNS blacklists
		SIEM tools
		The Elastic Stack
	Analyzing NetFlow
	Analyzing packet captures
		Command-line tools
		Moloch
		Wireshark
	Summary
	Questions
	Further reading
Chapter 8: Analyzing System Memory
	Memory analysis overview
	Memory analysis methodology
		SANS six-part methodology
		Network connections methodology
		Memory analysis tools
	Memory analysis with Redline
		Redline analysis process
		Redline process analysis
	Memory analysis with Volatility
		Installing Volatility
		Working with Volatility
		Volatility image information
		Volatility process analysis
			Process list
			Process scan
			Process tree
			DLL list
			Handles plugin
			LDR modules
			Process xview
		Volatility network analysis
			connscan
		Volatility evidence extraction
			Memory dump
			DLL file dump
			Executable dump
	Memory analysis with strings
		Installing Strings
		IP address search
		HTTP Search
	Summary
	Questions
	Further reading
Chapter 9: Analyzing System Storage
	Forensic platforms
	Autopsy
		Installing Autopsy
		Opening a case
		Navigating Autopsy
		Examining a case
			Web artifacts
			Email
			Attached devices
			Deleted files
			Keyword searches
			Timeline analysis
	MFT analysis
	Registry analysis
	Summary
	Questions
	Further reading
Chapter 10: Analyzing Log Files
	Logging and log management
	Working with event management systems
		Security Onion
		Elastic Stack
	Understanding Windows logs
	Analyzing Windows event logs
		Acquisition
		Triage
		Analysis
			Event Log Explorer
			Analyzing logs with Skadi
	Summary
	Questions
	Further reading
Chapter 11: Writing the Incident Report
	Documentation overview
		What to document
		Types of documentation
		Sources
		Audience
	Incident tracking
		Fast Incident Response
	Written reports
		Executive summary
		Incident report
		Forensic report
	Summary
	Questions
	Further reading
Section 4: Specialist Topics
Chapter 12: Malware Analysis for Incident Response
	Malware classifications
	Malware analysis overview
		Static analysis
		Dynamic analysis
	Analyzing malware
		Static analysis
			ClamAV
			PeStudio
			REMnux
			YARA
	Dynamic analysis
		Malware sandbox
		Process Explorer
			Process Spawn Control
		Cuckoo Sandbox
	Summary
	Questions
	Further reading
Chapter 13: Leveraging Threat Intelligence
	Understanding threat intelligence
		Threat intelligence types
		Pyramid of pain
	Threat intelligence methodology
		Threat intelligence direction
			Cyber kill chain
			Diamond model
	Threat intelligence sources
		Internally developed sources
		Commercial sourcing
		Open source
	Threat intelligence platforms
		MISP threat sharing
	Using threat intelligence
		Proactive threat intelligence
		Reactive threat intelligence
			Autopsy
			Adding IOCs to Redline
			Yara and Loki
	Summary
	Questions
	Further reading
Chapter 14: Hunting for Threats
	The threat hunting maturity model
	Threat hunt cycle
		Initiating event
		Creating a working hypothesis
		Leveraging threat intelligence
		Applying forensic techniques
		Identifying new indicators
		Enriching the existing hypothesis
	MITRE ATT&CK
	Threat hunt planning
	Threat hunt reporting
	Summary
	Questions
	Further reading
Appendix
Assessment
Other Books You May Enjoy
Index