Imperial Library
Index

  • Title Page
  • Copyright and Credits
    • Digital Forensics and Incident Response, Second Edition
  • About Packt
    • Why subscribe?
  • Contributors
    • About the author
    • About the reviewer
    • Packt is searching for authors like you
  • Preface
    • Who this book is for
    • What this book covers
    • To get the most out of this book
      • Download the color images
      • Conventions used
    • Get in touch
      • Reviews
  • Section 1: Foundations of Incident Response and Digital Forensics
    • Understanding Incident Response
      • The incident response process
        • The role of digital forensics
      • The incident response framework
        • The incident response charter
        • CSIRT
          • CSIRT core team
          • Technical support personnel
          • Organizational support personnel
          • External resources
      • The incident response plan
        • Incident classification
      • The incident response playbook
        • Escalation procedures
      • Testing the incident response framework
      • Summary
      • Questions
      • Further reading
    • Managing Cyber Incidents
      • Engaging the incident response team
        • CSIRT models
          • Security Operations Center escalation
          • SOC and CSIRT combined
          • CSIRT fusion center
        • The war room
        • Communications
        • Staff rotation
      • Incorporating crisis communications
        • Internal communications
        • External communications
        • Public notification
      • Investigating incidents
      • Incorporating containment strategies
      • Getting back to normal – eradication and recovery
        • Eradication strategies
        • Recovery strategies
      • Summary
      • Questions
      • Further reading
    • Fundamentals of Digital Forensics
      • Legal aspects
        • Laws and regulations
        • Rules of evidence
      • Digital forensics fundamentals
        • A brief history
        • The digital forensics process
          • Identification
          • Preservation
          • Collection
            • Proper evidence handling
            • Chain of custody
          • Examination
          • Analysis
          • Presentation
      • Digital forensics lab
        • Physical security
        • Tools
          • Hardware
          • Software
          • Linux forensic tools
          • Jump kits
      • Summary
      • Questions
      • Further reading
  • Section 2: Evidence Acquisition
    • Collecting Network Evidence
      • An overview of network evidence
        • Preparation
        • Network diagram
        • Configuration
      • Firewalls and proxy logs
        • Firewalls
        • Web proxy server
      • NetFlow
      • Packet captures
        • tcpdump
        • WinPcap and RawCap
        • Wireshark
      • Evidence collection
      • Summary
      • Questions
      • Further reading
    • Acquiring Host-Based Evidence
      • Preparation
      • Order of Volatility
      • Evidence acquisition
        • Evidence collection procedures
      • Acquiring volatile memory
        • Local acquisition
          • FTK Imager
          • WinPmem
          • RAM Capturer
        • Remote acquisition
          • WinPmem
          • Virtual machines
      • Acquiring non-volatile evidence
        • CyLR.exe
        • Checking for encryption
      • Summary
      • Questions
      • Further reading
    • Forensic Imaging
      • Understanding forensic imaging
      • Imaging tools
      • Preparing a stage drive
      • Using write blockers
      • Imaging techniques
        • Dead imaging
          • Imaging using FTK Imager
        • Live imaging
        • Remote memory acquisition
          • WinPmem
          • F-Response
        • Virtual machines
        • Linux imaging
      • Summary
      • Questions
      • Further reading
  • Section 3: Analyzing Evidence
    • Analyzing Network Evidence
      • Network evidence overview
      • Analyzing firewall and proxy logs
        • DNS blacklists
        • SIEM tools
        • The Elastic Stack
      • Analyzing NetFlow
      • Analyzing packet captures
        • Command-line tools
        • Moloch
        • Wireshark
      • Summary
      • Questions
      • Further reading
    • Analyzing System Memory
      • Memory analysis overview
      • Memory analysis methodology
        • SANS six-part methodology
        • Network connections methodology
        • Memory analysis tools
      • Memory analysis with Redline
        • Redline analysis process
        • Redline process analysis
      • Memory analysis with Volatility
        • Installing Volatility
        • Working with Volatility
        • Volatility image information
        • Volatility process analysis
          • Process list
          • Process scan
          • Process tree
          • DLL list
          • The handles plugin
          • LDR modules
          • Process xview
        • Volatility network analysis
          • connscan
        • Volatility evidence extraction
          • Memory dump
          • DLL file dump
          • Executable dump
      • Memory analysis with strings
        • Installing Strings
        • IP address search
        • HTTP search
      • Summary
      • Questions
      • Further reading
    • Analyzing System Storage
      • Forensic platforms
      • Autopsy
        • Installing Autopsy
        • Opening a case
        • Navigating Autopsy
        • Examining a case
          • Web artifacts
          • Email
          • Attached devices
          • Deleted files
          • Keyword searches
          • Timeline analysis
      • MFT analysis
      • Registry analysis
      • Summary
      • Questions
      • Further reading
    • Analyzing Log Files
      • Logging and log management
      • Working with event management systems
        • Security Onion
        • The Elastic Stack
      • Understanding Windows logs
      • Analyzing Windows event logs
        • Acquisition
        • Triage
        • Analysis
          • Event Log Explorer
          • Analyzing logs with Skadi
      • Summary
      • Questions
      • Further reading
    • Writing the Incident Report
      • Documentation overview
        • What to document
        • Types of documentation
        • Sources
        • Audience
      • Incident tracking
        • Fast Incident Response
      • Written reports
        • Executive summary
        • Incident report
        • Forensic report
      • Summary
      • Questions
      • Further reading
  • Section 4: Specialist Topics
    • Malware Analysis for Incident Response
      • Malware classifications
      • Malware analysis overview
        • Static analysis
        • Dynamic analysis
      • Analyzing malware
        • Static analysis
          • ClamAV
          • PeStudio
          • REMnux
          • YARA
        • Dynamic analysis
          • Malware sandbox
          • Process Explorer
          • Process Spawn Control
          • Cuckoo Sandbox
      • Summary
      • Questions
      • Further reading
    • Leveraging Threat Intelligence
      • Understanding threat intelligence
        • Threat intelligence types
        • Pyramid of pain
      • Threat intelligence methodology
        • Threat intelligence direction
          • Cyber kill chain
          • Diamond model
      • Threat intelligence sources
        • Internally developed sources
        • Commercial sourcing
        • Open source
      • Threat intelligence platforms
        • MISP threat sharing
      • Using threat intelligence
        • Proactive threat intelligence
        • Reactive threat intelligence
          • Autopsy
          • Adding IOCs to Redline
          • Yara and Loki
      • Summary
      • Questions
      • Further reading
    • Hunting for Threats
      • The threat hunting maturity model
      • Threat hunt cycle
        • Initiating event
        • Creating a working hypothesis
        • Leveraging threat intelligence
        • Applying forensic techniques
        • Identifying new indicators
        • Enriching the existing hypothesis
      • MITRE ATT&CK
      • Threat hunt planning
      • Threat hunt reporting
      • Summary
      • Questions
      • Further reading
  • Appendix: Assessment
    • Chapter 1: Understanding Incident Response
    • Chapter 2: Managing Cyber Incidents
    • Chapter 3: Fundamentals of Digital Forensics
    • Chapter 4: Collecting Network Evidence
    • Chapter 5: Acquiring Host-Based Evidence
    • Chapter 6: Forensic Imaging
    • Chapter 7: Analyzing Network Evidence
    • Chapter 8: Analyzing System Memory
    • Chapter 9: Analyzing System Storage
    • Chapter 10: Analyzing Log Files
    • Chapter 11: Writing the Incident Report
    • Chapter 12: Malware Analysis for Incident Response
    • Chapter 13: Leveraging Threat Intelligence
    • Chapter 14: Hunting for Threats
  • Other Books You May Enjoy
    • Leave a review – let other readers know what you think