Title Page
Copyright
Digital Forensics and Incident Response
Credits
About the Author
About the Reviewer
www.PacktPub.com
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
Incident Response
The incident response process
The role of digital forensics
The incident response framework
The incident response charter
CSIRT
CSIRT core team
Technical support personnel
Organizational support personnel
External resources
The incident response plan
Incident classification
The incident response playbook
Escalation procedures
Maintaining the incident response capability
Summary
Forensic Fundamentals
Legal aspects
Laws and regulations
Rules of evidence
Digital forensic fundamentals
A brief history
The digital forensic process
Identification
Preservation
Collection
Proper evidence handling
Chain of custody
Examination
Analysis
Presentation
Digital forensic lab
Physical security
Tools
Hardware
Software
Jump kit
Summary
Network Evidence Collection
Preparation
Network diagram
Configuration
Logs and log management
Network device evidence
Security information and event management system
Security onion
Packet capture
tcpdump
WinPcap and RawCap
Wireshark
Evidence collection
Summary
Acquiring Host-Based Evidence
Preparation
Evidence volatility
Evidence acquisition
Evidence collection procedures
Memory acquisition
Local acquisition
FTK Imager
Winpmem
Remote acquisition
Winpmem
F-Response
Virtual machines
Non-volatile data
Summary
Understanding Forensic Imaging
Overview of forensic imaging
Preparing a stage drive
Imaging
Dead imaging
Live imaging
Imaging with Linux
Summary
Network Evidence Analysis
Analyzing packet captures
Command-line tools
Wireshark
Xplico and CapAnalysis
Xplico
CapAnalysis
Analyzing network log files
DNS blacklists
SIEM
ELK Stack
Summary
Analyzing System Memory
Memory evidence overview
Memory analysis
Memory analysis methodology
SANS six-part methodology
Network connections methodology
Tools
Redline
Volatility
Installing Volatility
Identifying the image
pslist
psscan
pstree
DLLlist
Handles
svcscan
netscan and sockets
LDR modules
psxview
Dlldump
memdump
procdump
Rekall
imageinfo
pslist
Event logs
Sockets
Malfind
Summary
Analyzing System Storage
Forensic platforms
Autopsy
Installing Autopsy
Opening a case
Navigating Autopsy
Examining a Case
Web Artifacts
Attached Devices
Deleted Files
Keyword Searches
Timeline Analysis
Registry analysis
Summary
Forensic Reporting
Documentation overview
What to document
Types of documentation
Sources
Audience
Incident tracking
Fast incident response
Written reports
Executive summary
Incident report
Forensic report
Summary
Malware Analysis
Malware overview
Malware analysis overview
Static analysis
Dynamic analysis
Analyzing malware
Static analysis
Pestudio
Remnux
Dynamic analysis
Process Explorer
Cuckoo sandbox
Summary
Threat Intelligence
Threat intelligence overview
Threat intelligence types
Threat intelligence methodology
Threat intelligence direction
Cyber kill chain
Diamond model
MITRE ATT&CK
Threat intelligence sources
Internally developed sources
Commercial sourcing
Open source
Threat intelligence platforms
MISP threat sharing
Using threat intelligence
Proactive threat intelligence
Reactive threat intelligence
Autopsy
Redline
Yara and Loki
Summary