Digital Forensics and Incident Response (English)

Overview

Below is an outline of the eBook "Digital Forensics and Incident Response" by Gerard Johansen. Members can log into the Library and view it in their browser using the email address they signed up with (folder: Books and Guides > Digital Forensics and Incident Response).

Outline

Preface
Chapter 1: Incident Response
The incident response process
1. The role of digital forensics
The incident response framework
1. The incident response charter
2. CSIRT
a. CSIRT core team
b. Technical support personnel
c. Organizational support personnel
d. External resources
The incident response plan
1. Incident classification
The incident response playbook
1. Escalation procedures
2. Maintaining the incident response capability
Summary

Chapter 2: Forensic Fundamentals
Legal aspects
1. Laws and regulations
2. Rules of evidence
Digital forensic fundamentals
1. A brief history
2. The digital forensic process
a. Identification
b. Preservation
c. Collection
i. Proper evidence handling
ii. Chain of custody
d. Examination
e. Analysis
f. Presentation
3. Digital forensic lab
4. Physical security
5. Tools
6. Hardware
7. Software
8. Jump kit
Summary

Chapter 3: Network Evidence Collection
Preparation
1. Network diagram
2. Configuration
3. Logs and log management
Network device evidence
1. Security information and event management system
2. Security Onion
Packet capture
1. tcpdump
2. WinPcap and RawCap
3. Wireshark
Evidence collection
Summary

Chapter 4: Acquiring Host-Based Evidence
Preparation
Evidence volatility
Evidence acquisition
Evidence collection procedures
1. Memory acquisition
a. Local acquisition
i. FTK Imager
ii. Winpmem
2. Remote acquisition
a. Winpmem
b. F-Response
3. Virtual machines
Non-volatile data
Summary
Chapter 5: Understanding Forensic Imaging
Overview of forensic imaging
Preparing a stage drive
Imaging
1. Dead imaging
2. Live imaging
3. Imaging with Linux
Summary

Chapter 6: Network Evidence Analysis
Analyzing packet captures
1. Command-line tools
2. Wireshark
3. Xplico and CapAnalysis
a. Xplico
b. CapAnalysis
Analyzing network log files
1. DNS blacklists
2. SIEM
3. ELK Stack
Summary

Chapter 7: Analyzing System Memory
Memory evidence overview
Memory analysis
1. Memory analysis methodology
a. SANS six-part methodology
2. Network connections methodology
3. Tools
4. Redline
5. Volatility
a. Installing Volatility
b. Identifying the image
c. pslist
d. psscan
e. pstree
f. DLLlist
g. Handles
h. svcscan
i. netscan and sockets
j. LDR modules
k. psxview
l. Dlldump
m. memdump
n. procdump
o. Rekall
p. imageinfo
q. pslist
r. Event logs
s. Sockets
t. Malfind
Summary

Chapter 8: Analyzing System Storage
Forensic platforms
1. Autopsy
a. Installing Autopsy
b. Opening a case
c. Navigating Autopsy
d. Examining a Case
i. Web Artifacts
e. Email
f. Attached Devices
g. Deleted Files
h. Keyword Searches
i. Timeline Analysis
j. Registry analysis
Summary

Chapter 9: Forensic Reporting
Documentation overview
1. What to document
2. Types of documentation
3. Sources
4. Audience
Incident tracking
1. Fast incident response
Written reports
1. Executive summary
2. Incident report
3. Forensic report
Summary

Chapter 10: Malware Analysis
Malware overview
Malware analysis overview
1. Static analysis
2. Dynamic analysis
Analyzing malware
1. Static analysis
2. Pestudio
3. REMnux
Dynamic analysis
1. Process Explorer
2. Cuckoo sandbox
Summary

Chapter 11: Threat Intelligence
Threat intelligence overview
1. Threat intelligence types
Threat intelligence methodology
Threat intelligence direction
1. Cyber kill chain
2. Diamond model
Threat intelligence sources
1. Internally developed sources
2. Commercial sourcing
3. Open source
Threat intelligence platforms
1. MISP threat sharing
Using threat intelligence
1. Proactive threat intelligence
2. Reactive threat intelligence
a. Autopsy
b. Redline
c. Yara and Loki
Summary

-----

This article was contributed by Jason Jacobs from Guyana. Jason is a member of the Caribbean CSPA.