Digital Forensics and Incident Response (English)


Below is an outline of the eBook "Digital Forensics and Incident Response" by Gerard Johansen. If you're a member, you can log into the Library and view it in your browser using the email address you signed up with. Note that only members can successfully log in.

  • Click HERE to log into the library (Members only).
  • Folder: Books and Guides > Digital Forensics and Incident Response

If you are having issues logging in, please check the following help guide, HERE.



Chapter 1: Incident Response
The incident response process
1. The role of digital forensics
The incident response framework
1. The incident response charter
a. CSIRT core team
b. Technical support personnel
c. Organizational support personnel
d. External resources
The incident response plan
1. Incident classification

The incident response playbook
1. Escalation procedures
2. Maintaining the incident response capability

Chapter 2: Forensic Fundamentals
Legal aspects
1. Laws and regulations
2. Rules of evidence
Digital forensic fundamentals
1. A brief history
2. The digital forensic process
a. Identification
b. Preservation
c. Collection
i. Proper evidence handling
ii. Chain of custody
d. Examination
e. Analysis
f. Presentation
3. Digital forensic lab
4. Physical security
5. Tools
6. Hardware
7. Software
8. Jump kit

Chapter 3: Network Evidence Collection
1. Network diagram
2. Configuration
3. Logs and log management
Network device evidence
1. Security information and event management system
2. Security Onion
Packet capture
1. tcpdump
2. WinPcap and RawCap
3. Wireshark
Evidence collection

Chapter 4: Acquiring Host-Based Evidence
Evidence volatility
Evidence acquisition
Evidence collection procedures
1. Memory acquisition
a. Local acquisition
i. FTK Imager
ii. WinPmem
2. Remote acquisition
a. WinPmem
b. F-Response
3. Virtual machines
Non-volatile data

Chapter 5: Understanding Forensic Imaging
Overview of forensic imaging
Preparing a stage drive
1. Dead imaging
2. Live imaging
3. Imaging with Linux

Chapter 6: Network Evidence Analysis
Analyzing packet captures
1. Command-line tools
2. Wireshark
3. Xplico and CapAnalysis
a. Xplico
b. CapAnalysis
Analyzing network log files
1. DNS blacklists
3. ELK Stack

Chapter 7: Analyzing System Memory
Memory evidence overview
Memory analysis
1. Memory analysis methodology
a. SANS six-part methodology
2. Network connections methodology
3. Tools
4. Redline
5. Volatility
a. Installing Volatility
b. Identifying the image
c. pslist
d. psscan
e. pstree
f. dlllist
g. handles
h. svcscan
i. netscan and sockets
j. ldrmodules
k. psxview
l. dlldump
m. memdump
n. procdump
o. Rekall
p. imageinfo
q. pslist
r. Event logs
s. Sockets
t. malfind

Chapter 8: Analyzing System Storage
Forensic platforms
1. Autopsy
a. Installing Autopsy
b. Opening a case
c. Navigating Autopsy
d. Examining a case
i. Web artifacts
e. Email
f. Attached devices
g. Deleted files
h. Keyword searches
i. Timeline analysis
j. Registry analysis

Chapter 9: Forensic Reporting
Documentation overview
1. What to document
2. Types of documentation
3. Sources
4. Audience
Incident tracking
1. Fast incident response
Written reports
1. Executive summary
2. Incident report
3. Forensic report

Chapter 10: Malware Analysis
Malware overview
Malware analysis overview
1. Static analysis
2. Dynamic analysis
Analyzing malware
1. Static analysis
2. PEStudio
3. REMnux
Dynamic analysis
1. Process Explorer
2. Cuckoo sandbox

Chapter 11: Threat Intelligence
Threat intelligence overview
1. Threat intelligence types
Threat intelligence methodology
Threat intelligence direction
1. Cyber kill chain
2. Diamond model
Threat intelligence sources
1. Internally developed sources
2. Commercial sourcing
3. Open source
Threat intelligence platforms
1. MISP threat sharing
Using threat intelligence
1. Proactive threat intelligence
2. Reactive threat intelligence
a. Autopsy
b. Redline
c. YARA and Loki


Next steps:

This article was contributed by Jason Jacobs from Guyana. Jason is a member of the Caribbean CSPA. 

