Incident Response & Computer Forensics, Third Edition, 3rd Edition

Book Description

The definitive guide to incident response--updated for the first time in a decade!

Thoroughly revised to cover the latest and most effective tools and techniques, Incident Response & Computer Forensics, Third Edition arms you with the information you need to get your organization out of trouble when data breaches occur. This practical resource covers the entire lifecycle of incident response, including preparation, data collection, data analysis, and remediation. Real-world case studies reveal the methods behind--and remediation strategies for--today's most insidious attacks.

  • Architect an infrastructure that allows for methodical investigation and remediation
  • Develop leads, identify indicators of compromise, and determine incident scope
  • Collect and preserve live data
  • Perform forensic duplication
  • Analyze data from networks, enterprise services, and applications
  • Investigate Windows and Mac OS X systems
  • Perform malware triage
  • Write detailed incident response reports
  • Create and implement comprehensive remediation plans

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. About the Authors
    1. About the Contributors
    2. About the Technical Editor
  5. Contents
  6. Foreword
  7. Acknowledgments
  8. Introduction
  9. Part I: Preparing for the Inevitable Incident
    1. Chapter 1: Real-World Incidents
      1. What Constitutes an Incident?
      2. What Is Incident Response?
      3. Where We Are Now
      4. Why Should You Care About Incident Response?
      5. Case Studies
        1. Case Study #1: Show Me the Money
        2. Case Study #2: Certificate of Authenticity
      6. Concept of the Attack Lifecycle
      7. So What?
      8. Questions
    2. Chapter 2: IR Management Handbook
      1. What Is a Computer Security Incident?
      2. What Are the Goals of Incident Response?
      3. Who Is Involved in the IR Process?
        1. Finding IR Talent
      4. The Incident Response Process
        1. Initial Response
        2. Investigation
        3. Remediation
        4. Tracking of Significant Investigative Information
        5. Reporting
      5. So What?
      6. Questions
    3. Chapter 3: Pre-Incident Preparation
      1. Preparing the Organization for Incident Response
        1. Identifying Risk
        2. Policies That Promote a Successful IR
        3. Working with Outsourced IT
        4. Thoughts on Global Infrastructure Issues
        5. Educating Users on Host-Based Security
      2. Preparing the IR Team
        1. Defining the Mission
        2. Communication Procedures
        3. Deliverables
        4. Resources for the IR Team
      3. Preparing the Infrastructure for Incident Response
        1. Computing Device Configuration
        2. Network Configuration
      4. So What?
      5. Questions
  10. Part II: Incident Detection and Characterization
    1. Chapter 4: Getting the Investigation Started on the Right Foot
      1. Collecting Initial Facts
        1. Checklists
      2. Maintenance of Case Notes
        1. Building an Attack Timeline
      3. Understanding Investigative Priorities
        1. What Are Elements of Proof?
        2. Setting Expectations with Management
      4. So What?
      5. Questions
    2. Chapter 5: Initial Development of Leads
      1. Defining Leads of Value
      2. Acting on Leads
        1. Turning Leads into Indicators
        2. The Lifecycle of Indicator Generation
        3. Resolving Internal Leads
        4. Resolving External Leads
      3. So What?
      4. Questions
    3. Chapter 6: Discovering the Scope of the Incident
      1. What Should I Do?
        1. Examining Initial Data
        2. Gathering and Reviewing Preliminary Evidence
        3. Determining a Course of Action
      2. Customer Data Loss Scenario
        1. Customer Data Loss—Scoping Gone Wrong
      3. Automated Clearing House (ACH) Fraud Scenario
        1. ACH Fraud—Scoping Gone Wrong
      4. So What?
      5. Questions
  11. Part III: Data Collection
    1. Chapter 7: Live Data Collection
      1. When to Perform a Live Response
      2. Selecting a Live Response Tool
      3. What to Collect
      4. Collection Best Practices
      5. Live Data Collection on Microsoft Windows Systems
        1. Prebuilt Toolkits
        2. Do It Yourself
        3. Memory Collection
      6. Live Data Collection on Unix-Based Systems
        1. Live Response Toolkits
        2. Memory Collection
      7. So What?
      8. Questions
    2. Chapter 8: Forensic Duplication
      1. Forensic Image Formats
        1. Complete Disk Image
        2. Partition Image
        3. Logical Image
        4. Image Integrity
      2. Traditional Duplication
        1. Hardware Write Blockers
        2. Image Creation Tools
      3. Live System Duplication
      4. Duplication of Enterprise Assets
        1. Duplication of Virtual Machines
      5. So What?
      6. Questions
    3. Chapter 9: Network Evidence
      1. The Case for Network Monitoring
      2. Types of Network Monitoring
        1. Event-Based Alert Monitoring
        2. Header and Full Packet Logging
        3. Statistical Modeling
      3. Setting Up a Network Monitoring System
        1. Choosing Appropriate Hardware
        2. Installation of a Pre-built Distribution
        3. Deploying the Network Sensor
        4. Evaluating Your Network Monitor
      4. Network Data Analysis
        1. Data Theft Scenario
        2. Webshell Reconnaissance Scenario
        3. Other Network Analysis Tools
      5. Collect Logs Generated from Network Events
      6. So What?
      7. Questions
    4. Chapter 10: Enterprise Services
      1. Network Infrastructure Services
        1. DHCP
        2. DNS
      2. Enterprise Management Applications
        1. LANDesk Software Management Suite
        2. Symantec Altiris Client Management Suite
      3. Antivirus Software
        1. Antivirus Quarantine
        2. Symantec Endpoint Protection
        3. McAfee VirusScan
        4. Trend Micro OfficeScan
      4. Web Servers
        1. Web Server Background
        2. Apache HTTP Server
        3. Microsoft Internet Information Services (IIS)
      5. Database Servers
        1. Microsoft SQL
        2. MySQL
        3. Oracle
      6. So What?
      7. Questions
  12. Part IV: Data Analysis
    1. Chapter 11: Analysis Methodology
      1. Define Objectives
      2. Know Your Data
        1. Where Is Data Stored?
        2. What’s Available?
      3. Access Your Data
      4. Analyze Your Data
        1. Outline an Approach
        2. Select Methods
      5. Evaluate Results
      6. So What?
      7. Questions
    2. Chapter 12: Investigating Windows Systems
      1. NTFS and File System Analysis
        1. The Master File Table
        2. INDX Attributes
        3. Change Logs
        4. Volume Shadow Copies
        5. File System Redirector
      2. Prefetch
        1. The Evidence
        2. Analysis
      3. Event Logs
        1. The Evidence
        2. Analysis
      4. Scheduled Tasks
        1. Creating Tasks with the “at” Command
        2. Creating Tasks with the schtasks Command
        3. The Evidence
        4. Analysis
      5. The Windows Registry
        1. The Evidence
        2. Analysis
        3. Registry Analysis Tools
      6. Other Artifacts of Interactive Sessions
        1. LNK Files
        2. Jump Lists
        3. The Recycle Bin
      7. Memory Forensics
        1. The Evidence
        2. Memory Analysis
      8. Alternative Persistence Mechanisms
        1. Startup Folders
        2. Recurring Tasks
        3. System Binary Modification
        4. DLL Load-Order Hijacking
      9. Review: Answering Common Investigative Questions
      10. So What?
      11. Questions
    3. Chapter 13: Investigating Mac OS X Systems
      1. HFS+ and File System Analysis
        1. Volume Layout
        2. File System Services
      2. Core Operating System Data
        1. File System Layout
        2. User and Service Configuration
        3. Trash and Deleted Files
        4. System Auditing, Databases, and Logging
        5. Scheduled Tasks and Services
        6. Application Installers
      3. A Review: Answering Common Investigative Questions
      4. So What?
      5. Questions
    4. Chapter 14: Investigating Applications
      1. What Is Application Data?
      2. Where Is Application Data Stored?
        1. Windows
        2. OS X
        3. Linux
      3. General Investigation Methods
      4. Web Browsers
        1. Internet Explorer
        2. Google Chrome
        3. Mozilla Firefox
      5. E-Mail Clients
        1. Web E-Mail
        2. Microsoft Outlook for Windows
        3. Apple Mail
        4. Microsoft Outlook for Mac
      6. Instant Message Clients
        1. Methodology
        2. Instant Message
      7. So What?
      8. Questions
    5. Chapter 15: Malware Triage
      1. Malware Handling
        1. Safety
        2. Documentation
        3. Distribution
        4. Accessing Malicious Sites
      2. Triage Environment
        1. Setting Up a Virtual Environment
      3. Static Analysis
        1. What Is That File?
        2. Portable Executable Files
      4. Dynamic Analysis
        1. Automated Dynamic Analysis: Sandboxes
        2. Manual Dynamic Analysis
      5. So What?
      6. Questions
    6. Chapter 16: Report Writing
      1. Why Write Reports?
      2. Reporting Standards
        1. Report Style and Formatting
        2. Report Content and Organization
      3. Quality Assurance
      4. So What?
      5. Questions
  13. Part V: Remediation
    1. Chapter 17: Remediation Introduction
      1. Basic Concepts
      2. Remediation Pre-Checks
      3. Form the Remediation Team
        1. When to Create the Remediation Team
        2. Assigning a Remediation Owner
        3. Members of the Remediation Team
      4. Determine the Timing of the Remediation
      5. Develop and Implement Remediation Posturing Actions
        1. Implications of Alerting the Attacker
      6. Develop and Implement Incident Containment Actions
      7. Develop the Eradication Action Plan
      8. Determine Eradication Event Timing and Execute Eradication Plan
      9. Develop Strategic Recommendations
      10. Document the Lessons Learned
      11. Putting It All Together
      12. Common Mistakes That Lead to Remediation Failure
      13. So What?
      14. Questions
    2. Chapter 18: Remediation Case Study
      1. Remediation Plan for Case Study #1: Show Me the Money
        1. Select the Team
        2. Determine Remediation Timing
        3. Contain the Incident
        4. Posture the Environment
        5. Eradicate the Attacker
        6. Set the Strategic Direction
      2. So What?
      3. Questions
  14. Index