Additional Information
Book Details
Abstract
Incident response and digital forensics require a balancing act to get right, but both are essential when an information security incident occurs.
In this practical guide, the relationship between incident response and digital forensics is explored and you will learn how to undertake each and balance them to meet the needs of an organisation in the event of an information security incident. Best practice tips and real-life examples are included throughout.
Incident response is the method by which organisations take steps to identify and recover from an information security incident, with as little impact as possible on business as usual. Digital forensics is what follows - a scientific investigation into the causes of an incident with the aim of bringing the perpetrators to justice. These two disciplines have a close but complex relationship and require a balancing act to get right, but both are essential when an incident occurs.
In this practical guide, the relationship between incident response and digital forensics is explored and you will learn how to undertake each and balance them to meet the needs of an organisation in the event of an information security incident. Best practice tips and real-life examples are included throughout.
Mike Sheward is the Director of Information Security at Accolade Inc and runs a digital investigation consultancy, Secure Being LLC. He has worked in information security, primarily in Incident Response and Digital Forensics, in the UK and USA. In 2017, Mike published a book based on his own adventures in digital forensics, 'Digital Forensic Diaries.'
‘A great book which I could see on the shelf of any investigator or included in the book lists of digital forensic and cyber security students at university’.
Dale McGleenon
'A fantastic summary of cyber incident response and digital forensics for existing practitioners and managers which covers the all-important impact on people! This a great book to whet the appetite of those aspiring to get into the field.'
Martin Heyde
Table of Contents
| Section Title | Page | Action | Price |
|---|---|---|---|
| Cover | Cover | ||
| Copyright Page | iv | ||
| CONTENTS | v | ||
| LIST OF FIGURES | viii | ||
| AUTHOR | ix | ||
| FOREWORD | x | ||
| ACKNOWLEDGEMENTS | xi | ||
| GLOSSARY | xii | ||
| USEFUL WEBSITES | xvi | ||
| PREFACE | xviii | ||
| INTRODUCTION | 1 | ||
| INCIDENT RESPONSE | 2 | ||
| DIGITAL FORENSICS | 4 | ||
| WHY BOTH? | 6 | ||
| HANDS-ON | 6 | ||
| HOW THIS BOOK FITS IN | 7 | ||
| PART 1\rINCIDENT RESPONSE | 9 | ||
| 1 UNDERSTANDING INFORMATION SECURITY INCIDENTS | 11 | ||
| WHAT IS AN INFORMATION SECURITY INCIDENT? | 11 | ||
| TYPES OF INCIDENT | 12 | ||
| DETECTING SECURITY INCIDENTS | 19 | ||
| WHY DO SECURITY INCIDENTS HAPPEN? | 25 | ||
| SUMMARY | 27 | ||
| 2 BEFORE THE INCIDENT | 28 | ||
| BUILDING THE INCIDENT RESPONSE PLAYBOOK | 28 | ||
| TESTING THE PLAYBOOK | 34 | ||
| INCIDENT PLANNING AND COMPLIANCE | 37 | ||
| FORENSIC READINESS | 38 | ||
| SUMMARY | 39 | ||
| 3 THE INCIDENT RESPONSE PROCESS | 40 | ||
| IDENTIFICATION | 41 | ||
| CONTAINMENT | 52 | ||
| ERADICATION | 57 | ||
| RECOVERY | 59 | ||
| SUMMARY | 59 | ||
| 4 THINGS TO AVOID DURING INCIDENT RESPONSE | 60 | ||
| ERADICATION AND PRESERVATION | 61 | ||
| AN INCIDENT FROM AN INCIDENT | 67 | ||
| THE BLAME GAME | 69 | ||
| IT’S NOT OVER UNTIL IT’S OVER | 70 | ||
| SUMMARY | 70 | ||
| 5 AFTER THE INCIDENT | 71 | ||
| POST MORTEM | 71 | ||
| QUANTIFY THE IMPACT | 76 | ||
| FORENSICS | 79 | ||
| SUMMARY\r | 79 | ||
| 6 THE BUSINESS OF INCIDENT RESPONSE | 81 | ||
| REQUEST FOR PROPOSAL | 81 | ||
| THE POWER OF PR | 84 | ||
| MERGERS AND ACQUISITIONS | 87 | ||
| ESCAPE THE TECHNICAL BUBBLE | 87 | ||
| INCIDENT RESPONSE SERVICE PROVIDERS | 88 | ||
| SUMMARY | 90 | ||
| PART 2\rDIGITAL FORENSICS | 91 | ||
| 7 INTRODUCING THE DIGITAL FORENSICS INVESTIGATION | 93 | ||
| THE INVESTIGATOR | 94 | ||
| FORENSICS FUNDAMENTALS | 96 | ||
| ARRIVING AT AN INVESTIGATION | 100 | ||
| INVESTIGATIVE PROCESS | 100 | ||
| SUMMARY | 104 | ||
| 8 THE LAWS AND ETHICS OF DIGITAL FORENSICS | 105 | ||
| CRIMES WITHOUT BORDERS | 105 | ||
| LAWS APPLICABLE TO FORENSICS | 107 | ||
| ETHICAL CONSIDERATIONS | 115 | ||
| SUMMARY | 116 | ||
| 9 DIGITAL FORENSICS TOOLS | 117 | ||
| GRAB BAG | 117 | ||
| FORENSIC HARDWARE | 120 | ||
| FORENSIC SOFTWARE | 124 | ||
| SUMMARY | 128 | ||
| 10 EVIDENCE ACQUISITION BASICS | 129 | ||
| THE HARD DISK DRIVE | 129 | ||
| REMOVABLE MEDIA | 134 | ||
| PROCESSING DISK IMAGES | 135 | ||
| FILE SYSTEMS | 136 | ||
| OPERATING SYSTEMS | 139 | ||
| FILES | 143 | ||
| ANALYSIS OF ARTEFACTS | 144 | ||
| SUMMARY | 146 | ||
| 11 CAPTURING A MOVING TARGET\r | 147 | ||
| INCIDENT RESPONSE AND DIGITAL FORENSICS | 147 | ||
| LIVE ACQUISITION DRIVERS | 148 | ||
| LIVE ACQUISITION TECHNIQUE | 152 | ||
| ORDER OF VOLATILITY | 152 | ||
| NETWORK FORENSICS | 155 | ||
| SUMMARY | 158 | ||
| 12 MEMORY FORENSICS | 160 | ||
| UNDERSTANDING MEMORY DEVICES | 160 | ||
| CAPTURING | 164 | ||
| ANALYSIS | 166 | ||
| SUMMARY | 168 | ||
| 13 CLOUD FORENSICS | 169 | ||
| CLOUD COMPUTING TERMINOLOGY | 169 | ||
| ACQUISITION IN THE CLOUD | 171 | ||
| CONTAINER FORENSICS | 177 | ||
| FORENSICS IN THE CLOUD? | 178 | ||
| SUMMARY | 178 | ||
| 14 MOBILE DEVICE FORENSICS | 179 | ||
| MOBILE PHONE TERMINOLOGY | 179 | ||
| SEIZING MOBILE DEVICES | 182 | ||
| ACQUISITION TYPES AND TOOLS | 184 | ||
| SMARTPHONES | 186 | ||
| SUMMARY | 188 | ||
| 15 REPORTING AND PRESENTING YOUR FINDINGS | 189 | ||
| LAYOUT AND CONTENT | 190 | ||
| AUDIENCE | 194 | ||
| SUMMARY | 195 | ||
| 16 THE HUMAN ELEMENTS OF AN INVESTIGATION | 196 | ||
| VICTIMS | 196 | ||
| PERPETRATORS | 201 | ||
| INVESTIGATORS | 203 | ||
| SUMMARY | 204 | ||
| INDEX | 205 | ||
| Back Cover | 213 |