Hands-on Incident Response and Digital Forensics

Mike Sheward

(2018)

Abstract

Incident response is the method by which organisations take steps to identify and recover from an information security incident, with as little impact as possible on business as usual. Digital forensics is what follows - a scientific investigation into the causes of an incident with the aim of bringing the perpetrators to justice. These two disciplines have a close but complex relationship and require a balancing act to get right, but both are essential when an incident occurs. In this practical guide, the relationship between incident response and digital forensics is explored and you will learn how to undertake each and balance them to meet the needs of an organisation in the event of an information security incident. Best practice tips and real-life examples are included throughout.
Mike Sheward is the Director of Information Security at Accolade Inc and runs a digital investigation consultancy, Secure Being LLC. He has worked in information security, primarily in Incident Response and Digital Forensics, in the UK and USA. In 2017, Mike published a book based on his own adventures in digital forensics, 'Digital Forensic Diaries.'
‘A great book which I could see on the shelf of any investigator or included in the book lists of digital forensic and cyber security students at university’.
Dale McGleenon
‘A fantastic summary of cyber incident response and digital forensics for existing practitioners and managers which covers the all-important impact on people! This is a great book to whet the appetite of those aspiring to get into the field.’
Martin Heyde

Table of Contents

Cover
Copyright Page iv
CONTENTS v
LIST OF FIGURES viii
AUTHOR ix
FOREWORD x
ACKNOWLEDGEMENTS xi
GLOSSARY xii
USEFUL WEBSITES xvi
PREFACE xviii
INTRODUCTION 1
INCIDENT RESPONSE 2
DIGITAL FORENSICS 4
WHY BOTH? 6
HANDS-ON 6
HOW THIS BOOK FITS IN 7
PART 1 INCIDENT RESPONSE 9
1 UNDERSTANDING INFORMATION SECURITY INCIDENTS 11
WHAT IS AN INFORMATION SECURITY INCIDENT? 11
TYPES OF INCIDENT 12
DETECTING SECURITY INCIDENTS 19
WHY DO SECURITY INCIDENTS HAPPEN? 25
SUMMARY 27
2 BEFORE THE INCIDENT 28
BUILDING THE INCIDENT RESPONSE PLAYBOOK 28
TESTING THE PLAYBOOK 34
INCIDENT PLANNING AND COMPLIANCE 37
FORENSIC READINESS 38
SUMMARY 39
3 THE INCIDENT RESPONSE PROCESS 40
IDENTIFICATION 41
CONTAINMENT 52
ERADICATION 57
RECOVERY 59
SUMMARY 59
4 THINGS TO AVOID DURING INCIDENT RESPONSE 60
ERADICATION AND PRESERVATION 61
AN INCIDENT FROM AN INCIDENT 67
THE BLAME GAME 69
IT’S NOT OVER UNTIL IT’S OVER 70
SUMMARY 70
5 AFTER THE INCIDENT 71
POST MORTEM 71
QUANTIFY THE IMPACT 76
FORENSICS 79
SUMMARY 79
6 THE BUSINESS OF INCIDENT RESPONSE 81
REQUEST FOR PROPOSAL 81
THE POWER OF PR 84
MERGERS AND ACQUISITIONS 87
ESCAPE THE TECHNICAL BUBBLE 87
INCIDENT RESPONSE SERVICE PROVIDERS 88
SUMMARY 90
PART 2 DIGITAL FORENSICS 91
7 INTRODUCING THE DIGITAL FORENSICS INVESTIGATION 93
THE INVESTIGATOR 94
FORENSICS FUNDAMENTALS 96
ARRIVING AT AN INVESTIGATION 100
INVESTIGATIVE PROCESS 100
SUMMARY 104
8 THE LAWS AND ETHICS OF DIGITAL FORENSICS 105
CRIMES WITHOUT BORDERS 105
LAWS APPLICABLE TO FORENSICS 107
ETHICAL CONSIDERATIONS 115
SUMMARY 116
9 DIGITAL FORENSICS TOOLS 117
GRAB BAG 117
FORENSIC HARDWARE 120
FORENSIC SOFTWARE 124
SUMMARY 128
10 EVIDENCE ACQUISITION BASICS 129
THE HARD DISK DRIVE 129
REMOVABLE MEDIA 134
PROCESSING DISK IMAGES 135
FILE SYSTEMS 136
OPERATING SYSTEMS 139
FILES 143
ANALYSIS OF ARTEFACTS 144
SUMMARY 146
11 CAPTURING A MOVING TARGET 147
INCIDENT RESPONSE AND DIGITAL FORENSICS 147
LIVE ACQUISITION DRIVERS 148
LIVE ACQUISITION TECHNIQUE 152
ORDER OF VOLATILITY 152
NETWORK FORENSICS 155
SUMMARY 158
12 MEMORY FORENSICS 160
UNDERSTANDING MEMORY DEVICES 160
CAPTURING 164
ANALYSIS 166
SUMMARY 168
13 CLOUD FORENSICS 169
CLOUD COMPUTING TERMINOLOGY 169
ACQUISITION IN THE CLOUD 171
CONTAINER FORENSICS 177
FORENSICS IN THE CLOUD? 178
SUMMARY 178
14 MOBILE DEVICE FORENSICS 179
MOBILE PHONE TERMINOLOGY 179
SEIZING MOBILE DEVICES 182
ACQUISITION TYPES AND TOOLS 184
SMARTPHONES 186
SUMMARY 188
15 REPORTING AND PRESENTING YOUR FINDINGS 189
LAYOUT AND CONTENT 190
AUDIENCE 194
SUMMARY 195
16 THE HUMAN ELEMENTS OF AN INVESTIGATION 196
VICTIMS 196
PERPETRATORS 201
INVESTIGATORS 203
SUMMARY 204
INDEX 205
Back Cover 213