Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer, 1st edition
Published by Cisco Press (February 7, 2018) © 2018
- Joseph Muniz
- Aamir Lakhani
eTextbook
- Available for purchase from all major ebook resellers, including InformIT.com.
- To request a review copy, click on the "Request a Review Copy" button.
- A print text (hardcover or paperback)
- Free shipping
- Also available for purchase as an ebook from all major ebook resellers, including InformIT.com
Breach detection is one of the hottest topics in cyber security. As more devices become Internet capable, more systems become targets. This in turn increases the need for digital defenses meaning the intended audience will continue to grow and expand across all business sectors. This book is a guide for various levels of technical competencies. Business minded people and executives would benefit from the incident response and policy content. Network administrators will benefit from the breach detection best practices content. Security experts will benefit from the technical forensics tools and exercises. Unlike the very few books on this topic, this book will be developed as a guide that can be easily applied to any organization’s business practice.
This book will help administrators
1) Understand how to identify when they are compromised.
2) Improve their network security3) Develop a incident response plan
4) Maximize security capabilities in existing investments5) Learn how to use critical digital forensics tools
6) Understand best practices for digital forensics.
Introduction xix
Chapter 1 Digital Forensics 1
Defining Digital Forensics 3
Engaging Forensics Services 4
Reporting Crime 7
Search Warrant and Law 9
Forensic Roles 13
Forensic Job Market 15
Forensic Training 16
Summary 23
References 24
Chapter 2 Cybercrime and Defenses 25
Crime in a Digital Age 27
Exploitation 31
Adversaries 34
Cyber Law 36
Summary 39
Reference 39
Chapter 3 Building a Digital Forensics Lab 41
Desktop Virtualization 42
VMware Fusion 43
VirtualBox 44
Installing Kali Linux 44
Attack Virtual Machines 52
Cuckoo Sandbox 56
Virtualization Software for Cuckoo 58
Installing TCPdump 58
Creating a User on VirtualBox for Cuckoo 59
Binwalk 60
The Sleuth Kit 61
Cisco Snort 62
Windows Tools 67
Physical Access Controls 68
Storing Your Forensics Evidence 71
Network Access Controls 72
Jump Bag 74
Summary 74
References 75
Chapter 4 Responding to a Breach 77
Why Organizations Fail at Incident Response 78
Preparing for a Cyber Incident 80
Defining Incident Response 81
Incident Response Plan 82
Assembling Your Incident Response Team 84
When to Engage the Incident Response Team 85
Outstanding Items that Often Get Missed with Incident Response 88
Phone Tree and Contact List 88
Facilities 89
Responding to an Incident 89
Assessing Incident Severity 91
Following Notification Procedures 92
Employing Post-Incident Actions and Procedures 93
Identifying Software Used to Assist in Responding to a Breach 93
Trend Analysis Software 94
Security Analytics Reference Architectures 94
Other Software Categories 97
Summary 97
References 98
Chapter 5 Investigations 99
Pre-Investigation 100
Opening a Case 102
First Responder 105
Device Power State 110
Search and Seizure 113
Chain of Custody 118
Network Investigations 121
Forensic Reports 127
Case Summary 129
Example 129
Acquisition and Exam Preparation 129
Example 129
Findings 130
Example 130
Conclusion 130
Example 131
List of Authors 131
Example 131
Closing the Case 132
Critiquing the Case 136
Summary 139
References 139
Chapter 6 Collecting and Preserving Evidence 141
First Responder 141
Evidence 144
Autopsy 145
Authorization 147
Hard Drives 148
Connections and Devices 150
RAID 152
Volatile Data 153
DumpIt 154
LiME 154
Volatility 156
Duplication 158
dd 161
dcfldd 161
ddrescue 162
Netcat 162
Guymager 163
Compression and Splitting 164
Hashing 166
MD5 and SHA Hashing 168
Hashing Challenges 169
Data Preservation 170
Summary 172
References 172
Chapter 7 Endpoint Forensics 173
File Systems 174
Locating Data 178
Unknown Files 180
Windows Registry 182
Deleted Files 185
Windows Recycle Bin 187
Shortcuts 189
Printer Spools 190
Slack Space and Corrupt Clusters 191
Alternate Data Streams 196
Mac OS X 198
OS X Artifacts 199
Log Analysis 202
IoT Forensics 207
Summary 210
References 211
Chapter 8 Network Forensics 213
Network Protocols 214
Security Tools 215
Firewall 219
Intrusion Detection and Prevention System 219
Content Filter 219
Network Access Control 220
Packet Capturing 223
NetFlow 224
Sandbox 225
Honeypot 226
Security Information and Event Manager (SIEM) 228
Threat Analytics and Feeds 229
Security Tool Summary 229
Security Logs 229
Network Baselines 233
Symptoms of Threats 235
Reconnaissance 235
Exploitation 238
Malicious Behavior 242
Beaconing 244
Brute Force 249
Exfiltration 250
Other Indicators 254
Summary 255
References 255
Chapter 9 Mobile Forensics 257
Mobile Devices 258
Investigation Challenges 258
iOS Architecture 259
iTunes Forensics 261
iOS Snapshots 263
How to Jailbreak the iPhone 265
Android 266
PIN Bypass 270
How to Brute Force Passcodes on the Lock Screen 271
Forensics with Commercial Tools 272
Call Logs and SMS Spoofing 274
Voicemail Bypass 275
How to Find Burner Phones 276
SIM Card Cloning 278
Summary 279
Reference 279
Chapter 10 Email and Social Media 281
A Message in a Bottle 281
Email Header 283
Social Media 288
People Search 288
Google Search 293
Facebook Search 297
Summary 304
References 305
Chapter 11 Cisco Forensic Capabilities 307
Cisco Security Architecture 307
Cisco Open Source 310
Cisco Firepower 312
Cisco Advanced Malware Protection (AMP) 313
Cisco Threat Grid 319
Cisco Web Security Appliance 322
Cisco CTA 323
Meraki 324
Email Security Appliance 326
Cisco Identity Services Engine 328
Cisco Stealthwatch 331
Cisco Tetration 335
Cisco Umbrella 337
Cisco Cloudlock 342
Cisco Network Technology 343
Summary 343
Reference 343
Chapter 12 Forensic Case Studies 345
Scenario 1: Investigating Network Communication 346
Pre-engagement 347
Investigation Strategy for Network Data 348
Investigation 350
Closing the Investigation 355
Scenario 2: Using Endpoint Forensics 357
Pre-engagement 357
Investigation Strategy for Endpoints 358
Investigation 359
Potential Steps to Take 360
Closing the Investigation 362
Scenario 3: Investigating Malware 364
Pre-engagement 364
Investigation Strategy for Rogue Files 365
Investigation 365
Closing the Investigation 369
Scenario 4: Investigating Volatile Data 370
Pre-engagement 371
Investigation Strategy for Volatile Data 372
Investigation 373
Closing the Investigation 375
Scenario 5: Acting as First Responder 377
Pre-engagement 377
First Responder Strategy 377
Closing the Investigation 379
Summary 381
References 382
Chapter 13 Forensic Tools 383
Tools 384
Slowloris DDOS Tool: Chapter 2 385
Low Orbit Ion Cannon 386
VMware Fusion: Chapter 3 386
VirtualBox: Chapter 3 387
Metasploit: Chapter 3 388
Cuckoo Sandbox: Chapter 3 389
Cisco Snort: Chapter 3 389
FTK Imager: Chapters 3, 9 390
FireEye Redline: Chapter 3 391
P2 eXplorer: Chapter 3 392
PlainSight: Chapter 3 392
Sysmon: Chapter 3 393
WebUtil: Chapter 3 393
ProDiscover Basics: Chapter 3 393
Solarwinds Trend Analysis Module: Chapter 4 394
Splunk: Chapter 4 394
RSA Security Analytics: Chapter 4 395
IBM’s QRadar: Chapter 4 396
HawkeyeAP: Chapter 4 396
WinHex: Chapters 6, 7 396
OSForensics: Chapter 6 397
Mount Image Pro: Chapter 6 397
DumpIt: Chapter 6 398
LiME: Chapter 6 398
TrIDENT: Chapter 7 398
PEiD: Chapter 7 399
Lnkanalyser: Chapter 7 399
Windows File Analyzer: Chapter 7 399
LECmd: Chapter 7 401
SplViewer: Chapter 7 401
PhotoRec: Chapter 7 402
Windows Event Log: Chapter 7 402
Log Parser Studio: Chapter 7 403
LogRhythm: Chapter 8 403
Mobile Devices 404
Elcomsoft: Chapter 9 404
Cellebrite: Chapter 9 404
iPhone Backup Extractor: Chapter 9 405
iPhone Backup Browser: Chapter 9 405
Pangu: Chapter 9 405
KingoRoot Application: Chapter 9 405
Kali Linux Tools 406
Fierce: Chapter 8 406
TCPdump: Chapter 3 406
Autopsy and Autopsy with the Sleuth Kit: Chapters 3, 6 406
Wireshark: Chapter 8 406
Exiftool: Chapter 7 407
DD: Chapter 6 407
Dcfldd: Chapter 6 408
Ddrescue: Chapter 6 408
Netcat: Chapter 6 408
Volatility: Chapter 6 408
Cisco Tools 408
Cisco AMP 408
Stealthwatch: Chapter 8 409
Cisco WebEx: Chapter 4 409
Snort: Chapter 11 409
ClamAV: Chapter 10 409
Razorback: Chapter 10 410
Daemonlogger: Chapter 10 410
Moflow Framework: Chapter 10 410
Firepower: Chapter 10 410
Threat Grid: Chapter 10 410
WSA: Chapter 10 410
Meraki: Chapter 10 411
Email Security: Chapter 10 411
ISE: Chapter 10 411
Cisco Tetration: Chapter 10 411
Umbrella: Chapter 10 411
Norton ConnectSafe: No Chapter 412
Cloudlock: Chapter 10 412
Forensic Software Packages 413
FTK Toolkit: Chapter 3 413
X-Ways Forensics: Chapter 3 413
OSforensics: Chapter 6 414
EnCase: Chapter 7 414
Digital Forensics Framework (DFF): Chapter 7 414
Useful Websites 414
Shodan: Chapter 1 414
Wayback Machine: Chapter 3 415
Robot.txt files: Chapter 2 415
Hidden Wiki: Chapter 2 415
NIST: Chapter 4 416
CVE: Chapter 4 416
Exploit-DB: Chapter 4 416
Pastebin: Chapters 4, 10 416
University of Pennsylvania Chain of Custody Form: Chapter 6 417
List of File Signatures: Chapter 9 417
Windows Registry Forensics Wiki: Chapter 7 417
Mac OS Forensics Wiki: Chapter 7 417
Miscellaneous Sites 417
Searchable FCC ID Database 418
Service Name and Transport Protocol Port Number Registry 418
NetFlow Version 9 Flow-Record Format 418
NMAP 418
Pwnable 418
Embedded Security CTF 419
CTF Learn 419
Reversing.Kr 419
Hax Tor 419
W3Challs 419
RingZer0 Team Online CTF 420
Hellbound Hackers 420
Over the Wire 420
Hack This Site 420
VulnHub 420
Application Security Challenge 421
iOS Technology Overview 421
Summary 421
9781587145025 TOC 1/10/2017
Joseph Muniz is an architect at Cisco Systems and a security researcher. He has extensive experience in designing security solutions and architectures for the top Fortune 500 corporations and the U.S. government. Joseph’s current role gives him visibility into the latest trends in cybersecurity, from both leading vendors and customers. Examples of Joseph’s research include his RSA talk titled “Social Media Deception,” which has been quoted by many sources (search for “Emily Williams Social Engineering”), as well as his articles in PenTest Magazine regarding various security topics. Joseph runs The Security Blogger website, a popular resource for security, hacking, and product implementation. He is the author and contributor of several publications covering various penetration testing, certification, and security topics. You can follow Joseph at www.thesecurityblogger.com and @SecureBlogger.
Aamir Lakhani is a leading senior security strategist. He is responsible for providing IT security solutions to major enterprises and government organizations. Aamir creates technical security strategies and leads security implementation projects for Fortune 500 companies. Industries of focus include healthcare providers, educational institutions, financial institutions, and government organizations. He has designed offensive counter-defense measures for the Department of Defense and national intelligence agencies. He has also assisted organizations with safeguarding IT and physical environments from attacks perpetrated by underground cybercriminal groups. Aamir is considered an industry leader for creating detailed security architectures within complex computing environments. His areas of expertise include cyber defense, mobile application threats, malware management, Advanced Persistent Threat (APT) research, and investigations relating to the Internet’s dark security movement.
Need help? Get in touch
Play
Pearson eTextbook: What’s on the inside just might surprise you
They say you can’t judge a book by its cover. It’s the same with your students. Meet each one right where they are with an engaging, interactive, personalized learning experience that goes beyond the textbook to fit any schedule, any budget, and any lifestyle.
Digital Learning NOW
Extend your professional development and meet your students where they are with free weekly Digital Learning NOW webinars. Attend live, watch on-demand, or listen at your leisure to expand your teaching strategies. Earn digital professional development badges for attending a live session.