Description
Book SynopsisInvestigating the Cyber Breach
The Digital Forensics Guide for the Network Engineer
· Understand the realities of cybercrime and today’s attacks
· Build a digital forensics lab to test tools and methods, and gain expertise
· Take the right actions as soon as you discover a breach
· Determine the full scope of an investigation and the role you’ll play
· Properly collect, document, and preserve evidence and data
· Collect and analyze data from PCs, Macs, IoT devices, and other endpoints
· Use packet logs, NetFlow, and scanning to build timelines, understand network activity, and collect evidence
· Analyze iOS and Android devices, and understand encryption-related obstacles to investigation
· Investigate and trace email, and identify fraud or abuse
· Use social media to investigate individuals or online identities
· Gather, extract, and analyze breach data with Cisco tools and techniques
· Walk through common breaches and responses from start to finish
· Choose the right tool for each task, and explore alternatives that might also be helpful
The professional’s go-to digital forensics resource for countering attacks right now
Today, cybersecurity and networking professionals know they can’t possibly prevent every breach, but they can substantially reduce risk by quickly identifying and blocking breaches as they occur. Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer is the first comprehensive guide to doing just that.
Writing for working professionals, senior cybersecurity experts Joseph Muniz and Aamir Lakhani present up-to-the-minute techniques for hunting attackers, following their movements within networks, halting exfiltration of data and intellectual property, and collecting evidence for investigation and prosecution. You’ll learn how to make the most of today’s best open source and Cisco tools for cloning, data analytics, network and endpoint breach detection, case management, monitoring, analysis, and more.
Unlike digital forensics books focused primarily on post-attack evidence gathering, this one offers complete coverage of tracking threats, improving intelligence, rooting out dormant malware, and responding effectively to breaches underway right now.
This book is part of the Networking Technology: Security Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.
Table of ContentsIntroduction xix
Chapter 1 Digital Forensics 1
Defining Digital Forensics 3
Engaging Forensics Services 4
Reporting Crime 7
Search Warrant and Law 9
Forensic Roles 13
Forensic Job Market 15
Forensic Training 16
Summary 23
References 24
Chapter 2 Cybercrime and Defenses 25
Crime in a Digital Age 27
Exploitation 31
Adversaries 34
Cyber Law 36
Summary 39
Reference 39
Chapter 3 Building a Digital Forensics Lab 41
Desktop Virtualization 42
VMware Fusion 43
VirtualBox 44
Installing Kali Linux 44
Attack Virtual Machines 52
Cuckoo Sandbox 56
Virtualization Software for Cuckoo 58
Installing TCPdump 58
Creating a User on VirtualBox for Cuckoo 59
Binwalk 60
The Sleuth Kit 61
Cisco Snort 62
Windows Tools 67
Physical Access Controls 68
Storing Your Forensics Evidence 71
Network Access Controls 72
Jump Bag 74
Summary 74
References 75
Chapter 4 Responding to a Breach 77
Why Organizations Fail at Incident Response 78
Preparing for a Cyber Incident 80
Defining Incident Response 81
Incident Response Plan 82
Assembling Your Incident Response Team 84
When to Engage the Incident Response Team 85
Outstanding Items that Often Get Missed with Incident Response 88
Phone Tree and Contact List 88
Facilities 89
Responding to an Incident 89
Assessing Incident Severity 91
Following Notification Procedures 92
Employing Post-Incident Actions and Procedures 93
Identifying Software Used to Assist in Responding to a Breach 93
Trend Analysis Software 94
Security Analytics Reference Architectures 94
Other Software Categories 97
Summary 97
References 98
Chapter 5 Investigations 99
Pre-Investigation 100
Opening a Case 102
First Responder 105
Device Power State 110
Search and Seizure 113
Chain of Custody 118
Network Investigations 121
Forensic Reports 127
Case Summary 129
Example 129
Acquisition and Exam Preparation 129
Example 129
Findings 130
Example 130
Conclusion 130
Example 131
List of Authors 131
Example 131
Closing the Case 132
Critiquing the Case 136
Summary 139
References 139
Chapter 6 Collecting and Preserving Evidence 141
First Responder 141
Evidence 144
Autopsy 145
Authorization 147
Hard Drives 148
Connections and Devices 150
RAID 152
Volatile Data 153
DumpIt 154
LiME 154
Volatility 156
Duplication 158
dd 161
dcfldd 161
ddrescue 162
Netcat 162
Guymager 163
Compression and Splitting 164
Hashing 166
MD5 and SHA Hashing 168
Hashing Challenges 169
Data Preservation 170
Summary 172
References 172
Chapter 7 Endpoint Forensics 173
File Systems 174
Locating Data 178
Unknown Files 180
Windows Registry 182
Deleted Files 185
Windows Recycle Bin 187
Shortcuts 189
Printer Spools 190
Slack Space and Corrupt Clusters 191
Alternate Data Streams 196
Mac OS X 198
OS X Artifacts 199
Log Analysis 202
IoT Forensics 207
Summary 210
References 211
Chapter 8 Network Forensics 213
Network Protocols 214
Security Tools 215
Firewall 219
Intrusion Detection and Prevention System 219
Content Filter 219
Network Access Control 220
Packet Capturing 223
NetFlow 224
Sandbox 225
Honeypot 226
Security Information and Event Manager (SIEM) 228
Threat Analytics and Feeds 229
Security Tool Summary 229
Security Logs 229
Network Baselines 233
Symptoms of Threats 235
Reconnaissance 235
Exploitation 238
Malicious Behavior 242
Beaconing 244
Brute Force 249
Exfiltration 250
Other Indicators 254
Summary 255
References 255
Chapter 9 Mobile Forensics 257
Mobile Devices 258
Investigation Challenges 258
iOS Architecture 259
iTunes Forensics 261
iOS Snapshots 263
How to Jailbreak the iPhone 265
Android 266
PIN Bypass 270
How to Brute Force Passcodes on the Lock Screen 271
Forensics with Commercial Tools 272
Call Logs and SMS Spoofing 274
Voicemail Bypass 275
How to Find Burner Phones 276
SIM Card Cloning 278
Summary 279
Reference 279
Chapter 10 Email and Social Media 281
A Message in a Bottle 281
Email Header 283
Social Media 288
People Search 288
Google Search 293
Facebook Search 297
Summary 304
References 305
Chapter 11 Cisco Forensic Capabilities 307
Cisco Security Architecture 307
Cisco Open Source 310
Cisco Firepower 312
Cisco Advanced Malware Protection (AMP) 313
Cisco Threat Grid 319
Cisco Web Security Appliance 322
Cisco CTA 323
Meraki 324
Email Security Appliance 326
Cisco Identity Services Engine 328
Cisco Stealthwatch 331
Cisco Tetration 335
Cisco Umbrella 337
Cisco Cloudlock 342
Cisco Network Technology 343
Summary 343
Reference 343
Chapter 12 Forensic Case Studies 345
Scenario 1: Investigating Network Communication 346
Pre-engagement 347
Investigation Strategy for Network Data 348
Investigation 350
Closing the Investigation 355
Scenario 2: Using Endpoint Forensics 357
Pre-engagement 357
Investigation Strategy for Endpoints 358
Investigation 359
Potential Steps to Take 360
Closing the Investigation 362
Scenario 3: Investigating Malware 364
Pre-engagement 364
Investigation Strategy for Rogue Files 365
Investigation 365
Closing the Investigation 369
Scenario 4: Investigating Volatile Data 370
Pre-engagement 371
Investigation Strategy for Volatile Data 372
Investigation 373
Closing the Investigation 375
Scenario 5: Acting as First Responder 377
Pre-engagement 377
First Responder Strategy 377
Closing the Investigation 379
Summary 381
References 382
Chapter 13 Forensic Tools 383
Tools 384
Slowloris DDOS Tool: Chapter 2 385
Low Orbit Ion Cannon 386
VMware Fusion: Chapter 3 386
VirtualBox: Chapter 3 387
Metasploit: Chapter 3 388
Cuckoo Sandbox: Chapter 3 389
Cisco Snort: Chapter 3 389
FTK Imager: Chapters 3, 9 390
FireEye Redline: Chapter 3 391
P2 eXplorer: Chapter 3 392
PlainSight: Chapter 3 392
Sysmon: Chapter 3 393
WebUtil: Chapter 3 393
ProDiscover Basics: Chapter 3 393
Solarwinds Trend Analysis Module: Chapter 4 394
Splunk: Chapter 4 394
RSA Security Analytics: Chapter 4 395
IBM’s QRadar: Chapter 4 396
HawkeyeAP: Chapter 4 396
WinHex: Chapters 6, 7 396
OSForensics: Chapter 6 397
Mount Image Pro: Chapter 6 397
DumpIt: Chapter 6 398
LiME: Chapter 6 398
TrIDENT: Chapter 7 398
PEiD: Chapter 7 399
Lnkanalyser: Chapter 7 399
Windows File Analyzer: Chapter 7 399
LECmd: Chapter 7 401
SplViewer: Chapter 7 401
PhotoRec: Chapter 7 402
Windows Event Log: Chapter 7 402
Log Parser Studio: Chapter 7 403
LogRhythm: Chapter 8 403
Mobile Devices 404
Elcomsoft: Chapter 9 404
Cellebrite: Chapter 9 404
iPhone Backup Extractor: Chapter 9 405
iPhone Backup Browser: Chapter 9 405
Pangu: Chapter 9 405
KingoRoot Application: Chapter 9 405
Kali Linux Tools 406
Fierce: Chapter 8 406
TCPdump: Chapter 3 406
Autopsy and Autopsy with the Sleuth Kit: Chapters 3, 6 406
Wireshark: Chapter 8 406
Exiftool: Chapter 7 407
DD: Chapter 6 407
Dcfldd: Chapter 6 408
Ddrescue: Chapter 6 408
Netcat: Chapter 6 408
Volatility: Chapter 6 408
Cisco Tools 408
Cisco AMP 408
Stealthwatch: Chapter 8 409
Cisco WebEx: Chapter 4 409
Snort: Chapter 11 409
ClamAV: Chapter 10 409
Razorback: Chapter 10 410
Daemonlogger: Chapter 10 410
Moflow Framework: Chapter 10 410
Firepower: Chapter 10 410
Threat Grid: Chapter 10 410
WSA: Chapter 10 410
Meraki: Chapter 10 411
Email Security: Chapter 10 411
ISE: Chapter 10 411
Cisco Tetration: Chapter 10 411
Umbrella: Chapter 10 411
Norton ConnectSafe: No Chapter 412
Cloudlock: Chapter 10 412
Forensic Software Packages 413
FTK Toolkit: Chapter 3 413
X-Ways Forensics: Chapter 3 413
OSforensics: Chapter 6 414
EnCase: Chapter 7 414
Digital Forensics Framework (DFF): Chapter 7 414
Useful Websites 414
Shodan: Chapter 1 414
Wayback Machine: Chapter 3 415
Robot.txt files: Chapter 2 415
Hidden Wiki: Chapter 2 415
NIST: Chapter 4 416
CVE: Chapter 4 416
Exploit-DB: Chapter 4 416
Pastebin: Chapters 4, 10 416
University of Pennsylvania Chain of Custody Form: Chapter 6 417
List of File Signatures: Chapter 9 417
Windows Registry Forensics Wiki: Chapter 7 417
Mac OS Forensics Wiki: Chapter 7 417
Miscellaneous Sites 417
Searchable FCC ID Database 418
Service Name and Transport Protocol Port Number Registry 418
NetFlow Version 9 Flow-Record Format 418
NMAP 418
Pwnable 418
Embedded Security CTF 419
CTF Learn 419
Reversing.Kr 419
Hax Tor 419
W3Challs 419
RingZer0 Team Online CTF 420
Hellbound Hackers 420
Over the Wire 420
Hack This Site 420
VulnHub 420
Application Security Challenge 421
iOS Technology Overview 421
Summary 421
9781587145025 TOC 1/10/2017
