Index

As this ebook edition doesn't have fixed pagination, the page numbers below are hyperlinked for reference only, based on the printed edition of this book.

A

AccessData Forensic Toolkit 249

acquisition, host-based evidence

live acquisition 119

local 119

offline acquisition 120

remote 119

Address Resolution Protocol (ARP) 55

AD Forest Recovery

reference link 358

administrative shares, problems

reference link 356

Advanced Forensics File Format (AFF4) 164

Advanced Persistent Threat (APT) 76, 431, 465

characteristics 431, 432

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) 21, 82, 438

adversaries 195

AFF4 Imager 166

After-Action Review (AAR) 44

AlienVault Open Threat Exchange (OTX) 447

Amazon Web Services (AWS) 88, 141

Anonymous 431

Antimalware Scan Interface (AMSI) 356

antivirus scanning 406

App.any 419

application servers 99

APT28 440-442

Arkime 208, 388-390

packet captures, analyzing 208-212

resetting 213

Asset 88

authentication servers 99

automated analysis 414

Intezer sandbox 414-419

Autopsy 63, 250-454

case, examining 261-263

case, starting 250-253

evidence, adding 253-258

installing 250

navigating 259-261

Autopsy, case

attached devices 267, 268

deleted files 269

email 266

keyword, searching 270-272

timeline analysis 272-274

web artifacts 264-266

B

backdoor 403

Base64-encoded command 369

Base64 encoding 424

Base64 XOR recipe 384

Belkasoft’s RAM Capturer 122

boot or logon scripts 438

botnet 403

business continuity (BC) 6

Business Continuity Plan (BCP) 357

Business email compromise (BEC) 18

Business Resumption Plan (BRP) 357

business unit (BU) 17

C

CERT Coordination Center (CERT/CC) 8, 52

chain of custody 56-59

electronically 56

paper and pen 56

chief executive officer (CEO) 10

chief information security officer (CISO) 10

chief security officer (CSO) 10

CIA triad 33

availability 33

confidentiality 33

integrity 33

ClamAV 419

download link 419

setting up 420, 421

clients 143

cloud sandbox 405

Cobalt Strike 301

Cobalt Strike Base64-encoded script 381

Cobalt Strike PowerShell Event Log entry 380

Cold Disk Quick Response (CDQR) tool 308

collection procedures, host-based evidence 120, 121

Command and Control (C2) 6, 35, 77, 385, 406

Command and Scripting Interpreter: PowerShell [T1059.001] technique 347

command-line tools

packet captures, analyzing 201, 202

Comma-Separated Value (CSV) 275, 446

Common Attack Pattern Enumeration and Classification Identification (CAPEC) 439

communications 35

Communications Assistance for Law Enforcement Act (CALEA) 50

Computer Aided INvestigative Environment (CAINE) 65, 185

Computer Analysis and Response Team (CART) 52

computer emergency response team (CERT) 8

Computer Fraud and Abuse Act (CFAA) 50

Computer Security Incident Response Team (CSIRT) 8, 47, 76, 286

issues, addressing 286, 287

prepping 354, 355

containment strategies

incorporating 40

network containment 41

perimeter containment 41

physical containment 40

virtual containment 41, 42

Content-Addressable Memory (CAM) 98

Conti

reference link 346

Conti ransomware case study 342

background 343, 344

exfiltration 352

impact 352

operational disclosure 344-346

tactics and techniques 346

Coordinated Universal Time (UTC) 20

crisis communications

external communications 39

incorporating 37, 38

internal communications 38

public notification 39

CryptoLocker 340

CryptoWall 340

CSI Linux

URL 66

CSIRT analyst(s) 11

CSIRT engagement models 28

fusion center 31, 32

Security Operations Center (SOC) escalation 28-30

SOC integration model 30

CSIRT function 27

CSIRT incident

investigating 32

CSIRT incident, methods

impact, identifying 32, 33

incident attribution 34

root cause, identifying 33, 34

scope, identifying 32

CSIRT senior analyst(s) 10, 11

CSIRT team 9

core team 10, 11

external resources 14, 15

organizational support personnel 13

technical support personnel 11, 12

CSIRT war room 34

limited access 35

note sharing 34

team displays 34

whiteboards 35

workspace 34

CTB-Locker 340

CyberChef 369

interface 370

cybercriminals 431

cyber espionage 431

cyber kill chain 83-86

Actions on Objectives phase 86

Command and Control phase 86

delivery phase 85

exploitation phase 86

installation phase 86

reconnaissance phase 84, 85

weaponization phase 85

Cybersecurity and Infrastructure Security Agency (CISA) 346

cyber threat OSINT

formats 437

Cyclical Redundancy Check (CRC) 164

CyLR 151

CyLR response tool 133, 134

reference link 133

D

Data Encrypted for Impact [T1486] 352

dd command 166

dead imaging 172

with FTK Imager 173-181

defined point analysis 410

demilitarized zone (DMZ) 22

Denial-of-Service (DoS) 7, 50, 102, 403

Department of Defense Cyber Crime Center (DC3) 189

detailed analysis, Windows Event Logs

Event Log Explorer 301-307

Kibana 308-311

Skadi 308-311

DHCP servers 99

diamond model 87-89

attribution 93

axioms 90, 91

combining, with kill chain intrusion analysis 92

Digital Evidence and Forensic Toolkit (DEFT) Zero 64

digital forensics

history 52, 53

in incident response 51

law and regulations 49, 50

role, in IR process 7

rules of evidence 50, 51

digital forensics lab 61

jump kits 68-70

physical security 61

tools 61

digital forensics lab, tools

hardware 61-63

Linux OS forensic tools 64-67

software 63

digital forensics process 53, 54

analysis 60

collection element 55

examination 60

identification 54

presentation 60

preservation 54

digital forensics process, collection element

chain of custody 56-59

evidence handling 55

Digital Forensics Research Workshop (DFRWS) 53

digital forensic techniques

for threat hunting 476

disassembly 406

disaster recovery (DR) 6

Distributed Denial-of-Service (DDoS) attack 33, 403

domain controllers 99

DoublePulsar 341

Download-as-a-Service (DaaS) 342

downloader 403

Dridex 85

dropper 342

Dynamic Host Configuration Protocol (DHCP) 99

dynamic malware analysis 410

advantages 410

automated analysis 414

defined point analysis 410

Process Explorer 411, 412

Process Spawn Control 412-414

runtime behavior analysis 410

E

Economic Espionage Act of 1996 (EEA) 50

Elasticsearch 198

Elastic Stack 199, 290, 291

Electronic Communications Privacy Act (ECPA) 50

email 266

email carving 249

EnCase 63

EnCase evidence files 164

EnCase Imager 166

Endpoint Detection and Response (EDR) 9, 37, 79, 142, 465

disadvantage 143

for threat hunting 477-479

functions 142, 143

enterprise incident response

challenges 141, 142

Entity 88

eradication 42

strategies 42, 43

escalation procedures 20-22

disadvantages 21

guidelines, for CSIRT to address issue 20, 21

ET MALWARE Observed Qbot Style SSL Certificate 386

Event Log Explorer 301-307

events 87

evidence handling 55

guidance 56

tenets 55

Exfiltration Over Web Service [T1567] 352

Expert Witness Format (EWF) 164

external communications 39

external vendors 15

Exterro’s FTK Imager 122

F

Federal Bureau of Investigation (FBI) 14, 52, 250

file structure view 249

file wipers 403

Find, Fix, Track, Target, Engage, Assess (F2T2EA) 83

fingerprinting 406

fire department 27

firewall 98, 101

analyzing 197

connection log 101, 102

remote access logs 102

Web Application Firewall (WAF) 102

FLARE 405

reference link 405

forensic applications

Autopsy 63

EnCase 63

Forensic Toolkit (FTK) 63

X-Ways Forensics 63

forensic imaging 161

image files, types 164

logical volume, versus physical volume 162, 163

SSD versus HDD 164-166

staging drive, preparing 167-171

techniques 172

tools 166, 167

versus forensic copying 162

write blockers, using 171, 172

forensic imaging, techniques

dead imaging 172

Linux imaging 185-191

live imaging 182, 185

virtual systems 183, 184

forensic platforms 248

features 249, 250

forensic report 324-328

language 333, 334

note-taking 329-333

preparing 329

forensic science

overview 47, 48

Forensic Toolkit (FTK) 63, 167

FTK Imager 123-126, 166

URL 123

used, for dead imaging 173-181

FTK obtaining protected files 133

Full Disk Encryption (FDE) 163

functional digital forensic investigation methodology 78, 79

event deconfliction 82

event normalization 81, 82

evidence, collecting 80

identification and scoping 79

initial event analysis 80

kill chain analysis 82

preliminary correlation 81

reporting 83

second correlation 82

timeline 82

fusion center 31, 32

G

Gameover ZeuS 340

General Data Protection Regulation (GDPR) 37

Global Regular Expression Print (GREP) 243

Gold Image 357

Google Rapid Response (GRR) 164

H

hacktivism 431

hard disk drive (HDD)

versus solid-state drive (SSD) 164-166

Health Insurance Portability and Accountability Act (HIPAA) 13, 38

Heating, Ventilation, and Air Conditioning (HVAC) 39

hex viewer 249

high availability (HA) 163

High Technology Crime Investigation Association (HTCIA)

URL 14

host-based evidence

acquiring 117

acquisition 119, 120

collection procedures 120, 121

non-volatile evidence, acquiring 132

preparation 117, 118

volatile memory, acquiring 122

volatility, order of 118

host intrusion prevention system (HIPS) 18

Human Intelligence (HUMINT) 431

Hunt Maturity 0 (HM0) 471

Hybrid Analysis 419, 447

hypothesis

crafting 473

I

image files

types 164

Imagery Intelligence (IMINT) 431

image viewer 249

incident classification 16

high-level incident 16

low-level incident 17

moderate-level incident 17

Incident Commander (IC) 35

incident investigation analysis

attribution analysis 78

detection analysis 77

intrusion analysis 78

preliminary analysis 77

root-cause analysis 77

types 76-78

incident report

audience 319, 320

documentation, overview 316

documentation, types 317, 318

documenting, considerations 316, 317

executive summary 320, 321

investigation 321-324

note-taking 329-333

preparing 329

sources 318

incident response 450

Incident Response Platform (IRP) 36

incident response team

communications 35

CSIRT incident, investigating 32

CSIRT war room 34

engaging 27, 28

rotating staff 35

Indicators of Attack (IOAs) 432, 470

working with 447-450

Indicators of Compromise (IOC) 36, 79, 432, 467

atomic indicators 80

behavioral 81

computational indicators 80

working with 447-450

information security officer (ISO) 10

information-stealing malware 403

information technology (IT) 3

InfraGard

reference link 14

Inhibit System Recovery [T1490] 352

internal communications 38

International Organization on Computer Evidence (IOCE) 52

Internet Engineering Task Force (IETF) 55

Internet Information Services (IIS) 81

Internet Protocol (IP) 6

Internet Protocol Version 4 (IPv4) 218

internet service provider (ISP) 5

Intezer Analyze sandbox 414

code analysis 418

file upload 414

malware conviction 416

malware IoCs 419

metadata 416

MITRE ATT&CK techniques 419

reference link 414

strings 418

intrusion analysis

case study 74-76

diamond model 87-90

Intrusion Detection System (IDS) 36, 75, 98, 291

Intrusion Prevention Systems (IPSs) 37, 98

IR charter 8

constituency, defining 8

mission statement, creating 8

senior leadership support, obtaining 8

service delivery, determining 9

IR coordinator 10

IR framework 7

CSIRT team 9

IR charter 8, 9

testing 22, 23

IR plan 15

contact list 15

CSIRT personnel 15

expanded services catalog 15

internal communication plan 16

IR charter 15

maintenance 16

training 16

IR playbook/handbook 17

analysis 18

containment 18

detection 18

eradication 18

escalation process 20-22

post-incident activity 19

preparation 18

recovery 19

social engineering 19

IR process 4

digital forensics role 7

phases 5

IR process, phases

analysis 5

containment 6

detection 5

eradication and recovery 6

post-incident activity 6

preparation 5

IT security engineer/analyst(s) 11

J

Joe Sandbox 419

K

Kibana 308-311

Kibana platform 308

keylogger 403

Kibana 199

kill chain intrusion analysis

diamond model, combining with 92

Komitet Gosudarstvennoy Bezopasnosti (KGB) 76

Kroll Artifact Parser and Extractor (KAPE) 135-139

reference link 135

L

lateral movement techniques

investigating 390-395

law enforcement 14

Lawrence Berkeley Laboratory (LBL) 74

line of business (LOB) 15

Linux imaging 185-191

live imaging

pre-imaging checks 182, 183

Local Administrator Password Solution (LAPS) 359

local sandbox 404, 405

Local Security Authority Subsystem Service (LSASS) 349

Locard’s exchange principle 48

Locky 341

log file analysis 197

filtered log review 197

log file correlation 197

log file data mining 197

log file searching 197

manual log review 197

logical volume

versus physical volume 162, 163

log management 285-287

logs management 285-287

Logstash 199

Loki rules 459-462

M

macro code plaintext 367

macro file text output 368

macro obfuscated code 369

macro obfuscation 367

Magnet Forensics

URL 266

Malicious Links [T1566.002] 346

Maltego 454-459

download link 454

malware analysis

challenges 402

fully automated analysis 400

interactive behavior analysis 401

manual code reversing 401

overview 400

static property analysis 401

stuxnet malware analysis 402

MalwareBazaar 447

malware classification 402

backdoor 403

botnet 403

downloader 403

file wipers 403

information-stealing malware 403

keylogger 403

ransomware 403

rootkit 403

Trojan 403

virus 403

worm 403

malware detection tool 36

malware handling 407

malware sandbox

cloud sandbox 405

local sandbox 404, 405

setting up 404

Managed Detection and Response (MDR) 28

Managed Security Service Provider (MSSP) 28

Managed Service Providers (MSPs) 39

Mandiant FLARE v 2.0 405

Master Boot Record (MBR) 162, 403

Master File Table (MFT) 118, 269

analysis 274, 275

memory analysis

overview 226

tools 228

with Strings 242

with Volatility 228

memory analysis methodology 226

network connections methodology 228

SANS six-part methodology 227

Message Digest 5 (MD5) 164

metadata 249

Metropolitan Area Network (MAN) 98

Mimikatz 378, 379

Mimikatz tool

usage 442

MITRE ATT&CK framework 438-446, 473, 474

MITRE CAPEC 439

multi-factor authentication (MFA) 354

N

National Institute of Standards and Technology (NIST) 4, 286

NetFlow 102

analyzing 199, 200

configuring 104

diagram 103

east-west traffic 103

north-south traffic 103

NetFlow Collector 103

NetFlow record

components 200

network access 359

network connections methodology 228

network containment 41

network devices 98

network evidence

collection 113, 115

command and control 196

configuration 101

data exfiltration 196

initial infection 196

lateral movement 196

network diagram 100, 101

overview 98, 195, 196

preparation 99

reconnaissance and scanning behavior 196

network IDSs/IPSs 99

Network Interface Card (NIC) 98

NetworkMiner 206

packet captures, analyzing 206-208

URL 206

network segmentation 354

network tap 104

Network Time Protocol (NTP) 273

non-volatile data 118

non-volatile evidence

acquiring 132

acquiring, with CyLR response tool 133, 134

acquiring, with FTK obtaining protected files 133

acquiring, with KAPE 135-139

O

Obfuscated Files or Information [T1027] 348

Object Linking and Embedding (OLE) 364

Oledump.py macro identification 366

Oledump.py output 365

OpenIOC 437

Open Source Intelligence (OSINT) 435

OpenText EnCase 249

Open Threat Exchange (OTX) 437

Operational Security (OPSEC) 414

operational threat intelligence 432

organizational support personnel 13

corporate security 14

facilities 14

human resources (HR) 13

legal 13

marketing/communications 13

OS Credential Dumping

LSASS Memory [T1003.001] 349

P

packer analysis 406

packet capture 104

analyzing 200

analyzing, with Arkime 208-212

analyzing, with command-line tools 201, 202

analyzing, with NetworkMiner 206-208

analyzing, with Real Intelligence Threat Analytics 202-206

analyzing, with Wireshark 213-222

performing, with RawCap 108-110

performing, with tcpdump 104-107

performing, with WinPcap 108

performing, with Wireshark 110-112

Payment Card Industry Data Security Standard (PCI-DSS) 13, 80, 288

perimeter containment 41

Persistence tactic 438

persistent adversary relationship 91

PEStudio 407

download link 407

indicators view 409

metadata view 408

strings 410

physical containment 41

physical volume

versus logical volume 162, 163

PING (Packet Internet Groper) command 106

Plug and Play (PnP) 280

point of sale (POS) 432

post-exploitation frameworks

investigating 379-385

post-incident activity 4, 42

strategies 44, 45

PowerShell

usage, restricting 356

PowerSploit 301

Prefetch analysis 276, 277

printed circuit board (PCB) 165

proactive services 9

ProcDump 376-378

Process Environment Block (PEB) 236

Process Explorer 411, 412

download link 411

Process Injection: Dynamic-link Library Injection [T1055.001] 348

Process Spawn Control 412-414

reference link 412

Programmable Logic Controllers (PLCs) 401

proxy logs

analyzing 197

PsActiveProcessHead 232

public notification 39

R

RAM Capturer 130, 131

ransomware 403

credential access and theft, discovering 376

CryptoLocker 340

CryptoWall 340

CTB-Locker 340

history 339, 340

Locky 341

Ryuk 342

SamSam 341

TeslaCrypt 341

WannaCry 341

Ransomware-as-a-Service (RaaS) 341

ransomware attack

CSIRT, prepping 354, 355

eradication 355

preparing 353

recovery 355

resiliency 353

ransomware attacks

execution 373-376

initial access 363-372

ransomware, credential access and theft

Mimikatz 378, 379

ProcDump 376-378

ransomware incident

containment 355

eradication 357

recovery operations 357

ransomware incident, containment

administrative shares, disabling 356

firewall rules 355

PowerShell use, restricting 356

remote access, restricting 357

SMB communication, disabling 356

ransomware incident, recovery

enhanced logging 359, 360

enterprise password reset 358, 359

recovery network architecture 358

remote access MFA 359

ransomware resilience strategy

endpoint detection and response 353

multi-factor authentication 354

network topology 354

secure backups 354

system hygiene 353

ransomware threat actors

C2 traffic 385

ransomware threat actors, C2 traffic

Arkime 388-390

RITA 387, 388

Security Onion 386

RawCap 108

used, for performing packet capture 108-110

raw images 164

RDP logon entry 393

reactive services 9

Real Intelligence Threat Analytics (RITA) 202, 387, 388

packet captures, analyzing 202-206

recovery 42

strategies 43, 44

Regional Computer Forensic Laboratory (RCFL) 53

Registry analysis 277-282

REMnux 67

Remote Access Trojan (RAT) 403

Remote Desktop Protocol (RDP) 21, 81, 341

Remote Desktop Services (RDS) 40

Remote Services

Remote Desktop Protocol [T1021.001] 351

SMB/Windows Admin Shares [T1021.002] 351

root cause analysis (RCA) 357

rootkit 403

rotating staff 35

routers 98

runtime behavior analysis 410

Ryuk 342

S

SamSam 341

SANS six-part methodology 227

Scientific Working Group on Digital Evidence (SWGDE) 52

SDB 187

Secure File Transfer Protocol (SFTP) 352

Secure Hash Algorithm 1 (SHA1) 181

Secure Shell (SSH) 60, 196

Security Accounts Manager (SAM) 277

Security Information and Event Management (SIEM) 5, 32, 197

Elastic Stack 290, 291

reference link 289

Security Onion 291, 292

Splunk platform 290

tasks, performing related to incident response 288, 289

tools 198

working with 287, 288

Security Onion 291, 292, 386

Security Operations Center (SOC) 11, 28, 436

escalation 28-30

issues 29

Security Orchestration and Automation (SOA) 36

Security Orchestration, Automation, and Response (SOAR) 32, 36

Security Technical Implementation Guides (STIGs) 353

Server Message Block (SMB) 21, 40, 293, 351

language 324

Service Stop [T1489] 352

Shellcode analysis 385

Shellcode output 384

SIFT workstation

reference link 66

Signals Intelligence (SIGINT) 431

Skadi platform 308-311

SMB logon event log entry 391

sneaker-net approach 154

SOAR solutions

alert prioritization 37

automation 37

collaboration 37

reporting 37

threat intelligence enrichment 37

SOC integration model 30, 31

Software Engineering Institute (SEI) 8

solid-state drive (SSD) 269

versus hard disk drive (HDD) 164-166

Spear Phishing Attachment attack [T1566.001] 363

Spear Phishing campaigns [T1566.001] 346

Special Publication (SP) 4

Splunk platform 290

staging drive

preparing 167-171

static malware analysis

antivirus scanning 406

disadvantages 407

disassembly 406

file format 406

fingerprinting 406

packer analysis 406

string extraction 406

static properties analysis

PEStudio 407-410

Storage Area Networks (SANs) 354

Strategic Defense Initiative (SDI) 75

strategic threat intelligence 433

string extraction 406

Strings

installing 243

memory analysis 242

reference link 243

searches 243

Structured Query Language (SQL) 12

Structured Threat Information Expression (STIX) 437

stuxnet malware analysis 402

Switched Port Analyzer (SPAN) port

configuring 104

switches 98

System Administration, Network, and Security (SANS) 16

System Binary Proxy Execution: Rundll32 [T1218.011] 347

system storage

Autopsy 250

forensic platforms 248-250

T

T1037 438

tabletop exercise (TTX) 355

tactical threat intelligence

IOAs 432

IOCs 432

TTPs 432

tactics 438

tactics and techniques, Conti

Command and Control 351, 352

credential access 349, 350

defense evasion 348

discovery 350

execution 347, 348

initial access 346

lateral movement 351

privilege escalation 348

Tactics, Techniques, and Procedures (TTPs) 76, 432, 468

tcpdump 104

URL 104

used, for performing packet capture 104-107

technical report statements

categories 333

technical support personnel 11, 12

application support 12

desktop support 12

help desk 12

network architect/administrator 12

server administrator 12

TeslaCrypt 341

text strings, YARA rule

using, with modifiers 423

The Onion Router (Tor) 340

The SANS Investigative Forensic Toolkit (SIFT) 66

threat hunt cycle 466

event, initiating 466, 467

existing hypothesis, enriching 470

forensic techniques, applying 469

new indicators, identifying 469

threat intelligence, using 468, 469

working hypothesis, creating 468

threat hunting

digital forensic techniques 476

overview 465

with EDR tools 477-479

threat hunting maturity model 471, 472

HM0 - Initial 472

HM1 - Minimal 472

HM2 - Procedural 472

HM3 - Innovative 472

HM4 - Leading 472

threat hunt plan 474, 475

evidence sources 474

hypothesis 474

MITRE ATT&CK tactic(s) 474

scope 475

threat intelligence 474

timeframe 475

tools 474

threat hunt report 470

executive summary 470

findings 470, 471

forensic report 470

recommendations 471

threat hunt plan 470

threat intelligence 450

Autopsy 451-454

commercial sourcing 436

consideration 430

cycle 435

internally developed sources 436

Loki rules 459-462

Maltego 454-459

methodology 434, 435

open source intelligence 437

overview 429-432

Pyramid of Pain 433, 434

sourcing 436

threat actor groups 431

types 432

YARA rules 459-462

Threat Intelligence Platform (TIP) 36

threat intelligence (TI) 15

threat intelligence (TI), types

operational threat intelligence 432

strategic threat intelligence 433

tactical threat intelligence 432

TRIM 165

Trojan 403

Trusted Automated Exchange of Intelligence Information (TAXII) 437

U

United States Department of Homeland Security (US DHS) 8

V

Velocidex’s WinPmem 122

Velociraptor 143

scenarios 149

setup 144

URL 143

virtual file system (VFS) 152, 153

Velociraptor evidence collection 149, 154-159

with Windows Command Line 149-151

Velociraptor server 144-146

Velociraptor Windows collector 147, 148

Virtual Address Descriptor (VAD) 236

Visual Basic for Applications (VBA) 363

Visual Basic Scripting (VBS) 80

virtual containment 41, 42

virtual file system (VFS) 152

virtualization tools 166

Virtual Local Area Networks (VLANs) 42, 358

clean VLAN 358

infected VLAN 358

staging 358

virtual machine (VM) 183

Virtual Memory (VMEM) file 132

Virtual Network Computing (VNC) 351

Virtual Private Network (VPN) 39, 102

virtual systems 183-185

virus 403

VirusTotal 447

VirusTotal analysis 372

VirusTotal transform API 455

Visual Basic for Applications (VBA) 86

Visual Studio Code 365

VMware Suspended State (VMSS) file 132

Vocabulary for Event Recording and Incident Sharing (VERIS) 437

volatile data 118

volatile memory

acquiring 122

acquiring, FTK Imager used 123-126

acquiring, RAM Capturer used 130, 131

acquiring, virtual systems used 131, 132

acquiring, WinPmem used 126-129

Volatility

commands 231

for memory analysis 228

image information 231, 232

installing 229, 230

reference link 229

versions 229

Volatility, process analysis 232

DLL list 234

Dumpfiles 239-241

LDR modules 236, 237

Malfind 237, 238

process list 232, 233

process scan 233

process tree 234

windows.handles plugin 235, 236

Volatility Workbench 241, 242

download link 241

Vulnerability Management Systems (VMSs) 37

W

WannaCry 341

Web Application Firewall (WAF) 102

web artifacts 249, 264-266

web history 264

web proxy servers 99, 102

Wide Area Network (WAN) 98

windows.dumpfiles plugin 239

Windows Event Logs 292-296

acquisition 296-298

analyzing 296

detailed analysis 301

triage tool 298-301

types 294

types, for responders 295

windows.handles plugin 235

windows.ldrmodules plugin 236

Windows Logs 292

windows.malfind plugin 237

windows.pslist plugin 232

windows.psscan plugin 233

windows.pstree plugin 234

WinPcap

URL 108

WinPmem 126-129, 151

reference link 126

Wireshark 110, 213

packet captures, analyzing 213-222

resources 213

URL 213

used, for performing packet capture 110-112

worm 403

write blockers

using 171, 172

X

X-Ways Forensics 63, 250

Y

YARA rules 459-462

conditions 424

metadata 423

reference link 462

rule name 423

strings 423

text strings 423

YARA (Yet Another Ridiculous Acronym) 421-424

reference link 422

rules 422

scanning tool 422

YarGen 424, 425

download link 424

rule generator 424-427

Z

Zeek

URL 203
