Digital Forensics and Incident Response - Second Edition: Incident response techniques and procedures to respond to modern cyber threats, 2nd Edition
About this ebook
Build your organization’s cyber defense system by effectively implementing digital forensics and incident management techniques
Key Features
- Create a solid incident response framework and manage cyber incidents effectively
- Perform malware analysis for effective incident response
- Explore real-life scenarios that effectively use threat intelligence and modeling techniques
An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing your organization's infrastructure from attacks. This updated second edition will help you perform cutting-edge digital forensic activities and incident response.
After focusing on the fundamentals of incident response that are critical to any information security team, you’ll move on to exploring the incident response framework. From understanding its importance to creating a swift and effective response to security incidents, the book will guide you with the help of useful examples. You’ll later get up to speed with digital forensic techniques, from acquiring evidence and examining volatile memory through to hard drive examination and network-based evidence. As you progress, you’ll discover the role that threat intelligence plays in the incident response process. You’ll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis, and demonstrate how you can proactively use your digital forensic skills in threat hunting.
By the end of this book, you’ll have learned how to efficiently investigate and report unwanted security breaches and incidents in your organization.
What you will learn
- Create and deploy an incident response capability within your own organization
- Perform proper evidence acquisition and handling
- Analyze the evidence collected and determine the root cause of a security incident
- Become well-versed with memory and log analysis
- Integrate digital forensic techniques and procedures into the overall incident response process
- Understand the different techniques for threat hunting
- Write effective incident reports that document the key findings of your analysis
This book is for cybersecurity and information security professionals who want to implement digital forensics and incident response in their organization. You will also find the book helpful if you are new to the concept of digital forensics and are looking to get started with the fundamentals. A basic understanding of operating systems and some knowledge of networking fundamentals are required to get started with this book.
Digital Forensics and Incident Response
Second Edition
Incident response techniques and procedures
to respond to modern cyber threats
Gerard Johansen
BIRMINGHAM - MUMBAI
Digital Forensics and Incident Response Second Edition
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rahul Nair
Content Development Editor: Ronn Kurien
Senior Editor: Richard Brookes-Bland
Technical Editor: Dinesh Pawar
Copy Editor: Safis Editing
Project Coordinator: Anish Daniel
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Arvindkumar Gupta
First published: July 2017
Second edition: June 2020
Production reference: 2050620
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-83864-900-5
www.packt.com
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Fully searchable for easy access to vital information
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Contributors
About the author
Gerard Johansen is an incident response professional with over 15 years' experience in areas such as penetration testing, vulnerability management, threat assessment modeling, and incident response. Beginning his information security career as a cyber crime investigator, he has built on that experience while working as a consultant and security analyst for clients and organizations ranging from healthcare to finance. Gerard is a graduate of Norwich University's Master of Science in Information Assurance program and a certified information systems security professional.
He is currently employed as a senior incident response consultant with a large technology company, focusing on incident detection, response, and threat intelligence integration.
I would like to thank my family for their support in this endeavor. Thank you also to my teammates, from whom I have learned a great deal. Finally, thank you to the staff at Packt Publishing for their tireless efforts in publishing this volume.
About the reviewer
Kyle Anderson is a graduate of the Joint Cyber Analysis Course (JCAC), and holds a Master of Science (M.S.) degree in digital forensics from Champlain College and a Bachelor of Arts degree in theater from Idaho State University. Kyle is currently serving in the United States Navy, his main points of focus being incident response, digital forensics, and malware analysis. As a DF and IR team lead, he has guided analysis of multiple incidents, including cases involving sensitive data spillage, insider threats, and malicious compromise. He was responsible for creating and providing forensics and malware analysis training to a wide variety of audiences, including Navy red team members, junior forensic and malware analysts, and other government employees.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents
Title Page
Copyright and Credits
Digital Forensics and Incident Response Second Edition
About Packt
Why subscribe?
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Section 1: Foundations of Incident Response and Digital Forensics
Understanding Incident Response
The incident response process
The role of digital forensics
The incident response framework
The incident response charter
CSIRT
CSIRT core team
Technical support personnel
Organizational support personnel
External resources
The incident response plan
Incident classification
The incident response playbook
Escalation procedures
Testing the incident response framework
Summary
Questions
Further reading
Managing Cyber Incidents
Engaging the incident response team
CSIRT models
Security Operations Center escalation
SOC and CSIRT combined
CSIRT fusion center
The war room
Communications
Staff rotation
Incorporating crisis communications
Internal communications
External communications
Public notification
Investigating incidents
Incorporating containment strategies
Getting back to normal – eradication and recovery
Eradication strategies
Recovery strategies
Summary
Questions
Further reading
Fundamentals of Digital Forensics
Legal aspects
Laws and regulations
Rules of evidence
Digital forensics fundamentals
A brief history
The digital forensics process
Identification
Preservation
Collection
Proper evidence handling
Chain of custody
Examination
Analysis
Presentation
Digital forensics lab
Physical security
Tools
Hardware
Software
Linux forensic tools
Jump kits
Summary
Questions
Further reading
Section 2: Evidence Acquisition
Collecting Network Evidence
An overview of network evidence
Preparation
Network diagram
Configuration
Firewalls and proxy logs
Firewalls
Web proxy server
NetFlow
Packet captures
tcpdump
WinPcap and RawCap
Wireshark
Evidence collection
Summary
Questions
Further reading
Acquiring Host-Based Evidence
Preparation
Order of Volatility
Evidence acquisition
Evidence collection procedures
Acquiring volatile memory
Local acquisition
FTK Imager
WinPmem
RAM Capturer
Remote acquisition
WinPmem
Virtual machines
Acquiring non-volatile evidence
CyLR.exe
Checking for encryption
Summary
Questions
Further reading
Forensic Imaging
Understanding forensic imaging
Imaging tools
Preparing a stage drive
Using write blockers
Imaging techniques
Dead imaging
Imaging using FTK Imager
Live imaging
Remote memory acquisition
WinPmem
F-Response
Virtual machines
Linux imaging
Summary
Questions
Further reading
Section 3: Analyzing Evidence
Analyzing Network Evidence
Network evidence overview
Analyzing firewall and proxy logs
DNS blacklists
SIEM tools
The Elastic Stack
Analyzing NetFlow
Analyzing packet captures
Command-line tools
Moloch
Wireshark
Summary
Questions
Further reading
Analyzing System Memory
Memory analysis overview
Memory analysis methodology
SANS six-part methodology
Network connections methodology
Memory analysis tools
Memory analysis with Redline
Redline analysis process
Redline process analysis
Memory analysis with Volatility
Installing Volatility
Working with Volatility
Volatility image information
Volatility process analysis
Process list
Process scan
Process tree
DLL list
The handles plugin
LDR modules
Process xview
Volatility network analysis
connscan
Volatility evidence extraction
Memory dump
DLL file dump
Executable dump
Memory analysis with strings
Installing Strings
IP address search
HTTP search
Summary
Questions
Further reading
Analyzing System Storage
Forensic platforms
Autopsy
Installing Autopsy
Opening a case
Navigating Autopsy
Examining a case
Web artifacts
Attached devices
Deleted files
Keyword searches
Timeline analysis
MFT analysis
Registry analysis
Summary
Questions
Further reading
Analyzing Log Files
Logging and log management
Working with event management systems
Security Onion
The Elastic Stack
Understanding Windows logs
Analyzing Windows event logs
Acquisition
Triage
Analysis
Event Log Explorer
Analyzing logs with Skadi
Summary
Questions
Further reading
Writing the Incident Report
Documentation overview
What to document
Types of documentation
Sources
Audience
Incident tracking
Fast Incident Response
Written reports
Executive summary
Incident report
Forensic report
Summary
Questions
Further reading
Section 4: Specialist Topics
Malware Analysis for Incident Response
Malware classifications
Malware analysis overview
Static analysis
Dynamic analysis
Analyzing malware
Static analysis
ClamAV
PeStudio
REMnux
YARA
Dynamic analysis
Malware sandbox
Process Explorer
Process Spawn Control
Cuckoo Sandbox
Summary
Questions
Further reading
Leveraging Threat Intelligence
Understanding threat intelligence
Threat intelligence types
Pyramid of pain
Threat intelligence methodology
Threat intelligence direction
Cyber kill chain
Diamond model
Threat intelligence sources
Internally developed sources
Commercial sourcing
Open source
Threat intelligence platforms
MISP threat sharing
Using threat intelligence
Proactive threat intelligence
Reactive threat intelligence
Autopsy
Adding IOCs to Redline
Yara and Loki
Summary
Questions
Further reading
Hunting for Threats
The threat hunting maturity model
Threat hunt cycle
Initiating event
Creating a working hypothesis
Leveraging threat intelligence
Applying forensic techniques
Identifying new indicators
Enriching the existing hypothesis
MITRE ATT&CK
Threat hunt planning
Threat hunt reporting
Summary
Questions
Further reading
Appendix
Assessment
Chapter 1: Understanding Incident Response
Chapter 2: Managing Cyber Incidents
Chapter 3: Fundamentals of Digital Forensics
Chapter 4: Collecting Network Evidence
Chapter 5: Acquiring Host-Based Evidence
Chapter 6: Forensic Imaging
Chapter 7: Analyzing Network Evidence
Chapter 8: Analyzing System Memory
Chapter 9: Analyzing System Storage
Chapter 10: Analyzing Log Files
Chapter 11: Writing the Incident Report
Chapter 12: Malware Analysis for Incident Response
Chapter 13: Leveraging Threat Intelligence
Chapter 14: Hunting for Threats
Other Books You May Enjoy
Leave a review - let other readers know what you think
Preface
Digital Forensics and Incident Response – Second Edition provides an overview of the technical and operational aspects of incident response and digital forensics. It starts with an examination of the proactive actions to take to ensure that an organization is ready for an incident. Next, the integration of digital forensic concepts and techniques, and how they relate to incident response, is addressed. Moving from concepts to actual techniques, you will be shown how to acquire evidence from a variety of sources, including disks, memory, and networks. You will then be guided through examining those sources of evidence for indicators of compromise or attack. Next, you will examine the role of reporting your findings and how to configure reports for the various entities that require insight into an incident. To round out the skill set, the roles of malware analysis, threat intelligence, and threat hunting are discussed. By the end of this book, you will have a solid foundation in the forensic techniques and methodologies of incident response, as well as the experience required to bring these techniques into your own organization to better prepare for a potential security incident.
Who this book is for
This book is for the information security professional, digital forensic practitioner, and students with knowledge and experience in the use of software applications and basic command-line usage. This book will also help information security professionals who are new to an incident response, digital forensics, or threat hunting role within their organization.
What this book covers
Chapter 1, Understanding Incident Response, addresses the incident response process at a high level and explains how to craft an incident response framework within an enterprise. This framework allows the detailed and orderly investigation of an incident's root cause, the containment of the incident to lessen the impact, and finally, the remediation of damage to bring the enterprise back to a normal state.
Chapter 2, Managing Cyber Incidents, discusses the incident management framework, which provides a strategic construct for incident response. In this chapter, you will be guided through managing the incident. This includes tactical-level issues such as incident escalation, configuring an incident war room, crisis communication, and the technical aspects of bringing an organization back to normal.
Chapter 3, Fundamentals of Digital Forensics, focuses on the fundamental aspects of digital forensics. This includes an examination of the history of digital forensics, the basic elements of forensic science, and how these techniques are integrated into the incident response framework.
Chapter 4, Collecting Network Evidence, focuses on the acquisition of network-based evidence. This includes log files from network devices such as firewalls, routers, switches, proxy servers, and other network-layer devices. Other types of evidence such as packet captures will also be explored.
Chapter 5, Acquiring Host-Based Evidence, explains that compromised hosts are often the target of attacks, either as the direct target or as a pivot point into other areas of the network. Evidence from these systems is critical in determining root causes. This chapter focuses on the tools and techniques used to capture the volatile memory, log files, and other pertinent evidence.
Chapter 6, Forensic Imaging, explains that physical disk drives from compromised systems are a significant source of evidence. In order to ensure that this evidence is sound, it has to be acquired properly. This chapter focuses on the proper methods to image suspect hard disk drives (HDDs).
Chapter 7, Analyzing Network Evidence, shows how to use open source tools such as tcpdump, Wireshark, and Moloch. You will be guided through the analysis of network evidence to identify command and control channels or data exfiltration. This evidence will be further correlated with other network evidence, such as a network proxy or firewall logs and packet captures.
Chapter 8, Analyzing System Memory, through the use of several industry-standard tools, shows various methods for identifying malicious activity contained within the system memory. These include methods for identifying malicious processes, network connections, and other indicators associated with malware running on an infected system.
Chapter 9, Analyzing System Storage, is an overview of the tools and techniques available for extracting evidence from previously imaged HDDs. An overview of some of the methods available to examine a system's storage is explored, but it should be noted that due to the depth of this topic, this chapter will only highlight certain aspects.
Chapter 10, Analyzing Log Files, explores the various Windows OS logs that are created during legitimate and adversarial behavior. You will be shown methods to analyze log files with open source tools to examine security, system or application event logs, and to identify potential indicators of compromise.
Chapter 11, Writing the Incident Report, discusses crafting a written document that captures the actions of responders and their analysis, which is as critical as the investigation itself. This chapter focuses on preparing reports for key internal and external stakeholders, including potential legal entities. The end goal is to prepare a report that stands up to the scrutiny of a court of law.
Chapter 12, Malware Analysis for Incident Response, provides an overview of some of the tools and techniques that are deployed when examining malicious code. This includes static analysis techniques to identify key indicators, as well as dynamic analysis where the behavior of the malware is explored.
Chapter 13, Leveraging Threat Intelligence, explains that threat intelligence has become more and more important to incident response by providing details of the wider context of adversarial tactics, techniques, and procedures. This chapter will give you an understanding of threat intelligence and how it can be applied to the incident response process.
Chapter 14, Hunting for Threats, introduces a methodology that integrates digital forensics tools and techniques with threat intelligence to determine whether a network has been compromised. This chapter explores the methodology of threat hunting and how threat intelligence can facilitate hunting through the crafting of a threat hunt hypothesis and indicators to hunt for.
Chapter 15, Appendix, is provided as a reference. There is a significant number of Windows Event Log types available to IT and security professionals; the appendix includes the events that are most critical to security and incident investigations.
To get the most out of this book
Readers should be familiar with the Windows OS and have the ability to download and run applications as well as to use the Windows command line. Familiarity with the Linux command line is also helpful. An understanding of the basic network protocols and various types of network traffic is required as well. It's not required, but it is helpful to have access to a virtualization software platform and a Windows OS in which to run specific tools. Finally, incident response and digital forensics is a growing field. You will get the most out of this book by continuing to research and try new tools and techniques.
Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781838649005_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: Once in Command Prompt, navigate to the folder containing the RawCap.exe file.
A block of code is set as follows:
meta:
description = Stuxnet Sample - file ~WTR4141.tmp
author = Florian Roth
reference = Internal Research
date = 2016-07-09
Any command-line input or output is written as follows:
dfir@ubuntu:~$ tcpdump -h
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: Click on File and then on Capture Memory.
Warnings or important notes appear like this.
Tips and tricks appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Reviews
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
Section 1: Foundations of Incident Response and Digital Forensics
Section one of this book lays the foundations of incident response and digital forensics. These foundational elements, such as the IR process, forensic principles, and incident management, will tie in directly with subsequent parts of the book.
This section comprises the following chapters:
Chapter 1, Understanding Incident Response
Chapter 2, Managing Cyber Incidents
Chapter 3, Fundamentals of Digital Forensics
Understanding Incident Response
When examining the threats to today's information technology, it can seem overwhelming. From simple script kiddies using off-the-shelf code to nation-state adversary tools, it is critical to be prepared. For example, an internal employee can download a single instance of ransomware and have a significant impact on an organization. More complex attacks, such as a network exploitation attempt or targeted data breach, increase the chaos that a security incident causes. Technical personnel will have their hands full attempting to determine which systems have been impacted and how they are being manipulated. They will also have to contend with addressing the possible loss of data through compromised systems. Adding to this chaotic situation are senior managers haranguing them for updates and an answer to the all-important questions: How did this happen? and How bad is it?
Having the ability to respond to security incidents in an orderly and efficient manner allows organizations both to limit the damage of a potential cyber attack and to recover from the damage that is caused. To facilitate this orderly response, organizations of all sizes have looked at adding an incident response capability to their existing policies, procedures, and processes.
In order to build this capability within the organization, several key components must be addressed. First, organizations need to have a working knowledge of the incident response process. This process outlines the general flow of an incident and the general actions that are taken at each stage. Second, organizations need to have access to personnel who form the nucleus of any incident response capability. Once a team is organized, a formalized plan and associated processes need to be created. This written plan and processes form the orderly structure that an organization can follow during an incident. Finally, with this framework in place, the plan must be continually evaluated, tested, and improved as new threats emerge. Utilizing this framework will position organizations to be prepared for the unfortunate reality that many organizations have already faced, an incident that compromises their security.
We will be covering the following topics in this chapter:
The incident response process
The incident response framework
The incident response plan
The incident response playbook
Testing the incident response framework
The incident response process
There is a general path that cyber security incidents follow during their lifetime. If the organization has a mature incident response capability, it will have taken measures to ensure it is prepared to address an incident at each stage of the process. Each incident starts the first time the organization becomes aware of an event or series of events indicative of malicious activity. This detection can come in the form of a security control alert or an external party informing the organization of a potential security issue. Once alerted, the organization moves through analyzing the incident and applying containment measures to bring the information system back to normal operations. The following diagram shows how these phases flow in a cycle with Preparation as the starting point. Closer examination reveals that every incident is used to better prepare the organization for future incidents: the Post-Incident Activity phase feeds directly into the preparation for the next incident:
The incident response process can be broken down into six distinct phases, each with a set of actions the organization can take to address the incident:
Preparation: Without good preparation, any subsequent incident response is going to be disorganized and has the potential to make the incident worse. One of the critical components of preparation is the creation of an incident response plan. Once a plan is in place with the necessary staffing, ensure that the personnel assigned incident response duties are properly trained. This training covers the processes, the procedures, and any additional tools necessary for the investigation of an incident. In addition to the plan, tools such as forensics hardware and software should be acquired and incorporated into the overall process. Finally, regular exercises should be conducted to ensure that the organization is trained and familiar with the process.
Detection: The detection of potential incidents is a complex endeavor. Depending on the size of the organization, it may generate over 100 million separate events per day. These events can be records of legitimate actions taken during the normal course of business or indicators of potentially malicious activity. Couple this mountain of event data with other security controls constantly alerting on activity and you have a situation where analysts are inundated with data and must sift the valuable pieces of signal out of the vastness of network noise. Even today's cutting-edge Security Information and Event Management (SIEM) tools lose their effectiveness if they are not properly maintained with regular updates to the rule sets that identify which events qualify as a potential incident. The detection phase is the part of the incident response process where the organization first becomes aware of a set of events that possibly indicates malicious activity. Detected events that are indicative of malicious behavior are then classified as an incident. For example, a security analyst may receive an alert that a specific administrator account was in use during a period when the administrator was on vacation. Detection may also come from external sources. An ISP or law enforcement agency may detect malicious activity originating from an organization's network and contact the organization to advise it of the situation.
In other instances, users may be the first to indicate a potential security incident. This may be as simple as an employee contacting the help desk and informing a help desk technician that they received an Excel spreadsheet from an unknown source and opened it. They are now complaining that the files on their local system are being encrypted. In each case, the organization would have to escalate the event to the level of an incident (which we will cover a little later in this chapter) and begin the reactive process of investigating and remediating.
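The administrator-on-vacation alert described above is a typical SIEM rule: a logon event is correlated with a data source the log itself does not contain (here, a leave roster). The following is an added example, not code from the book, showing such a rule run over a handful of constructed logon events. The JSON field names, the leave roster, and the treatment of logon types 2, 3, and 10 as "a person using the account" are assumptions made for the example rather than any vendor's schema.

```python
"""Added example: a SIEM-style detection rule that flags logons by accounts
whose owner is recorded as being on leave. The log lines and the leave roster
are constructed for this example, not real data."""
import json
from datetime import datetime, date

# Constructed leave roster: account -> (first day of leave, last day of leave).
# In practice this would be fed from an HR or ticketing system (assumption).
LEAVE_ROSTER = {
    "jsmith-adm": (date(2024, 3, 4), date(2024, 3, 15)),
}

# Constructed logon events in JSON Lines form. The fields are loosely modelled
# on what a Windows 4624 "successful logon" event carries, but the names here
# are the example's own, not the vendor schema.
SAMPLE_LOGS = """\
{"ts": "2024-03-01T08:02:11+00:00", "account": "jsmith-adm", "logon_type": 10, "src_ip": "10.1.5.23", "host": "DC01"}
{"ts": "2024-03-07T23:41:05+00:00", "account": "jsmith-adm", "logon_type": 10, "src_ip": "10.1.9.77", "host": "DC01"}
{"ts": "2024-03-08T01:12:48+00:00", "account": "jsmith-adm", "logon_type": 3, "src_ip": "10.1.9.77", "host": "FS02"}
{"ts": "2024-03-08T09:30:00+00:00", "account": "mwong", "logon_type": 2, "src_ip": "10.1.5.40", "host": "WS118"}
"""

# Logon types treated as a human actually using the account: interactive (2),
# network (3) and remote interactive (10). Service/batch logons are ignored
# to keep the rule from firing on scheduled jobs that run as the account.
INTERACTIVE_LOGON_TYPES = {2, 3, 10}


def parse_events(text):
    """Parse JSON Lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def on_leave(account, when, roster):
    """True if the account's owner is on leave on the calendar date of `when`."""
    window = roster.get(account.lower())
    if window is None:
        return False
    start, end = window
    return start <= when.date() <= end


def detect_leave_logons(events, roster):
    """Return one alert per logon by an on-leave account, in event order."""
    alerts = []
    for ev in events:
        if ev.get("logon_type") not in INTERACTIVE_LOGON_TYPES:
            continue
        if on_leave(ev["account"], ev["ts"], roster):
            alerts.append({
                "rule": "logon-during-leave",
                "account": ev["account"],
                "ts": ev["ts"].isoformat(),
                "src_ip": ev["src_ip"],
                "host": ev["host"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_leave_logons(parse_events(SAMPLE_LOGS), LEAVE_ROSTER):
        print(alert)
```

On the sample data the rule fires twice, for the two logons on 7 and 8 March, and stays quiet for the 1 March logon that precedes the leave window. Note the two points the paragraph makes about maintenance: the rule is only as good as the roster it joins against, and the logon-type filter is a tuning decision that has to be revisited as the environment changes.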
Analysis: Once an incident has been detected, personnel from the organization or a trusted third party begin the analysis phase. In this phase, personnel begin the task of collecting evidence from the affected systems, such as running memory, log files, network connections, and running software processes. Depending on the type of incident, this collection can take anywhere from a few hours to several days.
Once the evidence is collected, it then needs to be examined. There are a variety of tools to conduct this analysis, many of which are explored in this book. With these tools, analysts attempt to ascertain what happened, what it affected, whether any other systems were involved, and whether any confidential data was removed. The ultimate goal of the analysis is to determine the root cause of the incident and reconstruct the actions of the threat actor from initial compromise to detection.
Containment: Once there is a solid understanding of what the incident is and what systems are involved, the organization can move into the containment phase. In this phase, the organization takes measures to limit the threat actor's ability to continue compromising other network resources, communicating with command and control infrastructure, or exfiltrating confidential data. Containment strategies range from blocking ports and IP addresses on a firewall to simply pulling the network cable from the back of an infected machine. Each type of incident calls for its own containment strategy, but having several options ready allows personnel to stop the bleeding at the source if they detect a security incident before or while threat actors are pilfering data.
Eradication and recovery: During the eradication phase, the organization removes the threat actor from the impacted network. In the case of a malware infection, the organization may run an enhanced anti-malware solution. Other times, infected machines must be wiped and reimaged. Other activities include removing or changing compromised user accounts. If the organization has identified a vulnerability that was exploited, vendor patches or software updates are applied. Recovery activities are very closely aligned with those found in an organization's business continuity or disaster recovery plans. In this phase of the process, organizations reinstall fresh operating systems or applications. They also restore data on local systems from backups. As a due diligence step, organizations audit their existing user and administrator accounts to ensure that there are no accounts that have been created, re-enabled, or elevated by threat actors. Finally, a comprehensive vulnerability scan is conducted so that the organization is confident that any exploitable vulnerabilities have been removed.
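The account audit mentioned under recovery is easiest to do by comparison against a pre-incident baseline rather than by eyeballing the current directory. The following is an added example, not code from the book, that diffs two constructed account exports and reports accounts that are new, were re-enabled, or gained membership in a privileged group. The three-column CSV layout and the list of privileged groups are assumptions made for the example, not any particular directory's export format.

```python
"""Added example: compare a current export of user accounts against a
pre-incident baseline to surface accounts a threat actor may have created,
re-enabled, or elevated. Both snapshots are constructed for this example."""
import csv
import io

# Constructed pre-incident baseline, e.g. from a scheduled export or a backup
# taken before the compromise (assumption about where it comes from).
BASELINE_CSV = """\
name,enabled,groups
administrator,false,Administrators
jsmith-adm,true,Domain Admins;Administrators
mwong,true,Domain Users
svc-backup,true,Backup Operators
tmp-contractor,false,Domain Users
"""

# Constructed export taken from the directory during eradication/recovery.
CURRENT_CSV = """\
name,enabled,groups
administrator,false,Administrators
jsmith-adm,true,Domain Admins;Administrators
mwong,true,Domain Users;Domain Admins
svc-backup,true,Backup Operators
tmp-contractor,true,Domain Users
support$,true,Administrators
"""

# Groups whose membership change is treated as a privilege escalation.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}


def load_snapshot(text):
    """Parse a CSV export into {name: {"enabled": bool, "groups": set}}."""
    snapshot = {}
    for row in csv.DictReader(io.StringIO(text)):
        groups = {g.strip().lower() for g in row["groups"].split(";") if g.strip()}
        snapshot[row["name"].strip().lower()] = {
            "enabled": row["enabled"].strip().lower() == "true",
            "groups": groups,
        }
    return snapshot


def audit_accounts(baseline, current):
    """Return findings as (kind, account, detail) tuples in a stable order."""
    findings = []
    for name, cur in current.items():
        base = baseline.get(name)
        if base is None:
            # Unknown to the baseline: created after the snapshot was taken.
            findings.append(("new-account", name, sorted(cur["groups"])))
            continue
        if cur["enabled"] and not base["enabled"]:
            findings.append(("re-enabled", name, None))
        added_priv = (cur["groups"] - base["groups"]) & PRIVILEGED_GROUPS
        if added_priv:
            findings.append(("privilege-added", name, sorted(added_priv)))
    for name in baseline.keys() - current.keys():
        # A deletion is not a compromise indicator on its own, but attackers
        # do remove accounts to cover their tracks, so it is reported too.
        findings.append(("missing-account", name, None))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for kind, name, detail in audit_accounts(load_snapshot(BASELINE_CSV),
                                             load_snapshot(CURRENT_CSV)):
        print(f"{kind:16} {name:16} {detail if detail else ''}")
```

On the constructed data the audit reports three findings: a new account named `support$` that is already a local administrator, `mwong` having been added to Domain Admins, and the dormant `tmp-contractor` account having been switched back on. Each is exactly the kind of change the paragraph says the recovery audit exists to catch, and each is invisible if the responder only checks that the accounts "look normal" without a baseline to compare against.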
Post-incident activity: At the conclusion of the incident process is a complete review of the incident with all the principal stakeholders. Post-incident activity includes a complete review of all the actions taken during the incident. What worked, and more importantly, what did not work, are important topics for discussion. These reviews are important because they may highlight specific tasks and actions that had either a positive or negative impact on the outcome of the incident response. It is during this phase of the process that a written report is completed. Documenting the actions taken during the incident is critical both to capture what occurred and because the incident may one day see the inside of a courtroom. For documentation to be effective, it should be detailed and show a clear chain of events with a focus on the root cause, if it was determined. Personnel involved in the preparation of this report should realize that stakeholders outside of information technology might read it. As a result, technical jargon and concepts should be explained.
Finally, the organizational personnel should update their own incident response processes with any new information developed during the post-incident debrief and reporting. This incorporation of lessons learned is important as it makes future responses to incidents more effective.
The role of digital forensics
There is a misconception that is often held by people unfamiliar with the realm of incident response. This misconception is that incident response is merely a