Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer

Investigating the Cyber Breach

The Digital Forensics Guide for the Network Engineer

·         Understand the realities of cybercrime and today’s attacks

·         Build a digital forensics lab to test tools and methods, and gain expertise

·         Take the right actions as soon as you discover a breach

·         Determine the full scope of an investigation and the role you’ll play

·         Properly collect, document, and preserve evidence and data

·         Collect and analyze data from PCs, Macs, IoT devices, and other endpoints

·         Use packet logs, NetFlow, and scanning to build timelines, understand network activity, and collect evidence

·         Analyze iOS and Android devices, and understand encryption-related obstacles to investigation

·         Investigate and trace email, and identify fraud or abuse

·         Use social media to investigate individuals or online identities

·         Gather, extract, and analyze breach data with Cisco tools and techniques

·         Walk through common breaches and responses from start to finish

·         Choose the right tool for each task, and explore alternatives that might also be helpful

The professional’s go-to digital forensics resource for countering attacks right now

Writing for working professionals, senior cybersecurity experts Joseph Muniz and Aamir Lakhani present up-to-the-minute techniques for hunting attackers, following their movements within networks, halting exfiltration of data and intellectual property, and collecting evidence for investigation and prosecution. You’ll learn how to make the most of today’s best open source and Cisco tools for cloning, data analytics, network and endpoint breach detection, case management, monitoring, analysis, and more.

Unlike digital forensics books focused primarily on post-attack evidence gathering, this one offers complete coverage of tracking threats, improving intelligence, rooting out dormant malware, and responding effectively to breaches underway right now.

This book is part of the Networking Technology: Security Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Table of Contents

Introduction xix

Chapter 1 Digital Forensics 1

Defining Digital Forensics 3

Engaging Forensics Services 4

Reporting Crime 7

Search Warrant and Law 9

Forensic Roles 13

Forensic Job Market 15

Forensic Training 16

Summary 23

References 24

Chapter 2 Cybercrime and Defenses 25

Crime in a Digital Age 27

Exploitation 31

Adversaries 34

Cyber Law 36

Summary 39

Reference 39

Chapter 3 Building a Digital Forensics Lab 41

Desktop Virtualization 42

    VMware Fusion 43

    VirtualBox 44

Installing Kali Linux 44

Attack Virtual Machines 52

Cuckoo Sandbox 56

    Virtualization Software for Cuckoo 58

    Installing TCPdump 58

    Creating a User on VirtualBox for Cuckoo 59

Binwalk 60

The Sleuth Kit 61

Cisco Snort 62

Windows Tools 67

Physical Access Controls 68

Storing Your Forensics Evidence 71

    Network Access Controls 72

Jump Bag 74

Summary 74

References 75

Chapter 4 Responding to a Breach 77

Why Organizations Fail at Incident Response 78

Preparing for a Cyber Incident 80

Defining Incident Response 81

Incident Response Plan 82

Assembling Your Incident Response Team 84

    When to Engage the Incident Response Team 85

    Outstanding Items that Often Get Missed with Incident Response 88

    Phone Tree and Contact List 88

    Facilities 89

Responding to an Incident 89

Assessing Incident Severity 91

Following Notification Procedures 92

Employing Post-Incident Actions and Procedures 93

Identifying Software Used to Assist in Responding to a Breach 93

    Trend Analysis Software 94

    Security Analytics Reference Architectures 94

    Other Software Categories 97

Summary 97

References 98

Chapter 5 Investigations 99

Pre-Investigation 100

Opening a Case 102

First Responder 105

Device Power State 110

Search and Seizure 113

Chain of Custody 118

Network Investigations 121

Forensic Reports 127

    Case Summary 129

        Example 129

    Acquisition and Exam Preparation 129

        Example 129

    Findings 130

        Example 130

    Conclusion 130

        Example 131

    List of Authors 131

        Example 131

Closing the Case 132

Critiquing the Case 136

Summary 139

References 139

Chapter 6 Collecting and Preserving Evidence 141

First Responder 141

Evidence 144

    Autopsy 145

    Authorization 147

Hard Drives 148

    Connections and Devices 150

    RAID 152

Volatile Data 153

    DumpIt 154

    LiME 154

    Volatility 156

Duplication 158

    dd 161

    dcfldd 161

    ddrescue 162

    Netcat 162

    Guymager 163

    Compression and Splitting 164

Hashing 166

    MD5 and SHA Hashing 168

    Hashing Challenges 169

Data Preservation 170

Summary 172

References 172

Chapter 7 Endpoint Forensics 173

File Systems 174

    Locating Data 178

    Unknown Files 180

Windows Registry 182

    Deleted Files 185

    Windows Recycle Bin 187

    Shortcuts 189

Printer Spools 190

    Slack Space and Corrupt Clusters 191

    Alternate Data Streams 196

    Mac OS X 198

    OS X Artifacts 199

Log Analysis 202

IoT Forensics 207

Summary 210

References 211

Chapter 8 Network Forensics 213

Network Protocols 214

Security Tools 215

    Firewall 219

    Intrusion Detection and Prevention System 219

    Content Filter 219

    Network Access Control 220

    Packet Capturing 223

    NetFlow 224

    Sandbox 225

    Honeypot 226

    Security Information and Event Manager (SIEM) 228

    Threat Analytics and Feeds 229

    Security Tool Summary 229

Security Logs 229

Network Baselines 233

Symptoms of Threats 235

    Reconnaissance 235

    Exploitation 238

    Malicious Behavior 242

    Beaconing 244

    Brute Force 249

    Exfiltration 250

    Other Indicators 254

Summary 255

References 255

Chapter 9 Mobile Forensics 257

Mobile Devices 258

    Investigation Challenges 258

iOS Architecture 259

iTunes Forensics 261

iOS Snapshots 263

How to Jailbreak the iPhone 265

Android 266

PIN Bypass 270

    How to Brute Force Passcodes on the Lock Screen 271

Forensics with Commercial Tools 272

Call Logs and SMS Spoofing 274

Voicemail Bypass 275

How to Find Burner Phones 276

SIM Card Cloning 278

Summary 279

Reference 279

Chapter 10 Email and Social Media 281

A Message in a Bottle 281

Email Header 283

Social Media 288

People Search 288

Google Search 293

Facebook Search 297

Summary 304

References 305

Chapter 11 Cisco Forensic Capabilities 307

Cisco Security Architecture 307

Cisco Open Source 310

Cisco Firepower 312

Cisco Advanced Malware Protection (AMP) 313

Cisco Threat Grid 319

Cisco Web Security Appliance 322

Cisco CTA 323

Meraki 324

Email Security Appliance 326

Cisco Identity Services Engine 328

Cisco Stealthwatch 331

Cisco Tetration 335

Cisco Umbrella 337

Cisco Cloudlock 342

Cisco Network Technology 343

Summary 343

Reference 343

Chapter 12 Forensic Case Studies 345

Scenario 1: Investigating Network Communication 346

    Pre-engagement 347

    Investigation Strategy for Network Data 348

    Investigation 350

    Closing the Investigation 355

Scenario 2: Using Endpoint Forensics 357

    Pre-engagement 357

    Investigation Strategy for Endpoints 358

    Investigation 359

    Potential Steps to Take 360

    Closing the Investigation 362

Scenario 3: Investigating Malware 364

    Pre-engagement 364

    Investigation Strategy for Rogue Files 365

    Investigation 365

    Closing the Investigation 369

Scenario 4: Investigating Volatile Data 370

    Pre-engagement 371

    Investigation Strategy for Volatile Data 372

    Investigation 373

    Closing the Investigation 375

Scenario 5: Acting as First Responder 377

    Pre-engagement 377

    First Responder Strategy 377

    Closing the Investigation 379

Summary 381

References 382

Chapter 13 Forensic Tools 383

Tools 384

    Slowloris DDOS Tool: Chapter 2 385

    Low Orbit Ion Cannon 386

    VMware Fusion: Chapter 3 386

    VirtualBox: Chapter 3 387

    Metasploit: Chapter 3 388

    Cuckoo Sandbox: Chapter 3 389

    Cisco Snort: Chapter 3 389

    FTK Imager: Chapters 3, 9 390

    FireEye Redline: Chapter 3 391

    P2 eXplorer: Chapter 3 392

    PlainSight: Chapter 3 392

    Sysmon: Chapter 3 393

    WebUtil: Chapter 3 393

    ProDiscover Basics: Chapter 3 393

    Solarwinds Trend Analysis Module: Chapter 4 394

    Splunk: Chapter 4 394

    RSA Security Analytics: Chapter 4 395

    IBM’s QRadar: Chapter 4 396

    HawkeyeAP: Chapter 4 396

    WinHex: Chapters 6, 7 396

    OSForensics: Chapter 6 397

    Mount Image Pro: Chapter 6 397

    DumpIt: Chapter 6 398

    LiME: Chapter 6 398

    TrIDENT: Chapter 7 398

    PEiD: Chapter 7 399

    Lnkanalyser: Chapter 7 399

    Windows File Analyzer: Chapter 7 399

    LECmd: Chapter 7 401

    SplViewer: Chapter 7 401

    PhotoRec: Chapter 7 402

    Windows Event Log: Chapter 7 402

    Log Parser Studio: Chapter 7 403

    LogRhythm: Chapter 8 403

Mobile Devices 404

    Elcomsoft: Chapter 9 404

    Cellebrite: Chapter 9 404

    iPhone Backup Extractor: Chapter 9 405

    iPhone Backup Browser: Chapter 9 405

    Pangu: Chapter 9 405

    KingoRoot Application: Chapter 9 405

Kali Linux Tools 406

    Fierce: Chapter 8 406

    TCPdump: Chapter 3 406

    Autopsy and Autopsy with the Sleuth Kit: Chapters 3, 6 406

    Wireshark: Chapter 8 406

    Exiftool: Chapter 7 407

    DD: Chapter 6 407

    Dcfldd: Chapter 6 408

    Ddrescue: Chapter 6 408

    Netcat: Chapter 6 408

    Volatility: Chapter 6 408

Cisco Tools 408

    Cisco AMP 408

    Stealthwatch: Chapter 8 409

    Cisco WebEx: Chapter 4 409

    Snort: Chapter 11 409

    ClamAV: Chapter 10 409

    Razorback: Chapter 10 410

    Daemonlogger: Chapter 10 410

    Moflow Framework: Chapter 10 410

    Firepower: Chapter 10 410

    Threat Grid: Chapter 10 410

    WSA: Chapter 10 410

    Meraki: Chapter 10 411

    Email Security: Chapter 10 411

    ISE: Chapter 10 411

    Cisco Tetration: Chapter 10 411

    Umbrella: Chapter 10 411

    Norton ConnectSafe: No Chapter 412

    Cloudlock: Chapter 10 412

Forensic Software Packages 413

    FTK Toolkit: Chapter 3 413

    X-Ways Forensics: Chapter 3 413

    OSforensics: Chapter 6 414

    EnCase: Chapter 7 414

    Digital Forensics Framework (DFF): Chapter 7 414

Useful Websites 414

    Shodan: Chapter 1 414

    Wayback Machine: Chapter 3 415

    Robot.txt files: Chapter 2 415

    Hidden Wiki: Chapter 2 415

    NIST: Chapter 4 416

    CVE: Chapter 4 416

    Exploit-DB: Chapter 4 416

    Pastebin: Chapters 4, 10 416

    University of Pennsylvania Chain of Custody Form: Chapter 6 417

    List of File Signatures: Chapter 9 417

    Windows Registry Forensics Wiki: Chapter 7 417

    Mac OS Forensics Wiki: Chapter 7 417

Miscellaneous Sites 417

    Searchable FCC ID Database 418

    Service Name and Transport Protocol Port Number Registry 418

    NetFlow Version 9 Flow-Record Format 418

    NMAP 418

    Pwnable 418

    Embedded Security CTF 419

    CTF Learn 419

    Reversing.Kr 419

    Hax Tor 419

    W3Challs 419

    RingZer0 Team Online CTF 420

    Hellbound Hackers 420

    Over the Wire 420

    Hack This Site 420

    VulnHub 420

    Application Security Challenge 421

    iOS Technology Overview 421

Summary 421

9781587145025    TOC    1/10/2017

Submit Errata