Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer

Features

This book will help administrators

1) Understand how to identify when they are compromised.
2) Improve their network security
3) Develop a incident response plan
4) Maximize security capabilities in existing investments
5) Learn how to use critical digital forensics tools
6) Understand best practices for digital forensics.

Investigating the Cyber Breach

The Digital Forensics Guide for the Network Engineer

· Understand the realities of cybercrime and today’s attacks

· Build a digital forensics lab to test tools and methods, and gain expertise

· Take the right actions as soon as you discover a breach

· Determine the full scope of an investigation and the role you’ll play

· Properly collect, document, and preserve evidence and data

· Collect and analyze data from PCs, Macs, IoT devices, and other endpoints

· Use packet logs, NetFlow, and scanning to build timelines, understand network activity, and collect evidence

· Analyze iOS and Android devices, and understand encryption-related obstacles to investigation

· Investigate and trace email, and identify fraud or abuse

· Use social media to investigate individuals or online identities

· Gather, extract, and analyze breach data with Cisco tools and techniques

· Walk through common breaches and responses from start to finish

· Choose the right tool for each task, and explore alternatives that might also be helpful

The professional’s go-to digital forensics resource for countering attacks right now

Today, cybersecurity and networking professionals know they can’t possibly prevent every breach, but they can substantially reduce risk by quickly identifying and blocking breaches as they occur. Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer is the first comprehensive guide to doing just that.

Writing for working professionals, senior cybersecurity experts Joseph Muniz and Aamir Lakhani present up-to-the-minute techniques for hunting attackers, following their movements within networks, halting exfiltration of data and intellectual property, and collecting evidence for investigation and prosecution. You’ll learn how to make the most of today’s best open source and Cisco tools for cloning, data analytics, network and endpoint breach detection, case management, monitoring, analysis, and more.

Unlike digital forensics books focused primarily on post-attack evidence gathering, this one offers complete coverage of tracking threats, improving intelligence, rooting out dormant malware, and responding effectively to breaches underway right now.

This book is part of the Networking Technology: Security Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Online Sample Chapter

Responding to a Breach

Table of Contents

Introduction xix

Chapter 1 Digital Forensics 1

Defining Digital Forensics 3

Engaging Forensics Services 4

Reporting Crime 7

Search Warrant and Law 9

Forensic Roles 13

Forensic Job Market 15

Forensic Training 16

Summary 23

References 24

Chapter 2 Cybercrime and Defenses 25

Crime in a Digital Age 27

Exploitation 31

Adversaries 34

Cyber Law 36

Summary 39

Reference 39

Chapter 3 Building a Digital Forensics Lab 41

Desktop Virtualization 42

VMware Fusion 43

VirtualBox 44

Installing Kali Linux 44

Attack Virtual Machines 52

Cuckoo Sandbox 56

Virtualization Software for Cuckoo 58

Installing TCPdump 58

Creating a User on VirtualBox for Cuckoo 59

Binwalk 60

The Sleuth Kit 61

Cisco Snort 62

Windows Tools 67

Physical Access Controls 68

Storing Your Forensics Evidence 71

Network Access Controls 72

Jump Bag 74

Summary 74

References 75

Chapter 4 Responding to a Breach 77

Why Organizations Fail at Incident Response 78

Preparing for a Cyber Incident 80

Defining Incident Response 81

Incident Response Plan 82

Assembling Your Incident Response Team 84

When to Engage the Incident Response Team 85

Outstanding Items that Often Get Missed with Incident Response 88

Phone Tree and Contact List 88

Facilities 89

Responding to an Incident 89

Assessing Incident Severity 91

Following Notification Procedures 92

Employing Post-Incident Actions and Procedures 93

Identifying Software Used to Assist in Responding to a Breach 93

Trend Analysis Software 94

Security Analytics Reference Architectures 94

Other Software Categories 97

Summary 97

References 98

Chapter 5 Investigations 99

Pre-Investigation 100

Opening a Case 102

First Responder 105

Device Power State 110

Search and Seizure 113

Chain of Custody 118

Network Investigations 121

Forensic Reports 127

Case Summary 129

Example 129

Acquisition and Exam Preparation 129

Example 129

Findings 130

Example 130

Conclusion 130

Example 131

List of Authors 131

Example 131

Closing the Case 132

Critiquing the Case 136

Summary 139

References 139

Chapter 6 Collecting and Preserving Evidence 141

First Responder 141

Evidence 144

Autopsy 145

Authorization 147

Hard Drives 148

Connections and Devices 150

RAID 152

Volatile Data 153

DumpIt 154

LiME 154

Volatility 156

Duplication 158

dd 161

dcfldd 161

ddrescue 162

Netcat 162

Guymager 163

Compression and Splitting 164

Hashing 166

MD5 and SHA Hashing 168

Hashing Challenges 169

Data Preservation 170

Summary 172

References 172

Chapter 7 Endpoint Forensics 173

File Systems 174

Locating Data 178

Unknown Files 180

Windows Registry 182

Deleted Files 185

Windows Recycle Bin 187

Shortcuts 189

Printer Spools 190

Slack Space and Corrupt Clusters 191

Alternate Data Streams 196

Mac OS X 198

OS X Artifacts 199

Log Analysis 202

IoT Forensics 207

Summary 210

References 211

Chapter 8 Network Forensics 213

Network Protocols 214

Security Tools 215

Firewall 219

Intrusion Detection and Prevention System 219

Content Filter 219

Network Access Control 220

Packet Capturing 223

NetFlow 224

Sandbox 225

Honeypot 226

Security Information and Event Manager (SIEM) 228

Threat Analytics and Feeds 229

Security Tool Summary 229

Security Logs 229

Network Baselines 233

Symptoms of Threats 235

Reconnaissance 235

Exploitation 238

Malicious Behavior 242

Beaconing 244

Brute Force 249

Exfiltration 250

Other Indicators 254

Summary 255

References 255

Chapter 9 Mobile Forensics 257

Mobile Devices 258

Investigation Challenges 258

iOS Architecture 259

iTunes Forensics 261

iOS Snapshots 263

How to Jailbreak the iPhone 265

Android 266

PIN Bypass 270

How to Brute Force Passcodes on the Lock Screen 271

Forensics with Commercial Tools 272

Call Logs and SMS Spoofing 274

Voicemail Bypass 275

How to Find Burner Phones 276

SIM Card Cloning 278

Summary 279

Reference 279

Chapter 10 Email and Social Media 281

A Message in a Bottle 281

Email Header 283

Social Media 288

People Search 288

Google Search 293

Facebook Search 297

Summary 304

References 305

Chapter 11 Cisco Forensic Capabilities 307

Cisco Security Architecture 307

Cisco Open Source 310

Cisco Firepower 312

Cisco Advanced Malware Protection (AMP) 313

Cisco Threat Grid 319

Cisco Web Security Appliance 322

Cisco CTA 323

Meraki 324

Email Security Appliance 326

Cisco Identity Services Engine 328

Cisco Stealthwatch 331

Cisco Tetration 335

Cisco Umbrella 337

Cisco Cloudlock 342

Cisco Network Technology 343

Summary 343

Reference 343

Chapter 12 Forensic Case Studies 345

Scenario 1: Investigating Network Communication 346

Pre-engagement 347

Investigation Strategy for Network Data 348

Investigation 350

Closing the Investigation 355

Scenario 2: Using Endpoint Forensics 357

Pre-engagement 357

Investigation Strategy for Endpoints 358

Investigation 359

Potential Steps to Take 360

Closing the Investigation 362

Scenario 3: Investigating Malware 364

Pre-engagement 364

Investigation Strategy for Rogue Files 365

Investigation 365

Closing the Investigation 369

Scenario 4: Investigating Volatile Data 370

Pre-engagement 371

Investigation Strategy for Volatile Data 372

Investigation 373

Closing the Investigation 375

Scenario 5: Acting as First Responder 377

Pre-engagement 377

First Responder Strategy 377

Closing the Investigation 379

Summary 381

References 382

Chapter 13 Forensic Tools 383

Tools 384

Slowloris DDOS Tool: Chapter 2 385

Low Orbit Ion Cannon 386

VMware Fusion: Chapter 3 386

VirtualBox: Chapter 3 387

Metasploit: Chapter 3 388

Cuckoo Sandbox: Chapter 3 389

Cisco Snort: Chapter 3 389

FTK Imager: Chapters 3, 9 390

FireEye Redline: Chapter 3 391

P2 eXplorer: Chapter 3 392

PlainSight: Chapter 3 392

Sysmon: Chapter 3 393

WebUtil: Chapter 3 393

ProDiscover Basics: Chapter 3 393

Solarwinds Trend Analysis Module: Chapter 4 394

Splunk: Chapter 4 394

RSA Security Analytics: Chapter 4 395

IBM’s QRadar: Chapter 4 396

HawkeyeAP: Chapter 4 396

WinHex: Chapters 6, 7 396

OSForensics: Chapter 6 397

Mount Image Pro: Chapter 6 397

DumpIt: Chapter 6 398

LiME: Chapter 6 398

TrIDENT: Chapter 7 398

PEiD: Chapter 7 399

Lnkanalyser: Chapter 7 399

Windows File Analyzer: Chapter 7 399

LECmd: Chapter 7 401

SplViewer: Chapter 7 401

PhotoRec: Chapter 7 402

Windows Event Log: Chapter 7 402

Log Parser Studio: Chapter 7 403

LogRhythm: Chapter 8 403

Mobile Devices 404

Elcomsoft: Chapter 9 404

Cellebrite: Chapter 9 404

iPhone Backup Extractor: Chapter 9 405

iPhone Backup Browser: Chapter 9 405

Pangu: Chapter 9 405

KingoRoot Application: Chapter 9 405

Kali Linux Tools 406

Fierce: Chapter 8 406

TCPdump: Chapter 3 406

Autopsy and Autopsy with the Sleuth Kit: Chapters 3, 6 406

Wireshark: Chapter 8 406

Exiftool: Chapter 7 407

DD: Chapter 6 407

Dcfldd: Chapter 6 408

Ddrescue: Chapter 6 408

Netcat: Chapter 6 408

Volatility: Chapter 6 408

Cisco Tools 408

Cisco AMP 408

Stealthwatch: Chapter 8 409

Cisco WebEx: Chapter 4 409

Snort: Chapter 11 409

ClamAV: Chapter 10 409

Razorback: Chapter 10 410

Daemonlogger: Chapter 10 410

Moflow Framework: Chapter 10 410

Firepower: Chapter 10 410

Threat Grid: Chapter 10 410

WSA: Chapter 10 410

Meraki: Chapter 10 411

Email Security: Chapter 10 411

ISE: Chapter 10 411

Cisco Tetration: Chapter 10 411

Umbrella: Chapter 10 411

Norton ConnectSafe: No Chapter 412

Cloudlock: Chapter 10 412

Forensic Software Packages 413

FTK Toolkit: Chapter 3 413

X-Ways Forensics: Chapter 3 413

OSforensics: Chapter 6 414

EnCase: Chapter 7 414

Digital Forensics Framework (DFF): Chapter 7 414

Useful Websites 414

Shodan: Chapter 1 414

Wayback Machine: Chapter 3 415

Robot.txt files: Chapter 2 415

Hidden Wiki: Chapter 2 415

NIST: Chapter 4 416

CVE: Chapter 4 416

Exploit-DB: Chapter 4 416

Pastebin: Chapters 4, 10 416

University of Pennsylvania Chain of Custody Form: Chapter 6 417

List of File Signatures: Chapter 9 417

Windows Registry Forensics Wiki: Chapter 7 417

Mac OS Forensics Wiki: Chapter 7 417

Miscellaneous Sites 417

Searchable FCC ID Database 418

Service Name and Transport Protocol Port Number Registry 418

NetFlow Version 9 Flow-Record Format 418

NMAP 418

Pwnable 418

Embedded Security CTF 419

CTF Learn 419

Reversing.Kr 419

Hax Tor 419

W3Challs 419

RingZer0 Team Online CTF 420

Hellbound Hackers 420

Over the Wire 420

Hack This Site 420

VulnHub 420

Application Security Challenge 421

iOS Technology Overview 421

Summary 421

9781587145025 TOC 1/10/2017

Submit Errata