Cover
Part I: Prepare
1. CHAPTER 1: The Threat Landscape
  1. Attacker Motivations
  2. Attack Methods
  3. Anatomy of an Attack
  4. The Modern Adversary
  5. Conclusion
2. CHAPTER 2: Incident Readiness
  1. Preparing Your Process
  2. Preparing Your People
  3. Preparing Your Technology
  4. Conclusion
Part II: Respond
1. CHAPTER 3: Remote Triage
  1. Finding Evil
  2. Guarding Your Credentials
  3. Conclusion
2. CHAPTER 4: Remote Triage Tools
  1. Windows Management Instrumentation Command‐Line Utility
  2. Forensically Sound Approaches
  3. PowerShell
  4. Incident Response Frameworks
  5. Conclusion
3. CHAPTER 5: Acquiring Memory
  1. Order of Volatility
  2. Local Memory Collection
  3. Remote Memory Collection
  4. Live Memory Analysis
  5. Conclusion
4. CHAPTER 6: Disk Imaging
  1. Protecting the Integrity of Evidence
  2. Dead‐Box Imaging
  3. Live Imaging
  4. Imaging Virtual Machines
  5. Conclusion
5. CHAPTER 7: Network Security Monitoring
  1. Security Onion
  2. Text‐Based Log Analysis
  3. Conclusion
6. CHAPTER 8: Event Log Analysis
  1. Understanding Event Logs
  2. Account‐Related Events
  3. Object Access
  4. Auditing System Configuration Changes
  5. Process Auditing
  6. Auditing PowerShell Use
  7. Using PowerShell to Query Event Logs
  8. Conclusion
7. CHAPTER 9: Memory Analysis
  1. The Importance of Baselines
  2. Sources of Memory Data
  3. Using Volatility and Rekall
  4. Examining Processes
  5. Examining Windows Services
  6. Examining Network Activity
  7. Detecting Anomalies
  8. Conclusion
8. CHAPTER 10: Malware Analysis
  1. Online Analysis Services
  2. Static Analysis
  3. Dynamic Analysis
  4. Reverse Engineering
  5. Conclusion
9. CHAPTER 11: Disk Forensics
  1. Forensics Tools
  2. Time Stamp Analysis
  3. Link Files and Jump Lists
  4. Prefetch
  5. System Resource Usage Monitor
  6. Registry Analysis
  7. Browser Activity
  8. USN Journal
  9. Volume Shadow Copies
  10. Automated Triage
  11. Linux/UNIX System Artifacts
  12. Conclusion
10. CHAPTER 12: Lateral Movement Analysis
  1. Server Message Block
  2. Kerberos Attacks
  3. PsExec
  4. Scheduled Tasks
  5. Service Controller
  6. Remote Desktop Protocol
  7. Windows Management Instrumentation
  8. Windows Remote Management
  9. PowerShell Remoting
  10. SSH Tunnels and Other Pivots
  11. Conclusion
Part III: Refine
1. CHAPTER 13: Continuous Improvement
  1. Document, Document, Document
  2. Validate Mitigation Efforts
  3. Building On Your Successes, and Learning from Your Mistakes
  4. Improving Your Defenses
  5. Conclusion
2. CHAPTER 14: Proactive Activities
  1. Threat Hunting
  2. Adversary Emulation
  3. Conclusion
Index
End User License Agreement

List of Tables

Chapter 3
1. Table 3.1: Common lateral movement connection ports
Chapter 4
1. Table 4.1: WMIC switches
2. Table 4.2: Common WMIC aliases
3. Table 4.3: Commonwhere clause WQL operators
4. Table 4.4: LIKE operator wildcards
5. Table 4.5: wmic verbs
6. Table 4.6: Common cmdlets useful for remote triage
Chapter 5
1. Table 5.1: Commonly usedwinpmem command switches
Chapter 7
1. Table 7.1: Protocol‐specific logs created by Zeek
2. Table 7.2: Additional Zeek logs of interest
3. Table 7.3: Samplegrep commands for searching for specific information
4. Table 7.4: Example uses ofcut and sort commands
Chapter 8
1. Table 8.1: Default event log fields
2. Table 8.2: Common Event ID 4768 result codes
3. Table 8.3: Common Event ID 4776 error code descriptions
4. Table 8.4: Logon event type code descriptions
5. Table 8.5: Common logon failure status codes
6. Table 8.6: Account management events
7. Table 8.7: Network share event IDs
8. Table 8.8: Scheduled task events
9. Table 8.9: Object handle event IDs
10. Table 8.10: Scheduled task activity event IDs
11. Table 8.11: Wi‐Fi connection event IDs
12. Table 8.12: Event ID 4688
13. Table 8.13: Windows Filtering Platform (WFP) event IDs
14. Table 8.14: Windows Defender suspicious event IDs
15. Table 8.15: Event IDs generated by Sysmon
16. Table 8.16: Example PowerShell event IDs in Microsoft‐Windows‐PowerShell%4Op...
17. Table 8.17: Example PowerShell event IDs in Windows PowerShell.evtx
Chapter 9
1. Table 9.1: Default Windows operating system processes
2. Table 9.2: Sample Rekall/Volatility plug‐ins
Chapter 11
1. Table 11.1: NtfsDisableLastAccessUpdate values
Chapter 12
1. Table 12.1: Account logon events
2. Table 12.2: Logon events
3. Table 12.3: RDP‐specific indicators in the Security event log

List of Illustrations

Chapter 2
1. Figure 2.1: The active cyber defense cycle
2. Figure 2.2: The NIST incident response life cycle
Chapter 3
1. Figure 3.1: RITA detecting a C2 beacon
2. Figure 3.2: Autoruns showing various Windows autostart locations
Chapter 4
1. Figure 4.1: An example of using WMIC to access a remote computer named DC1
2. Figure 4.2: WMIC help showing the arguments accepted by the list verb
3. Figure 4.3: Using WMIC to find executables running from the Downloads folder
4. Figure 4.4: Listing the updates applied to each system
5. Figure 4.5: PowerShell ISE IntelliSense feature at work as the user types
6. Figure 4.6: The PowerShell help system being used to access help on the Get‐...
7. Figure 4.7: The output of Get‐Process being piped into Get‐Member...
8. Figure 4.8: Formatting results with the Format‐Table cmdlet
9. Figure 4.9: Remote PowerShell session to computer DC1
10. Figure 4.10: Invoke‐Command in use
11. Figure 4.11: The Win32_Process object viewed through Get‐Member
12. Figure 4.12: Selecting specific properties from the Win32_Process class
Chapter 5
1. Figure 5.1: Paladin Toolbox being used to wipe removable media
2. Figure 5.2: Memory acquisition from Client1 to removable media
3. Figure 5.3: Metadata from a captured AFF4 file
4. Figure 5.4: The contents of the AFF4 file archive
5. Figure 5.5: Using a remote share to store the winpmem executable and receive...
6. Figure 5.6: Remote RAM capture to external media
7. Figure 5.7: Pushing the memory acquisition tool and running it with WMIC
8. Figure 5.8: Using PowerShell Remoting to initiate a remote RAM acquisition w...
9. Figure 5.9: Copying files from the remote system and ending the remoting ses...
10. Figure 5.10: The F‐Response Management Console
11. Figure 5.11: Capturing RAM from a remote system with F‐Response
12. Figure 5.12: Remotely installing Rekall using PowerShell Remoting
13. Figure 5.13: Running Rekall to analyze live memory on a remote system
Chapter 6
1. Figure 6.1: Adding an evidence item to FTK Imager
2. Figure 6.2: Select the type of evidence to add.
3. Figure 6.3: Select Export Disk Image on the physical device.
4. Figure 6.4: Selecting the image destination
5. Figure 6.5: The imaging process underway
6. Figure 6.6: Creating a bootable Paladin USB
7. Figure 6.7: Launching the Paladin Toolbox
8. Figure 6.8: The Paladin Disk Manager
9. Figure 6.9: The Paladin Imager tool
10. Figure 6.10: Adding a file to a custom content image
11. Figure 6.11: Custom content sources are displayed in the lower‐left pane.
12. Figure 6.12: Creating a custom content source manually
13. Figure 6.13: Mounting the AD1 image file for analysis
14. Figure 6.14: Using F‐Response to access storage media on a remote system
15. Figure 6.15: The ESXi datastore for the example virtual machine
Chapter 7
1. Figure 7.1: The recommended Security Onion architecture
2. Figure 7.2: The RealTime Events queue of the Sguil interface
3. Figure 7.3: Escalating or categorizing an event to remove it from the RealTi...
4. Figure 7.4: The Sguil GUI's right‐click context menu for pivoting to origina...
5. Figure 7.5: Pivoting based on the Destination IP address to search for other...
6. Figure 7.6: Squert web interface to access Sguil data
7. Figure 7.7: The Squert Summary tab dashboards
8. Figure 7.8: The Kibana web interface
9. Figure 7.9: A filtered view of the Zeek (Bro) connection logs
10. Figure 7.10: The bottom of each dashboard provides a panel to view the logs ...
11. Figure 7.11: A pinned filter being used to view logs and their associated fi...
12. Figure 7.12: Bar chart showing geographic locations of external IP addresses...
13. Figure 7.13: Suspicious Subject details in a server certificate
Chapter 8
1. Figure 8.1: Event Viewer showing default logs on Windows Server 2019
2. Figure 8.2: The filter options in Event Viewer
3. Figure 8.3: A successful interactive logon event
4. Figure 8.4: The XML representation of an event log record
5. Figure 8.5: Event ID 7045 showing a malicious service
6. Figure 8.6: The XML structure of the event‐specific data area of an Event ID...
Chapter 9
1. Figure 9.1: Default Windows process tree
2. Figure 9.2: Process Hacker showing child processes in different sessions (la...
3. Figure 9.3: tasklist /APPS showing UWP app‐related processes
4. Figure 9.4: Entering the Rekall shell to examine live system memory
5. Figure 9.5: Rekall's pslist plug‐in output
6. Figure 9.6: netscan plug‐in in action
Chapter 10
1. Figure 10.1: Joe Sandbox sample submission page
2. Figure 10.2: RegShot GUI setup
3. Figure 10.3: The Process Monitor user interface
4. Figure 10.4: Process Explorer user interface
5. Figure 10.5: FLARE VM with monitoring tools in place
6. Figure 10.6: The malware sample's social engineering ruse
7. Figure 10.7: Excel launching msiexec.exe (seen in the last two entries)
8. Figure 10.8: The Process Monitor Filter window
9. Figure 10.9: Excel finding and launching msiexec.exe as observed by Process ...
10. Figure 10.10: The Process Monitor event showing the creation of the msiexec....
11. Figure 10.11: High‐level Cuckoo architecture
12. Figure 10.12: A basic Cuckoo sandbox setup
13. Figure 10.13: The Cuckoo Sandbox web interface
14. Figure 10.14: Cuckoo sandbox analysis options
15. Figure 10.15: Additional analysis options in Cuckoo
16. Figure 10.16: CAPE sandbox report example
17. Figure 10.17: The Ghidra software reverse‐engineering framework
Chapter 11
1. Figure 11.1: Timeline view in Magnet Axiom
2. Figure 11.2: A link from a jump list displayed in Magnet Axiom
3. Figure 11.3: The App history tab of Task Manager displays a portion of the d...
4. Figure 11.4: The SRUM entry for a PowerShell process displayed on Magnet Axi...
5. Figure 11.5: The Windows registry as displayed by the Registry Editor
6. Figure 11.6: The image path of each service's associated executable is found...
7. Figure 11.7: Registry Explorer used to view the Run key for unauthorized exe...
8. Figure 11.8: Amcache.hve parsed by Magnet Axiom
9. Figure 11.9: Shellbags as seen in ShellBags Explorer
10. Figure 11.10: Google Analytics’ first visit cookie viewed in Magnet Axiom
11. Figure 11.11: The Zone.Identifier alternate data stream showing the source o...
12. Figure 11.12: The location of the USN journal data seen in FTK Imager
13. Figure 11.13: The vssadmin list shadows command showing available volume sha...
14. Figure 11.14: Volume shadow copies loading into Magnet Axiom
15. Figure 11.15: The KAPE graphical user interface
Chapter 12
1. Figure 12.1: Standard account logon and logon event IDs
2. Figure 12.2: Remote file access account logon and logon event records
3. Figure 12.3: Event ID 4648 showing explicit credential use
4. Figure 12.4: An overpass‐the‐hash attack allowing the jlemburg account to im...
5. Figure 12.5: Event ID 4648 showing both the original and the stolen credenti...
Chapter 13
1. Figure 13.1: The MITRE ATT&CK matrix
2. Figure 13.2: The Windows Defender Exploit Guard configuration screen
Chapter 14
1. Figure 14.1: The threat‐hunting process
2. Figure 14.2: The ATT&CK Navigator interface
3. Figure 14.3: The CMSTP technique explanation
4. Figure 14.4: Additional details about preventing and detecting the CMSTP tec...
5. Figure 14.5: MITRE ATT&CK also tracks known techniques of threat actor group...
6. Figure 14.6: Using MITRE ATT&CK Navigator to highlight the techniques used b...
7. Figure 14.7: Each atomic test is grouped by the associated MITRE technique n...
8. Figure 14.8: Categorized list of all atomic tests
9. Figure 14.9: The files needed for the CMSTP tests
10. Figure 14.10: The markdown document describing technique T1191

Published simultaneously in Canada

ISBN: 978-1-119-56026-5

ISBN: 978-1-119-56028-9 (ebk)

ISBN: 978-1-119-56031-9 (ebk)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2019954524

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Preface

Incident response requires a working knowledge of many different specialties. A good incident handler needs to be proficient in log analysis, memory forensics, disk forensics, malware analysis, network security monitoring, scripting, and command‐line kung fu. It is an amazingly difficult task and one that requires constant training across a range of disciplines. That's where this book comes in. In between these covers (or in this digital file), you will find the distilled essence of each of these specialized areas. Whether you are an IT professional looking to broaden your understanding of incident response, a student learning the ropes for the first time, or a hardened veteran of the cyber trenches in search of a quick reference guide, this book has you covered.

This work is not focused on high‐level theory, management approaches, or global policy challenges. It is written by and for hands‐on practitioners who need to detect, deter, and respond to adversarial actions within their networks on a daily basis. Drawing on experience performing intrusion investigations for the Federal Bureau of Investigation (FBI) and U.S. Department of Defense, consulting for global clients, developing digital forensics and cyber investigative capabilities for dozens of national police forces, and working with students in hundreds of courses delivered for the U.S. State Department, the FBI Academy, and SANS, I have attempted to provide the most effective and actionable techniques possible for addressing modern cyber adversaries. I have also sought out the opinions, guidance, reviews, and input of many experts (who are far smarter than I am) in the various specialties presented in this book to ensure that the most current and relevant techniques are accurately presented. The end result may bear the name of a single author, but it is truly a collective work. As a result, I will use the plural “we” for first‐person interjections to bear witness to the many practitioners and editors who helped make this work possible.

This book is in many ways a follow‐up to Mastering Windows Network Forensics and Investigation, 2nd Edition (Sybex, 2012). While that book still contains many useful techniques for dealing with incidents more than 10 years since the release of its first edition, a great deal has changed since it was initially conceived. Threat actors are more advanced; breaches occur at a faster pace; the tactics, techniques, and procedures (TTPs) used by organized criminals and nation‐state actors have merged; and code from each attack campaign is routinely reused by other threat actors. The days of pulling massive numbers of hard drives for static imaging and performing full forensic analysis of each have given way to performing targeted forensic examinations, searching live RAM across thousands of systems for injected malware, interrogating systems through scripts for indicators of compromise, and using data visualization techniques to detect malicious lateral movement among seemingly countless legitimate events. Modern threats require a different and more dynamic approach, and that is what you will find here: effective techniques for incident response that you can immediately apply in your environment.

What We Will Cover

This book approaches incident response as a cycle rather than a stand‐alone process. While we will cover several different incident response models, to achieve cyber resiliency, incident handling must feed into an overall cycle of prevention, detection, and response. Networks can no longer rely solely on preventive security defenses, viewing incident handling as an isolated and discreet activity. Instead, incident response must be an ongoing part of active defensive operations, feeding intelligence and information to network defenders to not only respond to current threats but to help mitigate future ones. We will cover a range of technical skills needed to achieve this objective over the following chapters:

Part I: Prepare
Chapter 1—“The Threat Landscape”: Over the last decade, offensive cyber operations have become a leading source of revenue for organized crime, a key method of nation‐state espionage, and an emerging weapon of war. Understanding modern adversaries and their attack vectors is a key step to effectively defending a network.
Chapter 2—“Incident Readiness”: If you are not prepared for battle, the war is over before it even begins. This chapter provides you with the tools necessary to prepare your network, your team, and your process for effective incident response.
Part II: Respond
Chapter 3—“Remote Triage”: Incidents can rapidly evolve from a single beachhead system to total domain domination. In order to properly scope and respond to an incident, you need the ability to triage systems, assess the impact of the incident, and identify impacted systems throughout the enterprise. This chapter arms you with the knowledge necessary to seek out evil in your environment.
Chapter 4—“Remote Triage Tools”: Building on the knowledge gained in Chapter 3, this chapter provides you with specific techniques and tools to interrogate systems throughout the network, identify those that may be compromised, and initiate containment and mitigation steps.
Chapter 5—“Acquiring Memory”: Once a system is identified as potentially compromised, the next logical step for an incident handler is to capture the contents of volatile memory from the system. This chapter explores various methods and tools to capture memory from local or remote systems in a forensically sound manner.
Chapter 6—“Disk Imaging”: In addition to volatile data, forensic imaging of nonvolatile storage devices such as hard disks and solid‐state disks may be necessary to preserve evidence and facilitate analysis of a compromised system. This chapter provides tools and techniques to obtain a forensic image from local and remote systems.
Chapter 7—“Network Security Monitoring”: Monitoring and analyzing network communications provides critical visibility and information to incident responders. This chapter looks at telemetry gathered from the network to aid in the incident response process and ways to fuse that information with endpoint data to achieve a more complete picture of network activity.
Chapter 8—“Event Log Analysis”: Windows event logs record granular details of system activity throughout a Windows environment. By aggregating and analyzing these logs, incident responders can reconstruct attacker activity. This chapter teaches you the skills necessary to understand and interpret this vital piece of evidence.
Chapter 9—“Memory Analysis”: Modern attackers increasingly avoid making changes to disk as a mechanism of evading detection, making volatile memory an important battlefield. Whether analyzing a previously collected RAM dump or the volatile memory from a running system, being able to parse data structures in RAM to understand the details of system activity is a key skill for any incident handler.
Chapter 10—“Malware Analysis”: Even with the rise of “living off the land” techniques, malware remains an important tool in the attacker's toolbox. This chapter gives you practical skills you can use to analyze suspected malware with both static and dynamic approaches.
Chapter 11—“Disk Forensics”: Analysis of nonvolatile storage from impacted systems can identify indicators of compromise, uncover TTPs of your adversary, and document the impact of the intrusion. This chapter provides you with the skills needed to do a deep‐dive analysis of an impacted system in a forensically sound manner.
Chapter 12—“Lateral Movement Analysis”: Many intrusions begin with a client‐side attack followed by lateral movement. We combine the skills learned in previous chapters and apply them to identifying lateral movement within your environment. This chapter explains the techniques used by adversaries to spread throughout an environment and the steps you can take as an incident handler to counter them.
Part III: Refine
Chapter 13—“Continuous Improvement”: Once a suspected incident is effectively mitigated, the information gained during the incident response needs to feed back into the overall organizational defensive posture. Understanding controls, telemetry, procedures, and training that can help mitigate future incidents helps harden your environment for the next attack.
Chapter 14—“Proactive Activities”: Incident response should not be purely reactive. Your team should actively engage in threat hunting, purple team exercises, and adversary emulation to identify potential intruders, blind spots, and gaps in your defensive posture. This chapter discusses ways to ensure that your team continuously strives to outwit the adversary.

How to Use This Book

The best way to approach this book depends on your current skill level. We assume a basic knowledge in networking, so if you are not yet familiar with core networking concepts such as ports, protocols, and IP addresses, this may not be the best place to start your journey into incident response.

If you are a student looking to build on foundational IT knowledge and embark on the next leg of your journey into IT security, then welcome! Working through each section either as part of a course or on your own will provide you with a detailed overview of the field and give you the opportunity to identify the facets of incident response that most appeal to you for further study.

IT administrators seeking to better defend their networks are also part of the intended audience. Network defense requirements have shifted away from purely preventive approaches to a combination of prevention, detection, and response. Today's adversaries are dedicated and capable, and with enough effort, they can breach any network. Administrators need to know how to recognize, contain, and respond to incidents that may occur within their environment. Learning core incident response skills will help IT practitioners better secure and defend their networks to protect operations. Skim the whole book and focus on the areas of greatest interest to you, knowing that the rest of it will be there to help you deepen your understanding when you are ready.

If you are already an incident response professional, you know the challenge of trying to keep track of all the various skills needed to do your job. For you, we offer the ability to catch up on the latest techniques, hone your skills in areas where you may not be as comfortable, and provide a valuable reference to quickly look up the event ID, registry key, PowerShell cmdlet, or other technical detail needed to address your current challenge. You will likely pick up several useful tips and tricks along the way to make you a more efficient and effective incident handler.

Regardless of your starting point, you will find additional online references located at www.AppliedIncidentResponse.com, this book's official website. We will continue to update the site with new techniques and updates related to the topics covered here to ensure that you have access to current information.

We use several different formatting conventions throughout the book:

Commands are set in monospace font.
Commands that are to be typed by the user (as opposed to prompts or output) are in bold monospace.
Context‐variable command input (such as IP addresses) are in monospace italics or <monospace in angle brackets>.
If a command is too long to fit a on a single line in print, we will use a ↵ to show that the line continues.

Building a Test Lab

One of the best ways to learn any IT‐related subject is to build a test environment and practice, and incident response is no exception. We will provide you with a wide range of commands, tools, and techniques as we proceed, and having a test lab where you can experiment in a hands‐on fashion is invaluable for being able to apply these skills in your production environment. To facilitate this, we will provide some tips (and a script) to help you quickly get a test domain up and running.

First, you will need to pick your virtualization platform. VMWare is a popular and reliable choice. If you need to run your test environment on top of an existing host OS, then the free VMWare Workstation Player (www.vmware.com/products/workstation-player.html) may be an option for you. If you can spare a separate partition or separate bare‐metal system, then VMWare ESXi (www.vmware.com/products/esxi-and-esx.html) provides a free platform and the benefit of working with a product that is implemented in many production environments. Of course, if you prefer HyperV or other (perhaps open‐source) virtualization products, those will also work perfectly well.

The next step is to identify the operating systems that you would like to include in your test environment. Microsoft offers free trial licenses of many of its products with a EULA that permits evaluation for testing. For server products, you will find the licenses and downloads at www.microsoft.com/en-us/evalcenter/evaluate-windows-server, and for the client systems, you can find downloads available at developer.microsoft.com/en-us/microsoft-edge/tools/vms. You can also find a wide range of Linux/UNIX (referred to as “*nix” throughout this book) distributions freely available. Many of these such as Security Onion, the SANS Investigative Forensics Toolkit (SIFT), and Sumuri's Paladin are focused on providing security and forensics capabilities that rival or exceed those of commercial products. We will explore each of these in the coming chapters.

After you obtain your virtualization software and test operating systems, you will need to configure them into a suitable test domain. We provide a PowerShell script on the www.AppliedIncidentResponse.com website to help you create the same environment that we use throughout this book, complete with user accounts and groups.

About the Author

Steve Anson is a former U.S. federal agent with experience working all manners of cyber‐related cases for an FBI Cybercrime Task Force and the U.S. Department of Defense Criminal Investigative Service. Steve taught computer intrusion investigation at the FBI Academy and works with national police agencies around the globe as a contractor with the U.S. Department of State's Antiterrorism Assistance Program, where he helps develop sustainable organizational capabilities in digital forensics and cyber investigations. As co‐founder of leading IT security company Forward Defense (www.forwarddefense.com), he provides security consulting services to government and private sector clients around the world. Steve is a Certified Instructor with the SANS Institute, teaching courses on securing and defending network environments.

About Other Contributors

Several other contributors have reviewed and provided advice to make this book possible. At the top of that list is Technical Editor Mick Douglas. Mick is the founder of Infosec Innovations and a SANS Certified Instructor who generously provided in‐depth technical editing of every page. He spent countless hours working with the author to refine the technical information presented in this book, ensure its accuracy, and suggest topics for inclusion in the final work. Mick's contributions can be felt in every chapter as he suggested tools and techniques to enhance the information provided every step of the way.

Mary Ellen Schutz, Jeff Parker, and the rest of the Wiley editing team did a great job of ensuring that the final product met the high standards set by Wiley. Nicole Zoeller likewise lent her quality management skills to the project, reviewing each chapter before it went to print. In addition to the core team, individual chapters were also reviewed by some of the foremost authorities in the various specialties covered. These experts took the time to review and suggest changes to chapters in their specialties to ensure that the book contains the most current and applicable topics.

Chapter 2 was reviewed by Michael Murr, an experienced incident handler, researcher, and developer who has worked in a variety of sensitive environments. The co‐author of the SANS “SEC504: Hacker Techniques, Exploits, and Incident Handling” class, Mike provided valuable insight into this chapter on preparing for an incident.

Alissa Torres, the lead author of the SANS “FOR526: Memory Forensics In‐Depth” course, and Anurag Khanna (@khannaanurag) both provided suggestions for topics and tips to include in the memory forensics chapters (Chapters 5 and 9).

Chapter 7 on network security monitoring was reviewed and improved by John Hubbard. John is a former SOC Lead for GlaxoSmithKline, with years of experience defending networks against advanced adversaries. He is the author of the SANS “SEC450: Blue Team Fundamentals” and the “SEC455: SIEM Design and Implementation” courses.

Chapter 11 on disk forensics benefited greatly from review and suggestions from Eric Zimmerman. Eric is a former special agent with the FBI who now serves as senior director for Kroll's cybersecurity and investigations practice. Eric teaches several SANS forensics courses as a Certified Instructor and is the co‐author of the SANS “FOR498: Battlefield Forensics & Data Acquisition” course.

Chapter 12 on lateral movements techniques was reviewed by Tim Medin, the founder of Red Siege (www.redsiege.com), the man who discovered Kerberoasting, and the lead author of the SANS “SEC560: Network Penetration Testing and Ethical Hacking” course. Tim's extensive experience in offensive cybersecurity helped ensure that the techniques discussed were those you will most likely see should an intrusion occur in your environment.

Chapter 13 was reviewed by Erik Van Buggenhout, the lead author of the SANS “SEC599: Defeating Advanced Adversaries” course. Erik also suggested many other topics that are covered throughout the book on preventing, detecting, and defeating cyber adversaries.

Each of these contributors made significant improvements to this book, and leveraging their individual areas of expertise ensured that the final product provides you with the most valuable topics and technical details. We hope that it will help you improve the defensive stance of your network now and into the future.

Finally, the author would like to thank his parents, for providing the opportunities and assistance that made everything that followed possible.

Applied Incident Response