Cloud Forensics Demystified : Decoding Cloud Investigation Complexities for Digital Forensic Professionals

Cloud Forensics Demystified Decoding Cloud Investigation Complexities for Digital Forensic Professionals

Enhance your skills as a cloud investigator to adeptly respond to cloud incidents by combining traditional forensic techniques with innovative approaches Key Features Uncover the steps involved in cloud forensic investigations for M365 and Google Workspace Explore tools and logs available within AWS...

Descripción completa

Detalles Bibliográficos
Otros Autores: Ramakrishnan, Ganesh, author (author), Haqanee, Mansoor, author
Formato: Libro electrónico
Idioma:Inglés
Publicado: Birmingham, England : Packt Publishing [2024]
Edición:First edition
Materias:
Computer crimes > Investigation.
Forensic sciences > Data processing.
Cloud computing.
Information storage and retrieval systems.
Ver en Biblioteca Universitat Ramon Llull:https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009805128506719
Tabla de Contenidos:
  • Cover
  • Title Page
  • Copyright and Credits
  • Contributors
  • Table of Contents
  • Preface
  • Part 1: Cloud Fundamentals
  • Chapter 1: Introduction to the Cloud
  • Advantages and disadvantages of cloud computing
  • An overview of cloud services
  • Cloud deployment models
  • Cloud adoption success stories
  • Impact of the cloud and other technologies
  • Summary
  • Further reading
  • Chapter 2: Trends in Cyber and Privacy Laws and Their Impact on DFIR
  • The role of a breach counselor (breach coach)
  • General legal considerations for cloud adoption
  • eDiscovery considerations and legal guidance
  • Digital forensics challenges
  • Legal frameworks for private data
  • Contractual private data
  • Regulated private data
  • Jurisdictional requirements in relation to private data
  • Legal implications for data retention and deletion
  • Responsibilities and liabilities of the cloud and their implications for incident response
  • Jurisdiction and cross-border data transfers
  • Summary
  • Further reading
  • Chapter 3: Exploring the Major Cloud Providers
  • Amazon Web Services (AWS)
  • Amazon Elastic Compute Cloud (EC2)
  • Amazon Virtual Private Cloud (VPC)
  • Amazon Simple Storage Service (S3)
  • AWS Identity and Access Management (IAM)
  • Amazon Relational Database Service (RDS)
  • Microsoft Azure
  • Microsoft Azure virtual machines
  • Microsoft Azure Virtual Network
  • Microsoft Azure Blob Storage
  • Microsoft Azure Active Directory (Azure AD)
  • Microsoft Azure SQL Database
  • Google Cloud Platform (GCP)
  • Google Compute Engine (GCE)
  • Google Virtual Private Cloud (VPC)
  • Google Cloud Storage (GCS)
  • Google Cloud SQL
  • Other cloud service providers
  • Summary
  • Further reading
  • Chapter 4: DFIR Investigations - Logs in AWS
  • VPC flow logs
  • VPC basics
  • Sample VPC flow log
  • DFIR use cases for VPC flow logging
  • S3 access logs.
  • Logging options
  • DFIR use cases for S3 monitoring
  • AWS CloudTrail
  • Creating a trail
  • Event data stores
  • Investigating CloudTrail events
  • DFIR use cases for CloudTrail logging
  • AWS CloudWatch
  • CloudWatch versus CloudTrail
  • Setting up CloudWatch logging
  • Querying CloudWatch logs on the AWS console
  • DFIR use cases for CloudWatch
  • Amazon GuardDuty
  • Amazon Detective
  • Summary
  • Further reading
  • Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics
  • Chapter 5: DFIR Investigations - Logs in Azure
  • Azure Log Analytics
  • Azure Virtual Networks
  • NSG flow logs
  • Azure Storage
  • Azure Monitor
  • Azure Virtual Machines log analysis
  • Microsoft Defender for Cloud
  • NSG flow logs
  • Microsoft Sentinel
  • Summary
  • Further reading
  • Chapter 6: DFIR Investigations - Logs in GCP
  • GCP core services
  • GCP IAM
  • GCP's IAM roles and identities
  • Policy Analyzer
  • DFIR use cases for Policy Analyzer
  • GCP Logs Explorer
  • Overview of log buckets
  • DFIR use cases for using Logs Explorer
  • Familiarizing with Logs Explorer
  • VPC Flow Logs
  • Enabling VPC Flow Logs
  • Hunting VPC Flow Logs for malicious activities
  • Packet Mirroring
  • Compute Engine logs
  • GCP's logging platform
  • GCP's default logging
  • Logging Dataflow pipelines
  • GCP storage logs
  • Storage permissions
  • Storage object logging
  • Investigating GCP Cloud storage logs
  • Cloud Security Command Center (Cloud SCC)
  • IAM roles
  • Threats and Findings dashboards
  • GCP Cloud Shell
  • Summary
  • Further reading
  • Chapter 7: Cloud Productivity Suites
  • Overview of Microsoft 365 and Google Workspace core services
  • Microsoft 365
  • Google Workspace
  • IAM in Microsoft 365 and Google Workspace
  • Microsoft 365
  • Google Workspace
  • Auditing and compliance features in Microsoft 365 and Google Workspace.
  • Microsoft 365's Security and Compliance Center (Microsoft Purview)
  • Google Workspace Admin console and security features
  • Summary
  • Further reading
  • Part 3: Cloud Forensic Analysis - Responding to an Incident in the Cloud
  • Chapter 8: The Digital Forensics and Incident Response Process
  • The basics of the incident response process
  • Tools and techniques for digital forensic investigations
  • Prerequisites
  • Cloud host forensics
  • Memory forensics
  • Live forensic analysis and threat hunting
  • EDR-based threat hunting
  • Hunting for malware
  • Common persistence mechanisms
  • Network forensics
  • Basic networking concepts
  • Cloud network forensics - log sources and tools
  • Network investigation tools
  • Malware investigations
  • Setting up your malware analysis lab
  • Working with packed malware
  • Binary comparison
  • Traditional forensics versus cloud forensics
  • Summary
  • Further reading
  • Chapter 9: Common Attack Vectors and TTPs
  • MITRE ATT&amp
  • CK framework
  • Forensic triage collections
  • Host-based forensics
  • Evidence of intrusion
  • Prefetch analysis
  • AmCache analysis
  • ShimCache analysis
  • Windows Event Logs
  • Analyzing memory dumps
  • Misconfigured virtual machine instances
  • Unnecessary ports left open
  • Default credentials left unchanged
  • Outdated or unpatched software
  • Publicly exposed sensitive data (or metadata)
  • Misconfigured storage buckets
  • Public permissions
  • Exposed API keys or credentials
  • Improper use of IAM policies
  • Cloud administrator portal breach
  • Summary
  • Further reading
  • Chapter 10: Cloud Evidence Acquisition
  • Forensic acquisition of AWS instance
  • Step 1 - creating EC2 volume snapshots
  • Step 2 - acquiring OS memory images
  • Step 3 - creating a forensic collector instance
  • Step 4 - creating and attaching infected volume from snapshots.
  • Step 5 - exporting collected images to AWS S3 for offline processing
  • Forensic acquisition of Microsoft Azure Instances
  • Step 1 - creating an Azure VM Snapshot
  • Step 2 - exporting an Azure VM snapshot directly
  • Step 3 - connecting to an Azure VM for memory imaging
  • Forensic acquisition of GCP instances
  • Step 1 - creating a snapshot of the compute engine instance
  • Step 2 - attaching a snapshot disk for forensic acquisition
  • Step 3 - connecting to the GCP compute engine instance for memory acquisition
  • Summary
  • Further reading
  • Chapter 11: Analyzing Compromised Containers
  • What are containers?
  • Docker versus Kubernetes
  • Types of containers and their use cases
  • Detecting and analyzing compromised containers
  • About the Kubernetes orchestration platform
  • Acquiring forensic data and container logs for analysis
  • Summary
  • Further reading
  • Chapter 12: Analyzing Compromised Cloud Productivity Suites
  • Business email compromise explained
  • BEC attack phases
  • Common types of BECs
  • Initial scoping and response
  • Remediation steps
  • Microsoft 365 incident response
  • Tooling
  • Analysis
  • Google Workspace incident response
  • Tooling
  • Analysis
  • Summary
  • Further reading
  • Index
  • Other Books You May Enjoy.

Ejemplares similares