CNIT 152: Incident Response

Fall 2020 Sam Bowne

78482 501 Mon 6:10 - 9 pm

Schedule · Lectures · Projects

Livestream: https://zoom.us/j/4108472927
Password: student1

Free Textbook Access

Go here
Click "Safari Online"
In the "Select your Institution" drop-down list box, click "Not listed? Click here"
Enter your CCSF email address
Enter the book's title the "Find a Solution..." field

Textbook

Incident Response & Computer Forensics, Third Edition by by Jason Luttgens, Matthew Pepe, and Kevin Mandia
Publisher: McGraw-Hill Education; 3 edition (August 1, 2014)
Sold by: Amazon Digital Services, LLC
ASIN: B00JFG7152
Kindle edition: $36, Paper edition: $16 (prices I saw on 4-10-16 at Amazon)
Buy from Amazon ($15 - $40)

Catalog Description

When computer networks are breached, incident response (IR) is required to assess the damage, eject the attackers, and improve security measures so they cannot return. This class covers the IR tools and techniques required to defend modern corporate networks. This class is part of the Advanced Cybersecurity Certificate.

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.
CCSF students should take quizzes in the CCSF online Canvas system: https://ccsf.instructure.com/
Non-CCSF students: Enroll Here (reset password, if needed)

Discussion Board

Each CCSF student must contribute to the Discussion Board in Canvas. There are dates listed in the schedule with Discussion assignment due.
For the topics and requirements, see the Discussion board in Canvas.

Email

For questions, please send a message inside Canvas or email cnit.152sam@gmail.com

Schedule

Mon 8-17

1 Real-World Incidents

Mon 8-24

Quizzes: Ch 1 & 2 *
Proj ED 200 due *
Discussion 1 *

2 IR Management Handbook

Mon 8-31

Quiz: Ch 3 *
Proj IR 201 & IR 202 due *
Discussion 2 *

3 Pre-Incident Preparation
Splunk BoTS Demonstration

Fri 9-4

Last Day to Add

Mon 9-7

Holiday: No Class

Mon 9-14

Quiz: Ch 4-5
Proj IR 308 & H 221 due
Discussion 3

4 Getting the Investigation Started on the Right Foot
5 Initial Development of Leads

Mon 9-21

Quiz: Ch 6-7
Proj IR 301 & 330 due
Discussion 4

6 Discovering the Scope of the Incident
7 Live Data Collection

Mon 9-28

Quiz: Ch 8
Proj IR 304 & 305 due
Discussion 5

8 Forensic Duplication

Mon 10-5

No Quiz due
Proj IR 306 & 307 due
Discussion 6

Steven Booth CSO, FireEye

Mon 10-12

Holiday: No Class

Mon 10-19

Quiz: Ch 9
Proj IR 350 due
Discussion 7

9 Network Evidence

Mon 10-26

Quiz: Ch 10
Proj IR 351 due
Discussion 8

10 Enterprise Services

Mon 11-2

Quiz: Ch 11
No Proj due
Discussion 9

11 Analysis Methodology

Sergio Nevarez

Mon, Nov 9, 6 PM

Red teaming and AWS badassery

Mon 11-16

Quiz: Ch 12 (Part 1)
Proj ATT 1 and 2 due
Discussion 10

12 Investigating Windows Systems (Part 1)

Mon 11-23

Quiz: Ch 12 (Part 2)
Proj ATT 3, 4, & 5 due
Discussion 11

12 Investigating Windows Systems (Part 2)

Mon 11-30

Quiz: Ch 12 (Part 3)
ATT 6 & 7 due
Discussion 12

12 Investigating Windows Systems (Part 3)

Matt Shelton

Mon, Dec 7, 6 PM

Director of Technical Risk and Intelligence at FireEye
APT intelligence, anatomy of attacks, breach response, etc.

Will be recorded and posted on YouTube

Last Class
All Extra Credit due

Fri 12-11 -
Fri 12-18

Final Exam available online throughout the week.
You can only take it once.

All quizzes due 30 min. before class
* No late penalty until 9-8

Lectures
Grading Policy (pdf) Syllabus (pdf) 1 Real-World Incidents · KEY (Updated 8-17-20) 2 IR Management Handbook · KEY 3 Pre-Incident Preparation · KEY 4 Getting the Investigation Started on the Right Foot & 5 Initial Development of Leads · KEY 6 Discovering the Scope of the Incident & 7 Live Data Collection · KEY 8 Forensic Duplication · KEY 9 Network Evidence · KEY 10 Enterprise Services · KEY 11 Analysis Methodology · KEY 12 Investigating Windows Systems (Part 1 of 3) · KEY 12 Investigating Windows Systems (Part 2 of 3) · KEY · PDF 12 Investigating Windows Systems (Part 3 of 3) · KEY 13 Investigating Mac OS X Systems · KEY 14 Investigating Applications · KEY ~~15 Malware Triage~~ 16 Report Writing · KEY 17 Remediation Introduction (Part 1) · KEY 18 Remediation Case Study
Note: the Slideshare lectures are for CNIT 152 even if they start with a page saying "CNIT 121".

Lectures

Grading Policy (pdf)
Syllabus (pdf)
1 Real-World Incidents · KEY (Updated 8-17-20)
2 IR Management Handbook · KEY
3 Pre-Incident Preparation · KEY
4 Getting the Investigation Started on the Right Foot &
5 Initial Development of Leads · KEY
6 Discovering the Scope of the Incident &
7 Live Data Collection · KEY
8 Forensic Duplication · KEY
9 Network Evidence · KEY
10 Enterprise Services · KEY
11 Analysis Methodology · KEY
12 Investigating Windows Systems (Part 1 of 3) · KEY
12 Investigating Windows Systems (Part 2 of 3) · KEY · PDF
12 Investigating Windows Systems (Part 3 of 3) · KEY
13 Investigating Mac OS X Systems · KEY
14 Investigating Applications · KEY
~~15 Malware Triage~~
16 Report Writing · KEY
17 Remediation Introduction (Part 1) · KEY
18 Remediation Case Study

Note: the Slideshare lectures are for CNIT 152
even if they start with a page saying "CNIT 121".

Links
Links for Chapter Lectures Ch 1a: Deconstructing a Credit Card's Data Ch 1b: Mitigating Fraud Risk Through Card Data Verification Ch 1c: What data is stored on a payment card's magnetic stripe? Ch 2a: The OpenIOC Framework Ch 3a: Free Email Certificate \| Secure SSL Certificate from Comodo Ch 3b: Digitally Sign & Encrypt Emails Ch 3c: 3 Alternatives to the Now-Defunct TrueCrypt for Your Encryption Needs Ch 3d: VeraCrypt - Home Ch 3e: Security Onion Ch 3f: Network Security Toolkit (NST 24) Ch 3g: Skynet Solutions : EasyIDS Ch 3h: NIST Computer Forensic Tool Testing Program Ch 3i: Evidence Tags and Chain of Custody Forms Ch 3j: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Ch 3k: Federal Rules of Evidence Ch 3l: Security Technical Implementation Guides (STIGs) for host hardening Ch 3k: Securing Windows Service Accounts (Part 1) Ch 3l: Download Splunk Enterprise for free Ch 3m: GitHub - mcholste/elsa: Enterprise Log Search and Archive Ch 3n: Snare SIEM Software Products Ch 3o: SIEM, Security Information Event Management, ArcSight \| Hewlett Packard Enterprise Ch 3p: RSA enVision SIEM \| EMC RSA Ch 3q: Building a DNS Blackhole with FreeBSD Ch 3r: Windows DNS Server Sinkhole Domains Tool \| SANS Institute Ch 5a: Report Crimes Against Children \| Department of Justice Ch 7a: Redline User Guide Ch 7b: LINReS \| Network Intelligence India Pvt. Ltd.(NII Consulting), Mumbai Ch 7c: LiME – Linux Memory Extractor Ch 7d: Memoryze for Mac Ch 7e: Use the Mandiant Redline memory analysis tool for threat assessments Ch 8a: Host protected area - Wikipedia Ch 8b: Device configuration overlay - Wikipedia Ch 9a: Basic Snort Rules Syntax and Usage Ch 9b: Snort: Re: Rule for detecting ssh Ch 9c: OptiView XG Network Analysis Tablet Ch 9c: Network TAPs Ch 9d: Security Onion Ch 9e: Chapter 9 Scenario PCAPs - Incident Response and Computer Forensics, 3rd Edition Ch 9f: Download NetWitness Investigator Ch 9g: Old NetWitness Project Ch 10a: Analyze Microsoft DHCP Server Log Files Ch 10b: More About Microsoft DHCP Audit and Event Logging Ch 10c: DHCP \| Internet Systems Consortium Ch 10d: Linux How To/Tutorial: Checking DHCP Logs Ch 10e: using the ISC DHCP log function for debugging Ch 10f: BIND \| Internet Systems Consortium Ch 10g: DNSCAP - DNS traffic capture utility \| DNS-OARC Ch 10h: IT Information Systems Management Software \| LANDESK Ch 10i: Parsing Landesk Registry Entries FTW Ch 10k: LANDesk SoftMon Monitoring Information Ch 10l: How to browse Software License Monitoring data ... \|LANDESK User Community Ch 10m: RegRipper Ch 10n: GitHub - keydet89/RegRipper2.8 Ch 10o: GitHub - jprosco/registry-tools: Registry Forensics Tools Ch 10p: Client Management Suite \| Symantec Ch 10q: Altiris Inventory Solution™ 7.1 SP2 from Symantec™ User Guide Ch 10r: Symantec Quarantined VBN file decoder Ch 10s: John McAfee calls McAfee anti-virus "one of the worst products on the ... planet" Ch 10t: Removing a PHP Redirector Ch 10u: Understanding IIS 7 log files - Stack Overflow Ch 11i: Filesystem Timestamps: What Makes Them Tick? Ch 11j: File System Forensic Analysis: Brian Carrier Ch 11k: Uuencoding - Wikipedia Ch 11l: National Software Reference Library Ch 11m: Nsrllookup Ch 11n Security Firm Bit9 Hacked, Used to Spread Malware (2013) Other Links Yelp/osxcollector: A forensic evidence collection & analysis toolkit for OS X ProcDump SecureZeroMemory function (Windows) Under My Thumbs -- Revisiting Windows thumbnail databases Using Mandiant Redline to discover Meterpreter process injection - YouTube Elcomsoft Advanced mobile forensics: iOS (iPhone and iPad), Windows Phone and BlackBerry 10 Aid4Mail Now (Free Trial) New Unsorted Links osquery \| Easily ask questions about your Linux, Windows, and macOS infrastructure GitHub - Yelp/osxcollector: A forensic evidence collection & analysis toolkit for OS X OS X Incident Response: Scripting and Analysis--RECOMMENDED GitHub - google/grr: GRR Rapid Response: remote live forensics for incident response KnockKnock shows you what's persistently installed on your Mac! -- RECOMMENDED GitHub - Yelp/amira: AMIRA: Automated Malware Incident Response & Analysis Cyphort: Anti-SIEM reduces SIEM cost, noise, complexity, and wasted time Collect NTFS forensic information with osquery Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk) Kit Hunter, a phishing kit detection script -- USEFUL FOR PROJECTS Log-MD Tool Free Version Threat Hunting Workshop--USE FOR PROJECTS ATT&CK Matrix - ATT&CK for Enterprise GitHub - redcanaryco/atomic-red-team: Small and highly portable detection tests based on MITRE's ATT&CK. Log Management & Security Analytics, Continuous Intelligence: Sumo Logic Rekall Forensics Public PCAP files for download Automated Malware Analysis - Joe Sandbox Free Automated Malware Analysis Sandboxes and Services Free Automated Malware Analysis Service - powered by Falcon Sandbox Try AlienVault USM for Free Ch 9h: Snort rule for fake SSL certificate 7 Sumo Logic Competitors in Cloud-Based Log Management and Anomaly Detection Ch 12a: Shim Cache Parser Slides Ch 13a: Apple File System - Wikipedia Ch 13b: The MacPorts Project -- Download & Installation Ch 13c: macos - OS X 10.9: where are password hashes stored - Ask Different Ch 13d: macos - What type of hash are a Mac's password stored in? - Ask Different Ch 13e: How to crack macbook admin password Ch 13f: How to Convert plist Files to XML or Binary in Mac OS X Ch 13g: Collecting password hashes from Mac OS Mojave CAPE Sandbox--ADD TO PROJECTS Security Analyst Workshop--VERY GOOD TOOLS Splunk Cheat Sheet Available Artifacts on Windows Versions - Evidence of Execution NIST SPECIAL PUBLICATION 1800-26 Data Integrity Detecting and Responding to Ransomware and Other Destructive Events Awesome-incident-response: A curated list of tools for incident response 2020-10-15: Recommended Mandiant and FireEye Blogs Malware_Reverse_Engineering_Handbook.pdf Splunking with Sysmon Series Part 1: The Setup \| Hurricane Labs Splunking with Sysmon Ch 7f: Comparison of Acquisition Software for Digital Forensics Purposes Ch 12k: A simple way to access Shadow Copies in Vista \| Microsoft Docs Plaso: Super timeline all the things Timesketch: Collaborative forensic timeline analysis ydkhatri/mac_apt: macOS ( and ios) Artifact Parsing Tool Free Training Courses \| Splunk Blue Team Labs Online -- EXTRA CREDIT

Links

Links for Chapter Lectures
Ch 1a: Deconstructing a Credit Card's Data
Ch 1b: Mitigating Fraud Risk Through Card Data Verification
Ch 1c: What data is stored on a payment card's magnetic stripe?

Ch 2a: The OpenIOC Framework

Ch 3a: Free Email Certificate | Secure SSL Certificate from Comodo
Ch 3b: Digitally Sign & Encrypt Emails
Ch 3c: 3 Alternatives to the Now-Defunct TrueCrypt for Your Encryption Needs
Ch 3d: VeraCrypt - Home
Ch 3e: Security Onion
Ch 3f: Network Security Toolkit (NST 24)
Ch 3g: Skynet Solutions : EasyIDS
Ch 3h: NIST Computer Forensic Tool Testing Program
Ch 3i: Evidence Tags and Chain of Custody Forms
Ch 3j: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
Ch 3k: Federal Rules of Evidence
Ch 3l: Security Technical Implementation Guides (STIGs) for host hardening
Ch 3k: Securing Windows Service Accounts (Part 1)
Ch 3l: Download Splunk Enterprise for free
Ch 3m: GitHub - mcholste/elsa: Enterprise Log Search and Archive
Ch 3n: Snare SIEM Software Products
Ch 3o: SIEM, Security Information Event Management, ArcSight | Hewlett Packard Enterprise
Ch 3p: RSA enVision SIEM | EMC RSA
Ch 3q: Building a DNS Blackhole with FreeBSD
Ch 3r: Windows DNS Server Sinkhole Domains Tool | SANS Institute

Ch 5a: Report Crimes Against Children | Department of Justice

Ch 7a: Redline User Guide
Ch 7b: LINReS | Network Intelligence India Pvt. Ltd.(NII Consulting), Mumbai
Ch 7c: LiME – Linux Memory Extractor
Ch 7d: Memoryze for Mac
Ch 7e: Use the Mandiant Redline memory analysis tool for threat assessments

Ch 8a: Host protected area - Wikipedia
Ch 8b: Device configuration overlay - Wikipedia

Ch 9a: Basic Snort Rules Syntax and Usage
Ch 9b: Snort: Re: Rule for detecting ssh
Ch 9c: OptiView XG Network Analysis Tablet
Ch 9c: Network TAPs
Ch 9d: Security Onion
Ch 9e: Chapter 9 Scenario PCAPs - Incident Response and Computer Forensics, 3rd Edition
Ch 9f: Download NetWitness Investigator
Ch 9g: Old NetWitness Project

Ch 10a: Analyze Microsoft DHCP Server Log Files
Ch 10b: More About Microsoft DHCP Audit and Event Logging
Ch 10c: DHCP | Internet Systems Consortium
Ch 10d: Linux How To/Tutorial: Checking DHCP Logs
Ch 10e: using the ISC DHCP log function for debugging
Ch 10f: BIND | Internet Systems Consortium
Ch 10g: DNSCAP - DNS traffic capture utility | DNS-OARC
Ch 10h: IT Information Systems Management Software | LANDESK
Ch 10i: Parsing Landesk Registry Entries FTW
Ch 10k: LANDesk SoftMon Monitoring Information
Ch 10l: How to browse Software License Monitoring data ... |LANDESK User Community
Ch 10m: RegRipper
Ch 10n: GitHub - keydet89/RegRipper2.8
Ch 10o: GitHub - jprosco/registry-tools: Registry Forensics Tools
Ch 10p: Client Management Suite | Symantec
Ch 10q: Altiris Inventory Solution™ 7.1 SP2 from Symantec™ User Guide
Ch 10r: Symantec Quarantined VBN file decoder
Ch 10s: John McAfee calls McAfee anti-virus "one of the worst products on the ... planet"
Ch 10t: Removing a PHP Redirector
Ch 10u: Understanding IIS 7 log files - Stack Overflow

Ch 11i: Filesystem Timestamps: What Makes Them Tick?
Ch 11j: File System Forensic Analysis: Brian Carrier
Ch 11k: Uuencoding - Wikipedia
Ch 11l: National Software Reference Library
Ch 11m: Nsrllookup
Ch 11n Security Firm Bit9 Hacked, Used to Spread Malware (2013)

Other Links
Yelp/osxcollector: A forensic evidence collection & analysis toolkit for OS X
ProcDump
SecureZeroMemory function (Windows)
Under My Thumbs -- Revisiting Windows thumbnail databases
Using Mandiant Redline to discover Meterpreter process injection - YouTube
Elcomsoft Advanced mobile forensics: iOS (iPhone and iPad), Windows Phone and BlackBerry 10
Aid4Mail Now (Free Trial)

New Unsorted Links
osquery | Easily ask questions about your Linux, Windows, and macOS infrastructure
GitHub - Yelp/osxcollector: A forensic evidence collection & analysis toolkit for OS X
OS X Incident Response: Scripting and Analysis--RECOMMENDED
GitHub - google/grr: GRR Rapid Response: remote live forensics for incident response
KnockKnock shows you what's persistently installed on your Mac! -- RECOMMENDED
GitHub - Yelp/amira: AMIRA: Automated Malware Incident Response & Analysis
Cyphort: Anti-SIEM reduces SIEM cost, noise, complexity, and wasted time
Collect NTFS forensic information with osquery
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Kit Hunter, a phishing kit detection script -- USEFUL FOR PROJECTS
Log-MD Tool Free Version
Threat Hunting Workshop--USE FOR PROJECTS
ATT&CK Matrix - ATT&CK for Enterprise
GitHub - redcanaryco/atomic-red-team: Small and highly portable detection tests based on MITRE's ATT&CK.
Log Management & Security Analytics, Continuous Intelligence: Sumo Logic
Rekall Forensics
Public PCAP files for download
Automated Malware Analysis - Joe Sandbox
Free Automated Malware Analysis Sandboxes and Services
Free Automated Malware Analysis Service - powered by Falcon Sandbox
Try AlienVault USM for Free
Ch 9h: Snort rule for fake SSL certificate
7 Sumo Logic Competitors in Cloud-Based Log Management and Anomaly Detection
Ch 12a: Shim Cache Parser Slides
Ch 13a: Apple File System - Wikipedia
Ch 13b: The MacPorts Project -- Download & Installation
Ch 13c: macos - OS X 10.9: where are password hashes stored - Ask Different
Ch 13d: macos - What type of hash are a Mac's password stored in? - Ask Different
Ch 13e: How to crack macbook admin password
Ch 13f: How to Convert plist Files to XML or Binary in Mac OS X
Ch 13g: Collecting password hashes from Mac OS Mojave
CAPE Sandbox--ADD TO PROJECTS
Security Analyst Workshop--VERY GOOD TOOLS
Splunk Cheat Sheet
Available Artifacts on Windows Versions - Evidence of Execution
NIST SPECIAL PUBLICATION 1800-26 Data Integrity Detecting and Responding to Ransomware and Other Destructive Events
Awesome-incident-response: A curated list of tools for incident response
2020-10-15: Recommended Mandiant and FireEye Blogs
Malware_Reverse_Engineering_Handbook.pdf
Splunking with Sysmon Series Part 1: The Setup | Hurricane Labs
Splunking with Sysmon
Ch 7f: Comparison of Acquisition Software for Digital Forensics Purposes
Ch 12k: A simple way to access Shadow Copies in Vista | Microsoft Docs
Plaso: Super timeline all the things
Timesketch: Collaborative forensic timeline analysis
ydkhatri/mac_apt: macOS ( and ios) Artifact Parsing Tool
Free Training Courses | Splunk
Blue Team Labs Online -- EXTRA CREDIT

Last Updated: 11-30-20 7:23 pm