
Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer

eBook (Watermarked)

  • Your Price: $38.39
  • List Price: $47.99
  • Includes EPUB and PDF
  • Copyright 2018
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 464
  • Edition: 1st
  • eBook (Watermarked)
  • ISBN-10: 0-13-475587-1
  • ISBN-13: 978-0-13-475587-8

Investigating the Cyber Breach

The Digital Forensics Guide for the Network Engineer

  • Understand the realities of cybercrime and today’s attacks
  • Build a digital forensics lab to test tools and methods, and gain expertise
  • Take the right actions as soon as you discover a breach
  • Determine the full scope of an investigation and the role you’ll play
  • Properly collect, document, and preserve evidence and data
  • Collect and analyze data from PCs, Macs, IoT devices, and other endpoints
  • Use packet logs, NetFlow, and scanning to build timelines, understand network activity, and collect evidence
  • Analyze iOS and Android devices, and understand encryption-related obstacles to investigation
  • Investigate and trace email, and identify fraud or abuse
  • Use social media to investigate individuals or online identities
  • Gather, extract, and analyze breach data with Cisco tools and techniques
  • Walk through common breaches and responses from start to finish
  • Choose the right tool for each task, and explore alternatives that might also be helpful

The professional’s go-to digital forensics resource for countering attacks right now

Today, cybersecurity and networking professionals know they can’t possibly prevent every breach, but they can substantially reduce risk by quickly identifying and blocking breaches as they occur. Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer is the first comprehensive guide to doing just that.

Writing for working professionals, senior cybersecurity experts Joseph Muniz and Aamir Lakhani present up-to-the-minute techniques for hunting attackers, following their movements within networks, halting exfiltration of data and intellectual property, and collecting evidence for investigation and prosecution. You’ll learn how to make the most of today’s best open source and Cisco tools for cloning, data analytics, network and endpoint breach detection, case management, monitoring, analysis, and more.

Unlike digital forensics books focused primarily on post-attack evidence gathering, this one offers complete coverage of tracking threats, improving intelligence, rooting out dormant malware, and responding effectively to breaches underway right now.

This book is part of the Networking Technology: Security Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Table of Contents

Introduction xix

Chapter 1 Digital Forensics 1

Defining Digital Forensics 3

Engaging Forensics Services 4

Reporting Crime 7

Search Warrant and Law 9

Forensic Roles 13

Forensic Job Market 15

Forensic Training 16

Summary 23

References 24

Chapter 2 Cybercrime and Defenses 25

Crime in a Digital Age 27

Exploitation 31

Adversaries 34

Cyber Law 36

Summary 39

Reference 39

Chapter 3 Building a Digital Forensics Lab 41

Desktop Virtualization 42

    VMware Fusion 43

    VirtualBox 44

Installing Kali Linux 44

Attack Virtual Machines 52

Cuckoo Sandbox 56

    Virtualization Software for Cuckoo 58

    Installing TCPdump 58

    Creating a User on VirtualBox for Cuckoo 59

Binwalk 60

The Sleuth Kit 61

Cisco Snort 62

Windows Tools 67

Physical Access Controls 68

Storing Your Forensics Evidence 71

    Network Access Controls 72

Jump Bag 74

Summary 74

References 75

Chapter 4 Responding to a Breach 77

Why Organizations Fail at Incident Response 78

Preparing for a Cyber Incident 80

Defining Incident Response 81

Incident Response Plan 82

Assembling Your Incident Response Team 84

    When to Engage the Incident Response Team 85

    Outstanding Items that Often Get Missed with Incident Response 88

    Phone Tree and Contact List 88

    Facilities 89

Responding to an Incident 89

Assessing Incident Severity 91

Following Notification Procedures 92

Employing Post-Incident Actions and Procedures 93

Identifying Software Used to Assist in Responding to a Breach 93

    Trend Analysis Software 94

    Security Analytics Reference Architectures 94

    Other Software Categories 97

Summary 97

References 98

Chapter 5 Investigations 99

Pre-Investigation 100

Opening a Case 102

First Responder 105

Device Power State 110

Search and Seizure 113

Chain of Custody 118

Network Investigations 121

Forensic Reports 127

    Case Summary 129

        Example 129

    Acquisition and Exam Preparation 129

        Example 129

    Findings 130

        Example 130

    Conclusion 130

        Example 131

    List of Authors 131

        Example 131

Closing the Case 132

Critiquing the Case 136

Summary 139

References 139

Chapter 6 Collecting and Preserving Evidence 141

First Responder 141

Evidence 144

    Autopsy 145

    Authorization 147

Hard Drives 148

    Connections and Devices 150

    RAID 152

Volatile Data 153

    DumpIt 154

    LiME 154

    Volatility 156

Duplication 158

    dd 161

    dcfldd 161

    ddrescue 162

    Netcat 162

    Guymager 163

    Compression and Splitting 164

Hashing 166

    MD5 and SHA Hashing 168

    Hashing Challenges 169

Data Preservation 170

Summary 172

References 172

Chapter 7 Endpoint Forensics 173

File Systems 174

    Locating Data 178

    Unknown Files 180

Windows Registry 182

    Deleted Files 185

    Windows Recycle Bin 187

    Shortcuts 189

Printer Spools 190

    Slack Space and Corrupt Clusters 191

    Alternate Data Streams 196

    Mac OS X 198

    OS X Artifacts 199

Log Analysis 202

IoT Forensics 207

Summary 210

References 211

Chapter 8 Network Forensics 213

Network Protocols 214

Security Tools 215

    Firewall 219

    Intrusion Detection and Prevention System 219

    Content Filter 219

    Network Access Control 220

    Packet Capturing 223

    NetFlow 224

    Sandbox 225

    Honeypot 226

    Security Information and Event Manager (SIEM) 228

    Threat Analytics and Feeds 229

    Security Tool Summary 229

Security Logs 229

Network Baselines 233

Symptoms of Threats 235

    Reconnaissance 235

    Exploitation 238

    Malicious Behavior 242

    Beaconing 244

    Brute Force 249

    Exfiltration 250

    Other Indicators 254

Summary 255

References 255

Chapter 9 Mobile Forensics 257

Mobile Devices 258

    Investigation Challenges 258

iOS Architecture 259

iTunes Forensics 261

iOS Snapshots 263

How to Jailbreak the iPhone 265

Android 266

PIN Bypass 270

    How to Brute Force Passcodes on the Lock Screen 271

Forensics with Commercial Tools 272

Call Logs and SMS Spoofing 274

Voicemail Bypass 275

How to Find Burner Phones 276

SIM Card Cloning 278

Summary 279

Reference 279

Chapter 10 Email and Social Media 281

A Message in a Bottle 281

Email Header 283

Social Media 288

People Search 288

Google Search 293

Facebook Search 297

Summary 304

References 305

Chapter 11 Cisco Forensic Capabilities 307

Cisco Security Architecture 307

Cisco Open Source 310

Cisco Firepower 312

Cisco Advanced Malware Protection (AMP) 313

Cisco Threat Grid 319

Cisco Web Security Appliance 322

Cisco CTA 323

Meraki 324

Email Security Appliance 326

Cisco Identity Services Engine 328

Cisco Stealthwatch 331

Cisco Tetration 335

Cisco Umbrella 337

Cisco Cloudlock 342

Cisco Network Technology 343

Summary 343

Reference 343

Chapter 12 Forensic Case Studies 345

Scenario 1: Investigating Network Communication 346

    Pre-engagement 347

    Investigation Strategy for Network Data 348

    Investigation 350

    Closing the Investigation 355

Scenario 2: Using Endpoint Forensics 357

    Pre-engagement 357

    Investigation Strategy for Endpoints 358

    Investigation 359

    Potential Steps to Take 360

    Closing the Investigation 362

Scenario 3: Investigating Malware 364

    Pre-engagement 364

    Investigation Strategy for Rogue Files 365

    Investigation 365

    Closing the Investigation 369

Scenario 4: Investigating Volatile Data 370

    Pre-engagement 371

    Investigation Strategy for Volatile Data 372

    Investigation 373

    Closing the Investigation 375

Scenario 5: Acting as First Responder 377

    Pre-engagement 377

    First Responder Strategy 377

    Closing the Investigation 379

Summary 381

References 382

Chapter 13 Forensic Tools 383

Tools 384

    Slowloris DDOS Tool: Chapter 2 385

    Low Orbit Ion Cannon 386

    VMware Fusion: Chapter 3 386

    VirtualBox: Chapter 3 387

    Metasploit: Chapter 3 388

    Cuckoo Sandbox: Chapter 3 389

    Cisco Snort: Chapter 3 389

    FTK Imager: Chapters 3, 9 390

    FireEye Redline: Chapter 3 391

    P2 eXplorer: Chapter 3 392

    PlainSight: Chapter 3 392

    Sysmon: Chapter 3 393

    WebUtil: Chapter 3 393

    ProDiscover Basics: Chapter 3 393

    Solarwinds Trend Analysis Module: Chapter 4 394

    Splunk: Chapter 4 394

    RSA Security Analytics: Chapter 4 395

    IBM’s QRadar: Chapter 4 396

    HawkeyeAP: Chapter 4 396

    WinHex: Chapters 6, 7 396

    OSForensics: Chapter 6 397

    Mount Image Pro: Chapter 6 397

    DumpIt: Chapter 6 398

    LiME: Chapter 6 398

    TrIDENT: Chapter 7 398

    PEiD: Chapter 7 399

    Lnkanalyser: Chapter 7 399

    Windows File Analyzer: Chapter 7 399

    LECmd: Chapter 7 401

    SplViewer: Chapter 7 401

    PhotoRec: Chapter 7 402

    Windows Event Log: Chapter 7 402

    Log Parser Studio: Chapter 7 403

    LogRhythm: Chapter 8 403

Mobile Devices 404

    Elcomsoft: Chapter 9 404

    Cellebrite: Chapter 9 404

    iPhone Backup Extractor: Chapter 9 405

    iPhone Backup Browser: Chapter 9 405

    Pangu: Chapter 9 405

    KingoRoot Application: Chapter 9 405

Kali Linux Tools 406

    Fierce: Chapter 8 406

    TCPdump: Chapter 3 406

    Autopsy and Autopsy with the Sleuth Kit: Chapters 3, 6 406

    Wireshark: Chapter 8 406

    Exiftool: Chapter 7 407

    DD: Chapter 6 407

    Dcfldd: Chapter 6 408

    Ddrescue: Chapter 6 408

    Netcat: Chapter 6 408

    Volatility: Chapter 6 408

Cisco Tools 408

    Cisco AMP 408

    Stealthwatch: Chapter 8 409

    Cisco WebEx: Chapter 4 409

    Snort: Chapter 11 409

    ClamAV: Chapter 10 409

    Razorback: Chapter 10 410

    Daemonlogger: Chapter 10 410

    Moflow Framework: Chapter 10 410

    Firepower: Chapter 10 410

    Threat Grid: Chapter 10 410

    WSA: Chapter 10 410

    Meraki: Chapter 10 411

    Email Security: Chapter 10 411

    ISE: Chapter 10 411

    Cisco Tetration: Chapter 10 411

    Umbrella: Chapter 10 411

    Norton ConnectSafe: No Chapter 412

    Cloudlock: Chapter 10 412

Forensic Software Packages 413

    FTK Toolkit: Chapter 3 413

    X-Ways Forensics: Chapter 3 413

    OSforensics: Chapter 6 414

    EnCase: Chapter 7 414

    Digital Forensics Framework (DFF): Chapter 7 414

Useful Websites 414

    Shodan: Chapter 1 414

    Wayback Machine: Chapter 3 415

    Robot.txt files: Chapter 2 415

    Hidden Wiki: Chapter 2 415

    NIST: Chapter 4 416

    CVE: Chapter 4 416

    Exploit-DB: Chapter 4 416

    Pastebin: Chapters 4, 10 416

    University of Pennsylvania Chain of Custody Form: Chapter 6 417

    List of File Signatures: Chapter 9 417

    Windows Registry Forensics Wiki: Chapter 7 417

    Mac OS Forensics Wiki: Chapter 7 417

Miscellaneous Sites 417

    Searchable FCC ID Database 418

    Service Name and Transport Protocol Port Number Registry 418

    NetFlow Version 9 Flow-Record Format 418

    NMAP 418

    Pwnable 418

    Embedded Security CTF 419

    CTF Learn 419

    Reversing.Kr 419

    Hax Tor 419

    W3Challs 419

    RingZer0 Team Online CTF 420

    Hellbound Hackers 420

    Over the Wire 420

    Hack This Site 420

    VulnHub 420

    Application Security Challenge 421

    iOS Technology Overview 421

Summary 421

9781587145025    TOC    1/10/2017
