larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer

Best Value Purchase

Book + eBook Bundle

  • Your Price: $53.99
  • List Price: $89.98
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

Individual Purchases


  • Your Price: $39.99
  • List Price: $49.99
  • Usually ships in 24 hours.

eBook (Watermarked)

  • Your Price: $31.99
  • List Price: $39.99
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

  • About
  • Description
  • Sample Content
  • Updates


This book will help administrators

1) Understand how to identify when they are compromised.
2) Improve their network security
3) Develop a incident response plan
4) Maximize security capabilities in existing investments
5) Learn how to use critical digital forensics tools
6) Understand best practices for digital forensics.

  • Copyright 2018
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 464
  • Edition: 1st
  • Book
  • ISBN-10: 1-58714-502-2
  • ISBN-13: 978-1-58714-502-5

Investigating the Cyber Breach

The Digital Forensics Guide for the Network Engineer

· Understand the realities of cybercrime and today’s attacks

· Build a digital forensics lab to test tools and methods, and gain expertise

· Take the right actions as soon as you discover a breach

· Determine the full scope of an investigation and the role you’ll play

· Properly collect, document, and preserve evidence and data

· Collect and analyze data from PCs, Macs, IoT devices, and other endpoints

· Use packet logs, NetFlow, and scanning to build timelines, understand network activity, and collect evidence

· Analyze iOS and Android devices, and understand encryption-related obstacles to investigation

· Investigate and trace email, and identify fraud or abuse

· Use social media to investigate individuals or online identities

· Gather, extract, and analyze breach data with Cisco tools and techniques

· Walk through common breaches and responses from start to finish

· Choose the right tool for each task, and explore alternatives that might also be helpful

The professional’s go-to digital forensics resource for countering attacks right now

Today, cybersecurity and networking professionals know they can’t possibly prevent every breach, but they can substantially reduce risk by quickly identifying and blocking breaches as they occur. Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer is the first comprehensive guide to doing just that.

Writing for working professionals, senior cybersecurity experts Joseph Muniz and Aamir Lakhani present up-to-the-minute techniques for hunting attackers, following their movements within networks, halting exfiltration of data and intellectual property, and collecting evidence for investigation and prosecution. You’ll learn how to make the most of today’s best open source and Cisco tools for cloning, data analytics, network and endpoint breach detection, case management, monitoring, analysis, and more.

Unlike digital forensics books focused primarily on post-attack evidence gathering, this one offers complete coverage of tracking threats, improving intelligence, rooting out dormant malware, and responding effectively to breaches underway right now.

This book is part of the Networking Technology: Security Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Online Sample Chapter

Responding to a Breach

Table of Contents

Introduction xix

Chapter 1 Digital Forensics 1

Defining Digital Forensics 3

Engaging Forensics Services 4

Reporting Crime 7

Search Warrant and Law 9

Forensic Roles 13

Forensic Job Market 15

Forensic Training 16

Summary 23

References 24

Chapter 2 Cybercrime and Defenses 25

Crime in a Digital Age 27

Exploitation 31

Adversaries 34

Cyber Law 36

Summary 39

Reference 39

Chapter 3 Building a Digital Forensics Lab 41

Desktop Virtualization 42

VMware Fusion 43

VirtualBox 44

Installing Kali Linux 44

Attack Virtual Machines 52

Cuckoo Sandbox 56

Virtualization Software for Cuckoo 58

Installing TCPdump 58

Creating a User on VirtualBox for Cuckoo 59

Binwalk 60

The Sleuth Kit 61

Cisco Snort 62

Windows Tools 67

Physical Access Controls 68

Storing Your Forensics Evidence 71

Network Access Controls 72

Jump Bag 74

Summary 74

References 75

Chapter 4 Responding to a Breach 77

Why Organizations Fail at Incident Response 78

Preparing for a Cyber Incident 80

Defining Incident Response 81

Incident Response Plan 82

Assembling Your Incident Response Team 84

When to Engage the Incident Response Team 85

Outstanding Items that Often Get Missed with Incident Response 88

Phone Tree and Contact List 88

Facilities 89

Responding to an Incident 89

Assessing Incident Severity 91

Following Notification Procedures 92

Employing Post-Incident Actions and Procedures 93

Identifying Software Used to Assist in Responding to a Breach 93

Trend Analysis Software 94

Security Analytics Reference Architectures 94

Other Software Categories 97

Summary 97

References 98

Chapter 5 Investigations 99

Pre-Investigation 100

Opening a Case 102

First Responder 105

Device Power State 110

Search and Seizure 113

Chain of Custody 118

Network Investigations 121

Forensic Reports 127

Case Summary 129

Example 129

Acquisition and Exam Preparation 129

Example 129

Findings 130

Example 130

Conclusion 130

Example 131

List of Authors 131

Example 131

Closing the Case 132

Critiquing the Case 136

Summary 139

References 139

Chapter 6 Collecting and Preserving Evidence 141

First Responder 141

Evidence 144

Autopsy 145

Authorization 147

Hard Drives 148

Connections and Devices 150

RAID 152

Volatile Data 153

DumpIt 154

LiME 154

Volatility 156

Duplication 158

dd 161

dcfldd 161

ddrescue 162

Netcat 162

Guymager 163

Compression and Splitting 164

Hashing 166

MD5 and SHA Hashing 168

Hashing Challenges 169

Data Preservation 170

Summary 172

References 172

Chapter 7 Endpoint Forensics 173

File Systems 174

Locating Data 178

Unknown Files 180

Windows Registry 182

Deleted Files 185

Windows Recycle Bin 187

Shortcuts 189

Printer Spools 190

Slack Space and Corrupt Clusters 191

Alternate Data Streams 196

Mac OS X 198

OS X Artifacts 199

Log Analysis 202

IoT Forensics 207

Summary 210

References 211

Chapter 8 Network Forensics 213

Network Protocols 214

Security Tools 215

Firewall 219

Intrusion Detection and Prevention System 219

Content Filter 219

Network Access Control 220

Packet Capturing 223

NetFlow 224

Sandbox 225

Honeypot 226

Security Information and Event Manager (SIEM) 228

Threat Analytics and Feeds 229

Security Tool Summary 229

Security Logs 229

Network Baselines 233

Symptoms of Threats 235

Reconnaissance 235

Exploitation 238

Malicious Behavior 242

Beaconing 244

Brute Force 249

Exfiltration 250

Other Indicators 254

Summary 255

References 255

Chapter 9 Mobile Forensics 257

Mobile Devices 258

Investigation Challenges 258

iOS Architecture 259

iTunes Forensics 261

iOS Snapshots 263

How to Jailbreak the iPhone 265

Android 266

PIN Bypass 270

How to Brute Force Passcodes on the Lock Screen 271

Forensics with Commercial Tools 272

Call Logs and SMS Spoofing 274

Voicemail Bypass 275

How to Find Burner Phones 276

SIM Card Cloning 278

Summary 279

Reference 279

Chapter 10 Email and Social Media 281

A Message in a Bottle 281

Email Header 283

Social Media 288

People Search 288

Google Search 293

Facebook Search 297

Summary 304

References 305

Chapter 11 Cisco Forensic Capabilities 307

Cisco Security Architecture 307

Cisco Open Source 310

Cisco Firepower 312

Cisco Advanced Malware Protection (AMP) 313

Cisco Threat Grid 319

Cisco Web Security Appliance 322

Cisco CTA 323

Meraki 324

Email Security Appliance 326

Cisco Identity Services Engine 328

Cisco Stealthwatch 331

Cisco Tetration 335

Cisco Umbrella 337

Cisco Cloudlock 342

Cisco Network Technology 343

Summary 343

Reference 343

Chapter 12 Forensic Case Studies 345

Scenario 1: Investigating Network Communication 346

Pre-engagement 347

Investigation Strategy for Network Data 348

Investigation 350

Closing the Investigation 355

Scenario 2: Using Endpoint Forensics 357

Pre-engagement 357

Investigation Strategy for Endpoints 358

Investigation 359

Potential Steps to Take 360

Closing the Investigation 362

Scenario 3: Investigating Malware 364

Pre-engagement 364

Investigation Strategy for Rogue Files 365

Investigation 365

Closing the Investigation 369

Scenario 4: Investigating Volatile Data 370

Pre-engagement 371

Investigation Strategy for Volatile Data 372

Investigation 373

Closing the Investigation 375

Scenario 5: Acting as First Responder 377

Pre-engagement 377

First Responder Strategy 377

Closing the Investigation 379

Summary 381

References 382

Chapter 13 Forensic Tools 383

Tools 384

Slowloris DDOS Tool: Chapter 2 385

Low Orbit Ion Cannon 386

VMware Fusion: Chapter 3 386

VirtualBox: Chapter 3 387

Metasploit: Chapter 3 388

Cuckoo Sandbox: Chapter 3 389

Cisco Snort: Chapter 3 389

FTK Imager: Chapters 3, 9 390

FireEye Redline: Chapter 3 391

P2 eXplorer: Chapter 3 392

PlainSight: Chapter 3 392

Sysmon: Chapter 3 393

WebUtil: Chapter 3 393

ProDiscover Basics: Chapter 3 393

Solarwinds Trend Analysis Module: Chapter 4 394

Splunk: Chapter 4 394

RSA Security Analytics: Chapter 4 395

IBM’s QRadar: Chapter 4 396

HawkeyeAP: Chapter 4 396

WinHex: Chapters 6, 7 396

OSForensics: Chapter 6 397

Mount Image Pro: Chapter 6 397

DumpIt: Chapter 6 398

LiME: Chapter 6 398

TrIDENT: Chapter 7 398

PEiD: Chapter 7 399

Lnkanalyser: Chapter 7 399

Windows File Analyzer: Chapter 7 399

LECmd: Chapter 7 401

SplViewer: Chapter 7 401

PhotoRec: Chapter 7 402

Windows Event Log: Chapter 7 402

Log Parser Studio: Chapter 7 403

LogRhythm: Chapter 8 403

Mobile Devices 404

Elcomsoft: Chapter 9 404

Cellebrite: Chapter 9 404

iPhone Backup Extractor: Chapter 9 405

iPhone Backup Browser: Chapter 9 405

Pangu: Chapter 9 405

KingoRoot Application: Chapter 9 405

Kali Linux Tools 406

Fierce: Chapter 8 406

TCPdump: Chapter 3 406

Autopsy and Autopsy with the Sleuth Kit: Chapters 3, 6 406

Wireshark: Chapter 8 406

Exiftool: Chapter 7 407

DD: Chapter 6 407

Dcfldd: Chapter 6 408

Ddrescue: Chapter 6 408

Netcat: Chapter 6 408

Volatility: Chapter 6 408

Cisco Tools 408

Cisco AMP 408

Stealthwatch: Chapter 8 409

Cisco WebEx: Chapter 4 409

Snort: Chapter 11 409

ClamAV: Chapter 10 409

Razorback: Chapter 10 410

Daemonlogger: Chapter 10 410

Moflow Framework: Chapter 10 410

Firepower: Chapter 10 410

Threat Grid: Chapter 10 410

WSA: Chapter 10 410

Meraki: Chapter 10 411

Email Security: Chapter 10 411

ISE: Chapter 10 411

Cisco Tetration: Chapter 10 411

Umbrella: Chapter 10 411

Norton ConnectSafe: No Chapter 412

Cloudlock: Chapter 10 412

Forensic Software Packages 413

FTK Toolkit: Chapter 3 413

X-Ways Forensics: Chapter 3 413

OSforensics: Chapter 6 414

EnCase: Chapter 7 414

Digital Forensics Framework (DFF): Chapter 7 414

Useful Websites 414

Shodan: Chapter 1 414

Wayback Machine: Chapter 3 415

Robot.txt files: Chapter 2 415

Hidden Wiki: Chapter 2 415

NIST: Chapter 4 416

CVE: Chapter 4 416

Exploit-DB: Chapter 4 416

Pastebin: Chapters 4, 10 416

University of Pennsylvania Chain of Custody Form: Chapter 6 417

List of File Signatures: Chapter 9 417

Windows Registry Forensics Wiki: Chapter 7 417

Mac OS Forensics Wiki: Chapter 7 417

Miscellaneous Sites 417

Searchable FCC ID Database 418

Service Name and Transport Protocol Port Number Registry 418

NetFlow Version 9 Flow-Record Format 418

NMAP 418

Pwnable 418

Embedded Security CTF 419

CTF Learn 419

Reversing.Kr 419

Hax Tor 419

W3Challs 419

RingZer0 Team Online CTF 420

Hellbound Hackers 420

Over the Wire 420

Hack This Site 420

VulnHub 420

Application Security Challenge 421

iOS Technology Overview 421

Summary 421

9781587145025 TOC 1/10/2017

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020