The Incident Response Workbook is available through Amazon and university libraries/outlets.

The Workbook is filled with activities for incident responders, digital forensic examiners, and cyber security professionals who want to gain (more) hands-on practice investigating systems. The workbook will allow the readers to combine incident response content with hands-on PowerShell activities so the readers can learn to triage and investigate incidents on their own. The Workbook is not meant to be exhaustive; however, it was written to address a variety of incidents, artifacts, and triage / investigation techniques.

Each of the scenarios comes with a PowerShell script which will add realistic artifacts to a Windows computer so the reader can gain experience investigating. The workbook then walks through a step-by-step process on how a sample investigation could be done. The activities conclude with the running of a “clean-up” script that removes the artifacts that were put in place during setup.

In all there are 12 scenarios with hands-on activities and over 100 PowerShell commands / scripts in the workbook. The goal of the activities is to provide sufficient hands-on learning so the reader can apply triage and investigation techniques.

Table of Contents

The following chapters are included in the Incident Response Workbook:

Preface
Acknowledgements
Chapter 1 - Introduction
Chapter 2 - How to Use This Book
Chapter 3 - Introduction to PowerShell Fundamentals for Incident Response
Chapter 4 - Scenario: Investigating a Suspicious Download
Chapter 5 - Scenario: Responding to Suspicious Internet Traffic (Port-to-process mapping)
Chapter 6 - Scenario: Identifying Newly Created Executables
Chapter 7 - Scenario: Identifying and Closing Remote Connections
Chapter 8 - Scenario: Investigating Malware with a Persistence Mechanism
Chapter 9 - Scenario: Responding to an Insider Risk - Potential Theft of Intellectual Property
Chapter 10 - Scenario: VIP Traveler Reporting a Suspicious Event
Chapter 11 - Scenario: Hunting Through a List of Services
Chapter 12 - Scenario: Investigating a Suspicious Wi-Fi Connection
Chapter 13 - Scenario: Responding to a Ransom Demand
Chapter 14 - Scenario: Incident Follow-up Tasks and Security Audit
Chapter 15 - Scenario: Creating a Collection Script
Chapter 16 - Additional Topics for Incident Response
Chapter 17 - Discussion Topics
About the Author
Index

Chapter Layout

Chapters with scenarios are arranged in the following fashion:

  • There is a brief narrative to orient the reader to the realistic incident.

  • There is a setup script which installs artifacts to simulate indicators of compromise on the Windows computer.

  • An introduction of key incident response concepts and the methodology to be followed is presented.

  • A list of the PowerShell commands that will be used with the proposed solution to the scenario is provided.

  • A step-by-step procedure with PowerShell scripts is provided so the reader can perform the hands-on activity.

  • “Learning Points” are added throughout the exercise to point out key concepts.

  • A cleanup script removes any remaining artifacts after the investigation is complete.

  • Follow-up questions and discussion points expand on the topics covered in the scenario.