Chapter 37 Exercises: Incident Response and Digital Forensics

Exercise 37.1: Incident Response Plan Development

Difficulty: Beginner Objective: Create a foundational incident response plan for a small organization.

Scenario: You are the sole security professional at a 200-person company with a web application, internal Active Directory network, and cloud infrastructure (AWS).

  1. Define the incident response team structure. Who is involved beyond IT security (legal, HR, communications, management)?
  2. Create an incident classification scheme with at least four severity levels. Define criteria for each level.
  3. Write escalation procedures: Who is notified at each severity level? What is the timeline for notification?
  4. Define communication channels for incident response (primary and backup, including out-of-band options).
  5. Create a contact list template with roles, names, phone numbers, and email addresses.
  6. Write a one-page incident declaration procedure: How does someone declare an incident? What information is required?
  7. Define evidence preservation requirements for each severity level.

Deliverable: Complete incident response plan document (4-6 pages).

Exercise 37.2: Tabletop Exercise Design and Execution

Difficulty: Beginner Objective: Design and facilitate a tabletop exercise for a ransomware scenario.

  1. Design a ransomware tabletop exercise scenario with: - Background: Organization description, current security posture - Inject 1: Initial detection (helpdesk receives call about encrypted files) - Inject 2: Scope expansion (additional systems found encrypted) - Inject 3: Ransom note discovered (demand for $500,000 in cryptocurrency) - Inject 4: Media inquiry (reporter calls asking about data breach) - Inject 5: Data exfiltration confirmed (double extortion)
  2. For each inject, write 3-5 discussion questions.
  3. Create a facilitator guide with expected responses and discussion points.
  4. If possible, run the exercise with classmates or colleagues.
  5. Document lessons learned and action items from the exercise.
  6. Create an after-action report template.

Deliverable: Tabletop scenario document, facilitator guide, and after-action report template.

Exercise 37.3: Memory Acquisition Practice

Difficulty: Intermediate Objective: Practice acquiring memory images from running systems.

  1. Set up a Windows 10/11 VM with some simulated activity (open browser, run applications, create network connections).
  2. Capture a memory image using at least two different tools: - WinPmem - FTK Imager (Lite version)
  3. For each capture: - Record the file size, time to capture, and hash (SHA-256) of the output - Document the process you followed - Note any issues encountered
  4. Compare the two memory images: Are they the same size? Are the hashes different? Why?
  5. Set up a Linux VM and capture memory using LiME: - Compile the LiME kernel module - Capture memory in lime format - Document the process
  6. Calculate and record SHA-256 hashes for all memory images.
  7. Create chain of custody documentation for each acquired image.

Deliverable: Memory images (or screenshots of the process), hash values, and chain of custody forms.

Exercise 37.4: Volatility 3 Analysis

Difficulty: Intermediate Objective: Analyze a memory image using Volatility 3 to identify malicious activity.

  1. Download a practice memory image from MemLabs (https://github.com/stuxnet999/MemLabs) or a DFIR challenge site.
  2. Identify the operating system and build using windows.info.
  3. List all processes and identify any suspicious ones: - Run windows.pslist and windows.psscan - Compare the two outputs to find hidden processes - Run windows.pstree to analyze parent-child relationships - Identify processes running from unusual locations
  4. Analyze network connections: - Run windows.netscan - Identify connections to external IP addresses - Research any suspicious IPs using threat intelligence tools
  5. Check for code injection: - Run windows.malfind - Analyze any suspicious memory regions
  6. Extract artifacts: - Dump suspicious processes with windows.dumpfiles - Extract command-line arguments with windows.cmdline - Check registry for persistence with windows.registry.printkey
  7. Write a summary report of your findings.

Deliverable: Volatility command outputs, analysis notes, and summary report.

Exercise 37.5: Disk Forensics with Autopsy

Difficulty: Intermediate Objective: Conduct a disk forensic analysis using the Autopsy digital forensics platform.

  1. Download a forensic disk image from a practice site (e.g., Digital Forensics workstation from cfreds.nist.gov or Forensics CTF images).
  2. Create a new case in Autopsy and add the disk image as a data source.
  3. Run all ingest modules (hash lookup, keyword search, web artifacts, recent activity, etc.).
  4. Analyze the following: - File system structure and notable directories - Recently accessed and modified files - Deleted files (recoverable through Autopsy's recovery features) - Web browser history, bookmarks, and downloads - Email artifacts - USB device history - Installed programs
  5. Create a timeline of user activity for a specific date range.
  6. Export relevant evidence items with hash verification.
  7. Write an examination report documenting your process and findings.

Deliverable: Case summary, timeline, exported evidence items with hashes, and examination report.

Exercise 37.6: Windows Event Log Analysis

Difficulty: Intermediate Objective: Analyze Windows Event Logs to reconstruct malicious activity.

  1. Set up a Windows VM with Sysmon installed (use a detection-focused Sysmon configuration like SwiftOnSecurity's).
  2. Simulate malicious activity: - Create a new user account - Add the user to the Administrators group - Execute PowerShell commands (encoded and plain) - Create a scheduled task for persistence - Access a network share - Clear security event logs
  3. Export the following event logs: Security, System, Sysmon/Operational, PowerShell/Operational.
  4. Analyze the logs using Event Viewer or a log analysis tool (ELK, Splunk free, or EvtxExplorer).
  5. For each simulated activity, identify: - The specific Event ID(s) generated - The timestamp - The user account involved - Additional context from the event data
  6. Create a detection matrix: for each simulated activity, list the Event IDs that provide evidence.
  7. Write detection rules (Sigma format) for three of the activities.

Deliverable: Event log analysis document, detection matrix, and three Sigma rules.

Exercise 37.7: KAPE Triage Collection

Difficulty: Intermediate Objective: Use KAPE to perform rapid forensic triage collection.

  1. Download and install KAPE on a Windows VM.
  2. Familiarize yourself with KAPE's targets and modules: - List available targets: kape.exe --tlist - List available modules: kape.exe --mlist
  3. Perform a triage collection using the KapeTriage target: - kape.exe --tsource C: --tdest D:\evidence --target KapeTriage
  4. Examine the collected artifacts: - Registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT) - Event logs - Prefetch files - MFT - Web browser artifacts - Amcache and Shimcache
  5. Process the collected artifacts using Eric Zimmerman's tools: - Parse Prefetch with PECmd - Parse Amcache with AmcacheParser - Parse ShellBags with SBECmd - Parse MFT with MFTECmd
  6. Correlate findings across artifact types.
  7. Document the complete process and timeline of findings.

Deliverable: KAPE collection log, processed artifact outputs, and correlation analysis.

Exercise 37.8: Network Forensics with Wireshark

Difficulty: Intermediate Objective: Analyze network packet captures to identify malicious activity.

  1. Download a practice PCAP file containing malicious activity (Malware-Traffic-Analysis.net provides excellent resources).
  2. Open the PCAP in Wireshark and perform initial analysis: - Identify the capture duration and total packet count - Review the Protocol Hierarchy statistics - Identify all unique IP addresses and their roles (internal/external)
  3. Analyze HTTP traffic: - Filter for HTTP requests and identify all accessed URLs - Look for suspicious downloads (executables, scripts) - Export any downloaded files and calculate their hashes
  4. Analyze DNS traffic: - Filter for DNS queries - Identify suspicious domain lookups (DGA domains, known-bad domains) - Note any DNS tunneling indicators (long subdomain names)
  5. Analyze TLS connections: - Identify all TLS connections by server name (SNI) - Look for connections to suspicious domains - Check certificate details where visible
  6. Look for data exfiltration indicators: - Large outbound data transfers - Unusual protocols for data transfer - Encoded or encrypted data in HTTP POST bodies
  7. Create an IOC list from your analysis (IPs, domains, hashes, user agents).

Deliverable: Wireshark analysis report, IOC list, and exported malicious files with hashes.

Exercise 37.9: YARA Rule Development

Difficulty: Intermediate Objective: Write YARA rules to detect specific malware samples and suspicious patterns.

  1. Download a known malware sample from MalwareBazaar or a similar repository (use a safe, isolated analysis environment).
  2. Perform basic static analysis: - Extract strings from the sample - Identify unique strings, patterns, or byte sequences - Note any file properties (size, sections, imports)
  3. Write a YARA rule to detect this specific sample: - Include at least three string matches - Include at least one hex pattern - Include metadata (author, description, hash, date) - Test the rule against the sample
  4. Write a generic YARA rule to detect a category of malicious behavior: - Choose a behavior (e.g., PowerShell download cradle, packed executables, web shells) - Define string and condition patterns that match the category - Test against both malicious and benign samples
  5. Write a YARA rule that could produce false positives. Then refine it to reduce false positives while maintaining detection.
  6. Test all rules against a directory containing both malicious and clean files. Calculate true positive, false positive, and false negative rates.

Deliverable: Three YARA rules, test results, and false positive analysis.

Exercise 37.10: Timeline Analysis

Difficulty: Advanced Objective: Build a comprehensive forensic timeline from multiple evidence sources.

  1. Using evidence from a practice forensic case (or from your own lab simulations): - Collect disk artifacts (MFT, Event Logs, Prefetch, browser history) - Collect memory artifacts (process list, network connections) - Collect network logs (if available)
  2. Create a super timeline using Plaso/log2timeline: - Process all evidence sources into a single Plaso database - Filter the timeline to the relevant date range - Export to CSV format
  3. Open the timeline in Timeline Explorer (Eric Zimmerman) or a spreadsheet.
  4. Identify key events: - Initial compromise (first suspicious activity) - Lateral movement events - Data access events - Persistence establishment - Exfiltration events - Attacker cleanup attempts
  5. Create a visual timeline showing key events on a chronological axis.
  6. Write a narrative that tells the story of the incident based on your timeline analysis.

Deliverable: Super timeline (filtered), visual timeline diagram, and narrative report.

Exercise 37.11: Malware Analysis Lab Setup

Difficulty: Intermediate Objective: Build a safe malware analysis environment.

  1. Design and build a malware analysis lab: - Create an isolated virtual network (host-only, no internet access) - Set up a Windows analysis VM with:
    • Flare VM or similar analysis toolkit
    • Process Monitor, Process Explorer, Autoruns
    • Wireshark, FakeNet-NG
    • Ghidra or IDA Free
    • PE analysis tools (pestudio, CFF Explorer)
    • Set up a Linux analysis VM with:
    • REMnux distribution (or install tools manually)
    • Volatility 3, YARA, radare2
    • Set up a monitoring VM for network capture
  2. Document your lab architecture with a network diagram.
  3. Create snapshot procedures (when to snapshot, naming convention).
  4. Test your lab by downloading and analyzing a known-safe test file (EICAR test file).
  5. Verify isolation: confirm the analysis VMs cannot reach the internet or your host network.
  6. Create a standard operating procedure (SOP) for malware analysis in your lab.

Deliverable: Lab architecture documentation, network diagram, SOP, and verification test results.

Exercise 37.12: Incident Response Playbook Development

Difficulty: Intermediate Objective: Create detailed incident response playbooks for specific incident types.

Write complete playbooks for three incident types:

  1. Phishing incident playbook: - Detection criteria (how you know this is a phishing incident) - Initial triage steps - Scope assessment (who else received the email?) - Containment actions (block sender, remove emails, disable compromised accounts) - Investigation steps (analyze email headers, attachments, URLs) - Recovery procedures - Communication templates

  2. Insider threat playbook: - Detection criteria - Legal and HR coordination requirements - Evidence preservation (heightened chain of custody) - Investigation steps (user activity monitoring, data access logs) - Containment without alerting the subject - Documentation requirements

  3. Cloud compromise playbook (AWS): - Detection criteria (GuardDuty alerts, CloudTrail anomalies) - Initial response (identify affected resources, preserve CloudTrail logs) - Containment (revoke credentials, isolate resources) - Investigation (CloudTrail analysis, resource inventory) - Recovery (rotate all credentials, rebuild from IaC)

Deliverable: Three complete playbooks in a standardized format.

Exercise 37.13: Log Aggregation and Analysis

Difficulty: Advanced Objective: Build a centralized log collection and analysis system for incident investigation.

  1. Deploy an ELK stack (Elasticsearch, Logstash, Kibana) or Wazuh in your lab.
  2. Configure log collection from: - Windows Event Logs (Security, System, Sysmon) - Linux syslog and auth.log - Apache/Nginx web server logs - Firewall logs (simulated or from lab firewall)
  3. Create at least five detection dashboards: - Failed authentication attempts by source - Process creation events with suspicious patterns - Network connection anomalies - File modification events in sensitive directories - User account changes (creation, modification, group changes)
  4. Create alert rules for: - Brute force detection (more than N failed logins from one IP) - Suspicious process execution (PowerShell with encoded commands) - New service installation
  5. Simulate an attack in your lab and verify that your dashboards and alerts detect it.
  6. Practice searching and investigating using your log analysis platform.

Deliverable: Deployment documentation, dashboard screenshots, alert rules, and detection verification results.

Exercise 37.14: File Carving Exercise

Difficulty: Advanced Objective: Practice file recovery techniques from disk images.

  1. Create a test disk image: - Format a USB drive or virtual disk - Copy various files to it (images, documents, text files, executables) - Record the files and their hashes - Delete several files - Create some files and then overwrite them with other files
  2. Create a forensic image of the disk using dc3dd or FTK Imager.
  3. Attempt file recovery using multiple techniques: - File carving with Foremost or Scalpel - MFT analysis with MFTECmd (for NTFS) - Autopsy's file recovery features
  4. For each recovered file: - Calculate the SHA-256 hash - Compare with the original hash - Determine if the file was fully or partially recovered
  5. Analyze unallocated space for additional artifacts.
  6. Document which files were recoverable and which were not, and explain why.

Deliverable: Test disk contents list, forensic image hash, recovered files with hashes, and recovery analysis report.

Exercise 37.15: Incident Investigation Capstone

Difficulty: Advanced Objective: Conduct a complete incident investigation from detection through reporting.

Scenario: A company's intrusion detection system has flagged suspicious outbound traffic from an internal workstation. Your task is to investigate.

Set up the scenario in your lab: 1. On a Windows VM, simulate a compromise: - Create a malicious scheduled task - Create a new admin user account - Simulate data collection (copy files to a staging directory) - Create outbound connections (simulate C2 with a simple script) - Clear some event logs

  1. Investigate as if you are the incident responder: - Capture memory - Collect disk artifacts with KAPE - Capture network traffic (if you set up the C2 simulation) - Analyze memory with Volatility - Analyze disk artifacts with Zimmerman tools - Build a timeline - Identify all IOCs

  2. Write a complete investigation report: - Executive summary - Scope and methodology - Timeline of events - Findings (organized by category: malware, persistence, credential access, etc.) - Indicators of Compromise - Impact assessment - Recommendations for remediation and prevention - Evidence inventory with chain of custody

Deliverable: Complete investigation report (8-12 pages) with supporting evidence.

Exercise 37.16: Cloud Forensics Investigation

Difficulty: Advanced Objective: Investigate a simulated cloud security incident using cloud-native tools.

  1. In an AWS Free Tier account, set up a simple infrastructure: - EC2 instance, S3 bucket, IAM users - Enable CloudTrail logging
  2. Simulate malicious activity: - Create new IAM access keys - Enumerate S3 buckets - Access data from an S3 bucket - Create a new IAM user with admin permissions - Launch an unauthorized EC2 instance
  3. Investigate using cloud-native tools: - Query CloudTrail for the simulated activities - Identify the timeline of events - Determine which credentials were used - Identify all resources accessed or created
  4. Document the differences between cloud forensics and traditional disk/memory forensics.
  5. Write investigation findings in a report format.

Deliverable: CloudTrail query results, investigation timeline, and forensic report.