Blue - DFIR: Digital Forensics and Incident Response
DFIR: Digital Forensics and Incident Response is a hugely important sector of cyber security, where everyday security analysis is taken to the next level. While most security analysts work out of a SIEM or SOAR platform, incident responders and forensic analysts typically work directly with a potentially compromised device. Because of this they must be familiar not only with a larger array of analysis tools, but also with a much stricter set of processes and procedures, since their actions (how evidence is acquired, handled and documented) are often subject to legal requirements.
DFIR Resource Collections
DFIR Compendium - The Definitive Compendium Project Digital Forensics & Incident Response
Infosec Reference: DFIR - Massive collection of DFIR guides, articles, and tools
https://start.me/p/jj0B26/dfir - Collection of more DFIR resources
https://www.jaiminton.com/cheatsheet/DFIR/ - Huge collection of DFIR commands and methodology
Training
https://dfirmadness.com/ - Collection of training use cases to hone your DFIR skills
Incident Response
ATC React - The RE&CT Framework is designed for accumulating, describing and categorizing actionable Incident Response techniques. It can be used for prioritizing the development of Incident Response capabilities (skills development, acquisition and deployment of technical measures, internal procedure development, etc.), as well as for gap analysis to determine the "coverage" of existing Incident Response capabilities.
https://github.com/certsocietegenerale/IRM - CERT Societe Generale Incident Response Methodologies 2022
https://gitlab.com/syntax-ir/playbooks#ir-playbooks - Public IR playbooks
BTFM: Incident Response checklist - pg. 109
BTFM: Remediation Tasks - pg. 112
(BTHb: INRE): Incident Response Steps - pg. 5
IR/Malware Scanners
Kansa (Powershell) - A modular incident response framework in PowerShell. It uses PowerShell Remoting to run user-contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline.
Windows Forensic Toolchest - The Windows Forensic Toolchest™ (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system.
Velociraptor - A tool for collecting host-based state information, on a single endpoint or as a hunt across many.
Meerkat - Meerkat is a collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent.
https://www.cadosecurity.com/cado-community-edition/ - The free Cado Community Edition uses the scale and speed of the cloud to simplify deep-dive investigations: data can be processed in minutes rather than the days traditional methods take, giving forensic-level detail without forensic-level effort.
DFIR Commands
Subpages:
Interact with remote machine
Windows System Enumeration
Windows Process Information
Windows DFIR Checks
Windows DFIR Check by MITRE Tactic
Windows Event Logs
Windows Remediation Commands
IR Event Log Cheatsheet
Linux DFIR Commands
MacOS DFIR Commands
Forensics
Triage and Order of Volatility
(BTHb: INRE): Order of Volatility - pg. 29
BTFM: Live Triage - pg. 60
bulk-extractor - bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
dumpzilla - Dumpzilla is a Python 3 application whose purpose is to extract all forensically interesting information from Firefox, Iceweasel and SeaMonkey browsers for analysis.
regripper - RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
safecopy - safecopy tries to get as much data from SOURCE as possible, even resorting to device specific low level operations if applicable.
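The bulk_extractor entry above is the clearest statement of a technique every responder should understand: carving features out of raw bytes without any file system parsing, so deleted files, slack space and unallocated regions are searched just like live files. As an added example (this is not code from the original page, nor from bulk_extractor itself), the Python scanner below walks a raw buffer in chunks and reports e-mail addresses, URLs and IPv4 addresses with their byte offsets, in the spirit of a bulk_extractor feature file. The sample image is constructed inline; the chunk/margin scheme, the pattern names and the regexes are this example's own simplifications.

```python
import re

# Simplified feature patterns, compiled against bytes because a raw image has no
# encoding. A real carver also tries UTF-16, base64 and compressed regions.
# (Example code; patterns are illustrative, not bulk_extractor's own scanners.)
FEATURE_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./?=&%_:#-]+"),
    "ipv4": re.compile(
        rb"(?<![0-9.])(?:(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}"
        rb"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(?![0-9.])"
    ),
}


def scan_image(image, chunk_size=4096, margin=512):
    """Return {feature_name: [(byte_offset, value), ...]} for every hit in image.

    The buffer is walked in chunks so memory stays bounded on multi-GB images.
    Each chunk is scanned together with `margin` bytes on either side, and a hit
    is attributed to the chunk whose primary range contains its first byte:
      - the left margin lets the regex consume a token that started in the
        previous chunk, so it is not reported again as a truncated fragment;
      - the right margin lets a token that starts near the end of a chunk be
        matched in full (tokens longer than `margin` may still be cut short,
        the same trade-off real carvers make with their margin setting).
    """
    hits = {name: [] for name in FEATURE_PATTERNS}
    for pos in range(0, len(image), chunk_size):
        base = max(0, pos - margin)
        window = image[base:pos + chunk_size + margin]
        for name, pattern in FEATURE_PATTERNS.items():
            for m in pattern.finditer(window):
                offset = base + m.start()
                if pos <= offset < pos + chunk_size:
                    hits[name].append((offset, m.group().decode("ascii", "replace")))
    return hits


# Constructed sample "image": slack bytes, a mail header fragment, an HTTP
# request line and a log line, with no file system structure around them.
CONSTRUCTED_IMAGE = (
    b"\x00" * 40
    + b"From: alice@example.org\r\n"
    + b"\x00" * 20
    + b"GET https://intranet.example.org/login?user=bob HTTP/1.1\r\n"
    + b"\xff\xfe" * 10
    + b"last seen from 10.0.0.23 and 192.168.1.254\x00"
    + b"\x00" * 30
)

if __name__ == "__main__":
    # A tiny chunk size forces features across chunk boundaries for the demo;
    # the results are identical to a single-chunk scan.
    for feature, entries in scan_image(CONSTRUCTED_IMAGE, chunk_size=50, margin=64).items():
        for offset, value in entries:
            print(f"{offset:>10}  {feature:<6} {value}")
```

Against a real image, hand `scan_image` an `mmap.mmap` of the file instead of reading it into memory; the chunk loop slices the map, so the whole image is never loaded at once. The offsets are what make the output useful: they let you go back with a hex viewer or a file system parser to find out which file, or which unallocated cluster, a feature came from.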
Malware Analysis
In incident response, phishing, or security monitoring scenarios, you will encounter potentially malicious files that require in-depth analysis to determine their nature. These files can be as overt as an executable labeled "virus.exe" or as covert as "resume.doc". There will be instances where, even after all of your analysis, you still cannot verify the nature of the document; it should then be considered malicious until proven otherwise.
Subpage: Sandboxing
Outside of sandboxing, there are a host of other tools available that can perform different types of analysis on malware. There are even a few virtual machine distributions dedicated to malware analysis, the foremost of which are FLARE-VM and REMnux. These bundle code analysis tools such as Ghidra, debuggers, and a host of other handy options, and are usually paired with a sandbox such as Cuckoo.
Remember: always perform your malware analysis in an isolated virtual machine (snapshotted, with host-only or no networking) in order to prevent unwanted accidents.
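The first pass on a suspicious attachment is static and mechanical, and it is where a "resume.doc" that is really an executable gets caught. The following Python script is added here as an illustration (it is not part of the original page or of any of the tools it lists): it hashes the file, identifies the container by magic bytes rather than by name, compares that to the extension, measures entropy as a packing indicator, greps for strings that have no business in a resume, and defaults to "treat as malicious" whenever anything is off, which is the rule stated above. The three samples are constructed inline; the magic table, the expected-extension map, the 7.2 bits/byte threshold and the macro heuristic are this example's own simplifying assumptions.

```python
import hashlib
import math
import re
from pathlib import Path

# Magic-number table for containers that turn up most in phishing triage.
# Illustrative subset (an assumption of this example): real workflows use
# libmagic / file(1), oletools and a YARA rule set on top of this.
MAGIC = [
    (b"MZ", "pe"),                                   # Windows executable / DLL
    (b"\x7fELF", "elf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt, .msi
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx/.jar/.apk
    (b"%PDF-", "pdf"),
    (b"{\\rtf", "rtf"),
]

# Extensions we expect each container to carry; anything else is a mismatch.
EXPECTED_EXT = {
    "pe": {".exe", ".dll", ".scr", ".sys", ".cpl"},
    "elf": {"", ".so", ".bin"},
    "ole2": {".doc", ".xls", ".ppt", ".msi", ".msg"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
    "pdf": {".pdf"},
    "rtf": {".rtf"},
}

# Strings a benign document has no reason to contain (example list, not exhaustive).
SUSPICIOUS_STRINGS = re.compile(
    rb"(powershell|cmd\.exe|wscript|rundll32|regsvr32|mshta|https?://|"
    rb"VirtualAlloc|WriteProcessMemory|CreateRemoteThread|IsDebuggerPresent)",
    re.IGNORECASE,
)

ENTROPY_THRESHOLD = 7.2  # bits/byte; packed/encrypted payloads sit near 8.0


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(data):
    """Classify by leading magic bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename, data):
    """Static first-pass triage; returns a dict a responder can paste into a ticket."""
    kind = identify(data)
    ext = Path(filename).suffix.lower()
    entropy = shannon_entropy(data)
    suspicious = sorted({m.decode("ascii", "replace").lower()
                         for m in SUSPICIOUS_STRINGS.findall(data)})
    indicators = []
    if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
        indicators.append(f"extension '{ext or '(none)'}' does not match {kind} content")
    if entropy > ENTROPY_THRESHOLD:
        indicators.append(f"high entropy ({entropy:.2f} bits/byte): likely packed or encrypted")
    # Heuristic only: OLE2 directory entries are UTF-16LE, so a macro-bearing
    # document carries the stream name "_VBA_PROJECT" in that encoding.
    if kind == "ole2" and "_VBA_PROJECT".encode("utf-16-le") in data:
        indicators.append("OLE2 container has a VBA project stream (macros present)")
    if suspicious:
        indicators.append("suspicious strings: " + ", ".join(suspicious))
    return {
        "filename": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "type": kind,
        "entropy": round(entropy, 3),
        "suspicious_strings": suspicious,
        "indicators": indicators,
        "verdict": ("treat as malicious until proven otherwise" if indicators
                    else "no static indicators (absence of evidence is not evidence of absence)"),
    }


# Constructed samples: a PE dressed up as a resume, a plain OLE2 document, and a
# correctly named but fully packed executable.
SAMPLE_RESUME = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 32
    + b"powershell.exe -nop -w hidden\x00"
    + b"https://updates.example.invalid/stage2\x00" + b"\x00" * 64
)
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
              + "Resume of J. Doe".encode("utf-16-le") + b"\x00" * 64)
SAMPLE_PACKED = b"MZ" + bytes(range(256)) * 8

if __name__ == "__main__":
    for name, blob in [("resume.doc", SAMPLE_RESUME), ("resume.doc", SAMPLE_DOC),
                       ("installer.exe", SAMPLE_PACKED)]:
        report = triage(name, blob)
        print(f"{name}: {report['type']}, entropy {report['entropy']} -> {report['verdict']}")
        for ind in report["indicators"]:
            print("   -", ind)
```

None of these checks proves a file benign: a clean OLE2 resume with no indicators still goes to the sandbox. What the script does is make the "covert" case explicit, so the decision to escalate is recorded alongside the hash and the evidence rather than left to whoever happened to double-click.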
Reverse Engineering
Subpage: Reverse Engineering