Digital Forensics and Incident Response¶

DFIR is finding out what the fuck happened
When a breach occurs you need to determine the scope of compromise, identify the entry point, contain the threat, and gather evidence for potential legal action

The DFIR Process

Identification - Detect the incident (alerts , user reports , anomalies)
Containment - Stop the bleeding (disconnect , isolate , block)
Eradication - Remove the threat (malware , backdoors , persistence)
Recovery - Restore normal operations (clean backups , verify)
Lessons Learned - Improve defenses (post-mortem , recommendations)

Order of Volatility

When collecting evidence you must collect the most volatile data first because it disappears fastest:

CPU registers and cache - Gone on reboot
Routing table and ARP cache - Lost on reboot
Process table - Lost on shutdown
Kernel memory - Lost on shutdown
Temporary filesystem - /tmp contents may be cleared
Disk - Persistent (primary long-term evidence)
Remote logs - May be overwritten by attacker
Physical configuration - Network topology diagrams
Archives - Backups from before the incident

The Forensics Mindset

Document everything (chain of custody)
Never work on original evidence (always image then work on copy)
Write-block any storage device before imaging
Hash everything and verify hashes
Timeline analysis reveals correlations

Common Incident Types

Ransomware - Encrypted files , ransom note , lateral movement
Phishing - Email logs , browser history , downloaded payloads
Insider Threat - Unusual access patterns , data exfiltration
Web Compromise - Web server logs , modified files , backdoor scripts
Supply Chain - Compromised software updates , DLL hijacking

Evidence Types

Volatile - RAM, network connections, running processes
Non-volatile - Hard drives, SSDs, removable media
Network - PCAP files, firewall logs, proxy logs, DNS logs
Application - Web server logs, database logs, application logs
Remote - SIEM data, cloud logs, centralized logging