Defensive Operations
🔥 Advanced

Digital Forensics & Incident Response

DFIR combines digital forensics (the science of collecting and analyzing digital evidence) with incident response (the process of detecting, containing, and recovering from security breaches). This discipline is critical for understanding how attackers operate, preserving evidence for legal proceedings, and preventing future incidents.

Evidence Preservation is Critical

Never analyze original evidence. Acquire it first: put the source disk behind a write-blocker, take a bit-for-bit image, hash both source and image (SHA-256) and record the hashes, the time and the examiner in the chain-of-custody log. All later analysis runs against a copy of that image, and the hash is re-checked before every session. The one accepted exception is live response: capturing memory or the process list necessarily touches the running system, so record exactly which tools ran and when. Improper handling can make evidence inadmissible in court and destroy critical artifacts.
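The acquire-and-verify step above, as an added shell example (not code from the page): image a source with dd, hash source and image, refuse the image unless the hashes match, and re-verify a working copy before use. The "device" is a constructed 1 MiB file so the script runs anywhere; the log fields, the `EXAMINER` variable and the `demo_imaging` helper are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the page): acquire a raw image with dd and refuse
# to accept it unless source and image hash identically. The "device" here
# is a constructed file so the script runs anywhere; on real evidence the
# source would be /dev/sdX behind a hardware write-blocker, run as root.

# SHA-256 of one file; coreutils sha256sum or, on BSD/macOS, shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SOURCE IMAGE LOGFILE
# Returns 0 only if the finished image hashes the same as the source.
image_and_verify() {
    src="$1"; img="$2"; log="$3"

    src_hash=$(sha256_of "$src")   # read the original once, read-only

    # conv=noerror,sync: do not abort on unreadable sectors, pad them with
    # zeros so every later offset still lines up with the source. Padding
    # changes the hash, which is exactly why we compare afterwards and, on
    # mismatch, go back to dd's error output in the log for the bad sectors.
    # bs must divide the source size (true for a whole disk; 4096 here).
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>>"$log"

    img_hash=$(sha256_of "$img")

    {
        echo "acquired_utc:  $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "examiner:      ${EXAMINER:-unset}"   # assumed env var, set it
        echo "source:        $src"
        echo "image:         $img"
        echo "source_sha256: $src_hash"
        echo "image_sha256:  $img_hash"
    } >>"$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE EXPECTED_SHA256
# Run before every analysis session and before handing the image on;
# a changed hash means the working copy is no longer evidence.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Stand-alone demo on a constructed 1 MiB sample (a multiple of bs, as a
# real disk is). Also shows that a single changed byte is detected.
demo_imaging() {
    work=$(mktemp -d)
    head -c 1048576 /dev/zero | tr '\000' 'A' > "$work/evidence.raw"

    if image_and_verify "$work/evidence.raw" "$work/evidence.dd" "$work/acquisition.log"; then
        echo "acquisition OK, hashes match"
    else
        echo "acquisition FAILED, hash mismatch"; rm -rf "$work"; return 1
    fi

    expected=$(sha256_of "$work/evidence.raw")
    # simulate tampering with the working copy: one byte at offset 100
    printf 'X' | dd of="$work/evidence.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/evidence.dd" "$expected"; then
        echo "tamper NOT detected"; rm -rf "$work"; return 1
    fi
    echo "tampered working copy correctly rejected"
    rm -rf "$work"
    return 0
}

# demo_imaging
```

Reading the source twice (once to hash, once to image) is what this plain-dd version costs; acquisition tools such as dc3dd or ewfacquire hash the data as it streams through, so a real acquisition touches the drive once. The point that survives either way is that the image is only evidence while its recorded hash still verifies.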

Incident Response Lifecycle

1. Identification

Detect and validate that a security incident has occurred: triage the alert, confirm it is not a false positive, and scope which hosts, accounts and data are involved. This presumes a Preparation phase has already put logging, playbooks and tooling in place.

2. Containment

Prevent further damage: isolate affected systems from the network, disable compromised credentials and block attacker infrastructure, while keeping the evidence on those systems intact for the forensic work that follows.

3. Eradication

Remove the threat from the environment: malware, persistence mechanisms, attacker-created accounts, and the vulnerability or misconfiguration that let them in.

4. Recovery

Restore systems to normal operations from known-good images or backups, then watch them closely for signs of re-compromise.

5. Lessons Learned

Post-mortem analysis and improvements: what was missed, how long detection and containment took, and which controls, detections and playbooks change as a result.

DFIR vs Red Team

While red teams simulate attacks, DFIR professionals investigate and respond to them. These are complementary skillsets:

🔴 Red Team (Offensive)

  • Break into systems
  • Evade detection
  • Establish persistence
  • Simulate real attackers
  • Goal: Test defenses

🔵 DFIR (Defensive)

  • Investigate breaches
  • Find attacker artifacts
  • Reconstruct timelines
  • Contain and remediate
  • Goal: Understand and stop attacks

Essential DFIR Tools

Disk Forensics

  • Autopsy / The Sleuth Kit
  • FTK Imager
  • X-Ways Forensics
  • Magnet AXIOM

Memory Forensics

  • Volatility 3
  • Rekall (no longer maintained; useful only for legacy profiles)
  • DumpIt / Magnet RAM Capture (Windows memory acquisition)
  • MemProcFS

Network Forensics

  • Wireshark / tshark
  • NetworkMiner
  • Zeek (formerly Bro)
  • tcpdump

Windows Forensics

  • Eric Zimmerman's tools (EZ Tools)
  • RegRipper
  • Event Log Explorer
  • Velociraptor

Linux Forensics

  • SIFT Workstation
  • log2timeline / Plaso
  • osquery
  • Sysdig

Timeline & Analysis

  • Plaso / log2timeline
  • Timesketch
  • CyberChef
  • Elasticsearch / Kibana

The Forensic Process

  1. Identification: Recognize potential evidence (compromised server, suspicious network traffic)
  2. Preservation: Acquire without altering: source behind a write-blocker, bit-for-bit image, SHA-256 of source and image recorded (MD5 only in addition, where a legacy tool still expects it)
  3. Collection: Gather volatile data (memory, running processes, network connections) before non-volatile data (disk); in practice this happens before disk imaging, since imaging normally means taking the system down
  4. Analysis: Examine artifacts for IOCs, attacker tools, and lateral movement traces
  5. Documentation: Maintain a detailed chain of custody (who handled what, when, and the hash at each hand-off) and a findings report
  6. Presentation: Communicate findings to technical and non-technical stakeholders

Order of Volatility

Collect evidence from most volatile to least, following RFC 3227: CPU registers/cache → RAM (process table, network connections, ARP cache, kernel state) → Swap/Page files and temporary file systems → Disk → Remote logs and monitoring data → Backups and archival media. Memory and live-state acquisition must happen before the system is powered down; pulling the plug destroys RAM, while a graceful shutdown runs cleanup that can overwrite artifacts, so the choice is deliberate and documented.
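The Collection and Documentation steps of the forensic process, carried out in order of volatility, as an added shell example (not code from the page): a minimal live-response collector that captures the fast-decaying state first, stores each result with a sequence number, and writes a hashed manifest that doubles as the first chain-of-custody record. It assumes Linux with procps and iproute2; the file naming, the manifest layout and the `triage`/`verify_manifest` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): live-response collector that takes
# volatile artefacts first, in order of volatility, and documents every
# file it produces with a timestamp, sequence number and SHA-256.
# Assumptions: Linux with procps/iproute2; run as root from a trusted
# toolkit on read-only media, writing to external media, never to the
# disk you are about to image. Output names below are this script's own.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_step OUTDIR NAME COMMAND [ARGS...]
# Runs COMMAND, stores its output as OUTDIR/NN-NAME.txt (NN = collection
# order) and appends time, sequence, hash and path to the manifest.
# A missing tool or a failing command is recorded, not fatal: a collector
# that dies half-way loses exactly the evidence that is decaying fastest.
collect_step() {
    outdir="$1"; name="$2"; shift 2
    n=$(( $(wc -l < "$outdir/manifest.tsv") ))   # header line makes first seq 1
    out=$(printf '%s/%02d-%s.txt' "$outdir" "$n" "$name")
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || true               # a non-zero exit is still evidence
    else
        echo "tool not available on host: $1" > "$out"
    fi
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$n" \
        "$(sha256_of "$out")" "$out" >> "$outdir/manifest.tsv"
}

# triage OUTDIR: most volatile first (RFC 3227 order), then static state.
# A full RAM dump is taken with a dedicated memory-acquisition tool right
# after the process/socket snapshot; that step is not scripted here.
triage() {
    outdir="$1"
    mkdir -p "$outdir"
    printf 'collected_utc\tseq\tsha256\tfile\n' > "$outdir/manifest.tsv"

    # 1. volatile: the clock first (so every later timestamp can be
    #    corrected), then what is gone on reboot or within minutes
    collect_step "$outdir" date      date -u
    collect_step "$outdir" uptime    uptime
    collect_step "$outdir" processes ps -eo pid,ppid,user,lstart,cmd
    collect_step "$outdir" sockets   ss -tulpan
    collect_step "$outdir" users     who
    collect_step "$outdir" arp       ip neigh
    collect_step "$outdir" routes    ip route
    # 2. slower-changing system state
    collect_step "$outdir" mounts    mount
    collect_step "$outdir" modules   lsmod
    # 3. non-volatile data (the disk) is imaged separately, after this runs

    # seal the manifest so later edits to it are detectable as well
    sha256_of "$outdir/manifest.tsv" > "$outdir/manifest.sha256"
}

# verify_manifest OUTDIR: 0 if the manifest and every listed file still
# hash as recorded; anything else means the collection was altered.
verify_manifest() {
    outdir="$1"
    [ "$(sha256_of "$outdir/manifest.tsv")" = "$(cat "$outdir/manifest.sha256")" ] || return 1
    tail -n +2 "$outdir/manifest.tsv" | while IFS="$(printf '\t')" read -r ts seq hash file; do
        [ "$(sha256_of "$file")" = "$hash" ] || exit 1
    done
}

# Usage: triage /mnt/usb/case-0001/host01 && verify_manifest /mnt/usb/case-0001/host01
```

The sequence numbers and UTC timestamps in the manifest are what later lets the timeline tools on this page say not just what a process list showed, but at what moment it was captured relative to the memory dump and the disk image. Running the host's own `ps` and `ss` is the compromise live response always makes: a rootkit can lie to them, which is why the memory image taken next, not this snapshot, is the authoritative view of running state.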

Guide Contents