DFIR (Digital Forensics and Incident Response) refers to the process of collecting, analyzing, and preserving digital data related to an incident, typically in a criminal or cybersecurity context. The goal is to uncover evidence and information that can help identify the cause of the incident and prevent similar incidents from happening in the future. This process involves a combination of technical and legal skills, and often relies on specialized software and hardware tools.
The DFIR process might include the following steps:
Identification of incident
Preservation of evidence
Collection of evidence
Analysis of evidence
Reporting of findings
Remediation of incident
Review of process
Preparation: This involves establishing the necessary policies, procedures, tools, and resources needed for a successful DFIR investigation.
Identification: This involves determining that an incident has occurred, and determining the scope and nature of the incident. This may involve receiving a complaint, noticing unusual activity, or performing routine monitoring of systems and networks.
Preservation: This involves collecting, acquiring, and preserving digital evidence in a way that maintains its authenticity, integrity, and reliability. This may involve creating images of hard drives, memory dumps, or other digital artifacts, and storing them in a secure location.
Collection: This involves identifying and gathering digital evidence from a variety of sources, including servers, workstations, mobile devices, cloud services, and network devices. Collection should be performed in a manner that minimizes disruption to normal business operations and preserves the integrity of the evidence.
kape.exe --tsource C: --tdest C:\Forensics\KAPEDEST1\Artifacts --target !Quick_Triage --msource C: --module !ALL --mdest C:\Forensics\KAPEDEST1\Artifacts\Volatile_Data --zip %COMPUTERNAME%
Analysis: This involves examining and analyzing the collected digital evidence to identify and extract relevant information related to the incident. This may involve using specialized tools, techniques, and methodologies to examine the data and identify patterns, anomalies, and trends.
NOTE on the Docker commands below:
//d/ - drive D:\ and the path to the case files
/data - mount point inside the container
blacktop/volatility - Docker image name
-f - Volatility option pointing to the memory file after it has been mounted into the container
--profile - Volatility option naming the OS version of the memory dump
hashdump - the Volatility command (plugin) to run
Download the Plugins from https://github.com/TazWake/volatility-plugins
QUICK MEMORY ANALYSIS:
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem imageinfo
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/hollowfind -f /Memory/memory.raw --profile=Win2012R2x64 hollowfind
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/triagecheck -f /Memory/memory.raw --profile=Win2012R2x64 triagecheck
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/cmdcheck -f /Memory/memory.raw --profile=Win2012R2x64 cmdcheck
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/FastVADScan -f /Memory/memory.raw --profile=Win2012R2x64 fastvadscan
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/ramscan -f /Memory/memory.raw --profile=Win2012R2x64 ramscan --output=html --output-file=/Memory/ramscan.html
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/pathcheck -f /Memory/memory.raw --profile=Win2012R2x64 pathcheck
DETAILED ANALYSIS:
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw blacktop/volatility -f /Memory/memory.raw imageinfo
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 hashdump
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 pslist
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 pstree
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 malfind
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 shellbags
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 sessions
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 hivelist
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 psxview
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 netscan
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 shutdowntime
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 connscan
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 sockets
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 modules
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 shimcache
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 mftparser
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 iehistory
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 amcache
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 clipboard
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 callbacks
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 handles
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 envars
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 lsadump -d /data/
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 hivedump -d /data/
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 userassist
docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 crashinfo
PROCESS DUMP COMMAND
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw blacktop/volatility -f /Memory/memory.raw --profile=Win2012R2x64 procdump -D /Memory/ -p ID
CREATING TIMELINE FROM MEMORY
Both Plaso containers need the Artifacts folder mounted so they can see the .body and .plaso files; the --fields list is honoured by psort's dynamic output module.
cd D:/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw blacktop/volatility --plugins=/Memory/volatilityplugins/cmdcheck -f /Memory/memory.raw --profile=Win2012R2x64 timeliner --output=body > timeliner.body
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw blacktop/volatility --plugins=/Memory/volatilityplugins/cmdcheck -f /Memory/memory.raw --profile=Win2012R2x64 mftparser --output=body > mftparser.body
copy *.body fullmemory.body
docker run --rm -v //d/Forensics/KAPEDEST1/Artifacts:/Artifacts:rw log2timeline/plaso log2timeline --parsers mactime --storage-file /Artifacts/Volatile_Data/Memory/timeline.plaso /Artifacts/Volatile_Data/Memory/fullmemory.body
docker run --rm -v //d/Forensics/KAPEDEST1/Artifacts:/Artifacts:rw log2timeline/plaso psort -o dynamic --fields datetime,timestamp_desc,source,source_long,message,parser,tag -w /Artifacts/Volatile_Data/Memory/myownpc.csv /Artifacts/Volatile_Data/Memory/timeline.plaso
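As an added example (not part of the original post, nor Volatility's or Plaso's own code), here is a small Python parser for the body files that timeliner and mftparser emit above; it merges them into one sorted timeline with mactime-style "macb" flags, which is the work the copy + plaso steps delegate. The sample lines, and the names TIMELINER_BODY, MFTPARSER_BODY and build_timeline, are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed sample lines in mactime body format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime),
# modelled on what timeliner and mftparser write with --output=body; they are not from a real case.
TIMELINER_BODY = """\
0|[PROCESS] svchost.exe PID: 1234/PPID: 560/POffset: 0x0000000012345678|0|---------------|0|0|0|1678000000|1678000000|1678000000|1678000000
0|[PROCESS] cmd.exe PID: 4321/PPID: 1234/POffset: 0x0000000087654321|0|---------------|0|0|0|1678003600|1678003600|1678003600|1678003600
"""
MFTPARSER_BODY = """\
0|[MFT STD_INFO] Windows\\Temp\\update.ps1 (Offset: 0x1a2b3c)|0|---------------|0|0|0|1678003650|1678003620|1678003620|1678003600
0|[MFT FILE_NAME] Windows\\Temp\\update.ps1 (Offset: 0x1a2b3c)|0|---------------|0|0|0|1678003600|1678003600|1678003600|1678003600
"""

# mactime letter -> body column: m=mtime, a=atime, c=ctime (metadata change), b=crtime (birth)
TIME_COLUMNS = {"m": 8, "a": 7, "c": 9, "b": 10}

def parse_body_line(line):
    """Return (message, {epoch: set of macb letters}) or None for a malformed line."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != 11:  # the body format has exactly eleven pipe-separated fields
        return None
    by_time = {}
    for letter, col in TIME_COLUMNS.items():
        try:
            ts = int(parts[col])
        except ValueError:
            return None
        if ts <= 0:  # Volatility writes 0 (or -1) when it could not recover a timestamp
            continue
        by_time.setdefault(ts, set()).add(letter)
    return parts[1], by_time

def macb_string(letters):
    """The 'macb' flag column mactime prints: a dot for each timestamp that differs."""
    return "".join(ch if ch in letters else "." for ch in "macb")

def build_timeline(*body_texts):
    """Merge body files into rows (utc_datetime, macb, source, message), oldest first."""
    rows = []
    for text in body_texts:
        for line in text.splitlines():
            parsed = parse_body_line(line)
            if parsed is None:
                continue  # skip junk lines rather than abort the whole timeline
            message, by_time = parsed
            # the bracketed prefix ([PROCESS], [MFT STD_INFO], ...) names the producing plugin
            source = message[1:message.index("]")] if message.startswith("[") and "]" in message else "UNKNOWN"
            for ts, letters in by_time.items():
                when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
                rows.append((when, macb_string(letters), source, message))
    rows.sort(key=lambda r: (r[0], r[2], r[3]))  # time, then plugin, then message
    return rows
```

Rows whose four timestamps differ are split into separate entries, exactly as mactime does, so a file whose creation and modification times disagree shows up twice and the gap between them is visible at a glance.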
Reporting: This involves documenting the results of the DFIR investigation and presenting the findings to stakeholders. This may involve producing detailed technical reports, summaries, and visual representations of the evidence and findings.
You are better off using a tool such as Cyber Triage or Intezer to generate reports with little effort.
Remediation: This involves taking steps to address the underlying cause of the incident and prevent similar incidents from happening in the future. This may involve implementing security measures, deploying software patches, or updating policies and procedures.
Review: This involves evaluating the DFIR process and the results of the investigation, and making recommendations for improvement. This may involve identifying areas where the process can be streamlined, tools can be improved, or additional training is needed.
In case of more doubts, please comment below for help.