
# DFIR: Digital Forensics Incident Response

DFIR (Digital Forensics and Incident Response) refers to the process of collecting, analyzing, and preserving digital data related to an incident, typically in a criminal or cybersecurity context. The goal is to uncover evidence and information that help identify the cause of the incident and prevent similar incidents from happening in the future. The work combines technical and legal skills and usually relies on specialized software and hardware tools.


The DFIR process might include the following steps:

  1. Identification of incident

  2. Preservation of evidence

  3. Collection of evidence

  4. Analysis of evidence

  5. Reporting of findings

  6. Remediation of incident

  7. Review of process

  • Preparation: This involves establishing the necessary policies, procedures, tools, and resources needed for a successful DFIR investigation.

  • Identification: This involves determining that an incident has occurred, and determining the scope and nature of the incident. This may involve receiving a complaint, noticing unusual activity, or performing routine monitoring of systems and networks.

  • Preservation: This involves collecting, acquiring, and preserving digital evidence in a way that maintains its authenticity, integrity, and reliability. This may involve creating images of hard drives, memory dumps, or other digital artifacts, and storing them in a secure location.

  • Collection: This involves identifying and gathering digital evidence from a variety of sources, including servers, workstations, mobile devices, cloud services, and network devices. Collection should be performed in a manner that minimizes disruption to normal business operations and preserves the integrity of the evidence.


KAPE collection command (targets to C:\Forensics\KAPEDEST1\Artifacts, runs all modules, and zips the result under the host name):

kape.exe --tsource C: --tdest C:\Forensics\KAPEDEST1\Artifacts --target !Quick_Triage --msource C: --module !ALL --mdest C:\Forensics\KAPEDEST1\Artifacts\Volatile_Data --zip %COMPUTERNAME%

  • Analysis: This involves examining and analyzing the collected digital evidence to identify and extract relevant information related to the incident. This may involve using specialized tools, techniques, and methodologies to examine the data and identify patterns, anomalies, and trends.

NOTE on the docker commands below:

  • //d/ - drive D:\ and the path to the case files

  • /data - mount point inside the container

  • blacktop/volatility - Docker image name

  • '-f' - Volatility option pointing to the memory file after it has been mounted into the container

  • '--profile' - Volatility option selecting the OS version of the memory dump

  • 'hashdump' - Volatility command (plugin)

  • Download the Plugins from https://github.com/TazWake/volatility-plugins



QUICK MEMORY ANALYSIS:

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem imageinfo

Both -v mounts must come before the image name: anything after blacktop/volatility is passed to Volatility itself, so the /Plugins mount would otherwise never exist inside the container.

docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/hollowfind -f /Memory/memory.raw --profile=Win2012R2x64 hollowfind

docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/triagecheck -f /Memory/memory.raw --profile=Win2012R2x64 triagecheck

docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/cmdcheck -f /Memory/memory.raw --profile=Win2012R2x64 cmdcheck

docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/FastVADScan -f /Memory/memory.raw --profile=Win2012R2x64 fastvadscan

docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/ramscan -f /Memory/memory.raw --profile=Win2012R2x64 ramscan --output=html --output-file=/Memory/ramscan.html

docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw -v //d/Forensics/Tools/volatilityplugins:/Plugins blacktop/volatility --plugins=/Plugins/pathcheck -f /Memory/memory.raw --profile=Win2012R2x64 pathcheck

DETAILED ANALYSIS:

docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw blacktop/volatility -f /Memory/memory.raw imageinfo

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 hashdump

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 pslist

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 pstree

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 malfind

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 shellbags

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 sessions

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 hivelist

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 psxview

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 netscan

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 shutdowntime

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 connscan

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 sockets

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 modules

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 shimcache

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 mftparser

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 iehistory

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 amcache

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 clipboard

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 callbacks

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 handles

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 envars

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 lsadump -d /data/

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 hivedump -d /data/

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 userassist

docker run --rm -v //d/FORENSICS/TUTORIALS/CASE1-WEB-SERVER/:/data:rw blacktop/volatility -f /data/memdump.mem --profile=Win2008SP2x86 crashinfo

PROCESS DUMP COMMAND (replace <PID> with the process ID taken from pslist or pstree; the executable is written to /Memory/)
docker run --rm -it -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw blacktop/volatility -f /Memory/memory.raw --profile=Win2012R2x64 procdump -D /Memory/ -p <PID>

CREATING TIMELINE FROM MEMORY
cd D:/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory

Run the two body-file exports without -t: a pseudo-TTY rewrites line endings, which corrupts the redirected .body files.

docker run --rm -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw blacktop/volatility --plugins=/Memory/volatilityplugins/cmdcheck -f /Memory/memory.raw --profile=Win2012R2x64 timeliner --output=body > timeliner.body

docker run --rm -v //d/Forensics/KAPEDEST1/Artifacts/Volatile_Data/Memory:/Memory:rw blacktop/volatility --plugins=/Memory/volatilityplugins/cmdcheck -f /Memory/memory.raw --profile=Win2012R2x64 mftparser --output=body > mftparser.body

copy *.body fullmemory.body

The plaso container only sees paths under the mounted /Artifacts directory, so the body file and the storage file are given with their in-container paths; the output module for a custom field list is dynamic.

docker run --rm -v //d/Forensics/KAPEDEST1/Artifacts:/Artifacts:rw log2timeline/plaso log2timeline --parsers mactime --storage-file /Artifacts/Volatile_Data/Memory/timeline.plaso /Artifacts/Volatile_Data/Memory/fullmemory.body

docker run --rm -v //d/Forensics/KAPEDEST1/Artifacts:/Artifacts:rw log2timeline/plaso psort -o dynamic --fields datetime,timestamp_desc,source,source_long,message,parser,tag -w /Artifacts/Volatile_Data/Memory/myownpc.csv /Artifacts/Volatile_Data/Memory/timeline.plaso
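The timeline steps above concatenate two mactime body files and hand them to plaso. The added example below (not Volatility's, plaso's or the post's code) parses that body format directly, so an analyst can sanity-check fullmemory.body before a long plaso run: it turns each line into one event per distinct timestamp with mactime-style m/a/c/b flags, drops malformed lines and duplicate lines produced by concatenation, and sorts the result; the body lines it works on are constructed samples, not output from the case.

```python
from datetime import datetime, timezone

# Constructed sample lines in the style of timeliner.body and mftparser.body (not real case output).
TIMELINER_BODY = """\
0|[PROCESS] svchost.exe PID: 820/PPID: 452|0|---------------|0|0|0|1400000000|1400000000|1400000000|1400000000
0|[SHUTDOWN TIME] SYSTEM hive|0|---------------|0|0|0|0|1400000100|0|0
this line is not in body format and must be rejected
"""
MFTPARSER_BODY = """\
0|[MFT FILE_NAME] Users\\bob\\evil.exe|0|---a-----------|0|0|0|1400000050|1400000050|1400000050|1400000020
0|[MFT STD_INFO] Users\\bob\\evil.exe|0|---a-----------|0|0|0|1400000050|1400000050|1400000050|1400000020
"""
# Body columns: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
# mactime's flag order is m-a-c-b: mtime, atime, ctime, crtime (birth).
FLAG_FIELDS = (("m", 8), ("a", 7), ("c", 9), ("b", 10))

def parse_body_line(line):
    """Return one event per distinct non-zero timestamp, or [] if the line is malformed."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 11:
        return []
    try:
        stamps = {flag: int(fields[idx]) for flag, idx in FLAG_FIELDS}
    except ValueError:
        return []
    source = fields[1][1:].split("]", 1)[0] if fields[1].startswith("[") else "body"
    events = []
    for ts in sorted({t for t in stamps.values() if t > 0}):  # 0 means "unset"
        macb = "".join(f if stamps[f] == ts else "." for f, _ in FLAG_FIELDS)
        utc = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "utc": utc, "macb": macb, "source": source, "name": fields[1]})
    return events

def merge_bodies(bodies):
    """Merge body files; returns (time-sorted unique events, count of rejected lines)."""
    seen, events, rejected = set(), [], 0
    for text in bodies:
        for line in filter(str.strip, text.splitlines()):  # skip blank lines
            parsed = parse_body_line(line)
            rejected += not parsed
            for ev in parsed:
                key = (ev["ts"], ev["macb"], ev["name"])
                if key not in seen:  # concatenating *.body files can repeat lines
                    seen.add(key)
                    events.append(ev)
    events.sort(key=lambda e: (e["ts"], e["name"]))
    return events, rejected

if __name__ == "__main__":
    for ev in merge_bodies([TIMELINER_BODY, MFTPARSER_BODY])[0]:
        print(ev["utc"], ev["macb"], ev["source"], ev["name"], sep=",")
```

A non-zero rejected count on a real fullmemory.body usually means a plugin wrote status text to stdout, which plaso's mactime parser will also choke on.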

  • Reporting: This involves documenting the results of the DFIR investigation and presenting the findings to stakeholders. This may involve producing detailed technical reports, summaries, and visual representations of the evidence and findings.

  • Tools such as Cyber Triage or Intezer can generate these reports with little manual effort.


  • Remediation: This involves taking steps to address the underlying cause of the incident and prevent similar incidents from happening in the future. This may involve implementing security measures, deploying software patches, or updating policies and procedures.


  • Review: This involves evaluating the DFIR process and the results of the investigation, and making recommendations for improvement. This may involve identifying areas where the process can be streamlined, tools can be improved, or additional training is needed.

If anything is unclear, please comment below for help.


