What is DFIR?
Well, to start, it stands for Digital Forensics and Incident Response. This field covers the collection of forensic artifacts from digital devices such as computers, media devices, and smartphones to investigate an incident.
By “forensic artifacts,” I refer to the traces or evidence that attackers leave behind, such as the logs produced by your computer, router, website, or any other device in general. Additionally, you have evidence in the form of registry keys, removed applications or files, etc.
To explain “Digital Forensics and Incident Response” further: these are actually two fields, not just one. Digital forensics is the process of recovering and investigating the machine or device to figure out what happened. Incident response is such a deep topic that SANS has written a whole book about it (SANS SEC504), but to summarize, it consists of six steps, according to SANS:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
To read more about these steps in detail, you can check out the book SANS 504 or check out my summary for it here.
Digital Forensics: These professionals are experts in identifying forensic artifacts or evidence of human activity on digital devices.
Incident Response: Incident responders are experts in cybersecurity and leverage forensic information to identify the activity of interest from a security perspective.
Why do we need DFIR?
- Finding evidence of attacker activity in the network
- Robustly removing the attacker.
- Identifying the extent and timeframe of a breach
- Finding the loopholes or the vulnerability that led to the breach
- Understanding attacker behavior, so that further intrusion attempts by the same attacker can be blocked preemptively.
- Sharing information about the attacker with the community.
Some terms related to DFIR:
Artifacts
Pieces of evidence that point to an activity performed on a system. When performing DFIR, artifacts are collected to support a hypothesis or claim about attacker activity.
Evidence Preservation
Evidence is only useful if nobody can argue it was altered during the investigation. That’s why we don’t work and do our analysis on the original image; we do it on a copy of it, and we keep (and verify) the integrity of the original image.
Chain of custody
Another critical aspect of maintaining the integrity of evidence is the chain of custody. When the evidence is collected, it must be kept in secure custody.
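The two points above (analyze a copy, keep the original intact, and record who handled the evidence) boil down to hashing and logging. The script below is an added example written for this post, not a tool from the original text: it hashes an "image", makes a working copy, verifies the copy against the original's hash, appends a chain-of-custody record, and shows that any later write to the working copy is caught on re-verification. The file names, the examiner name and the image contents are constructed for the demo.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images never have to fit in RAM


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_working_copy(original, workdir, examiner, custody_log):
    """Hash the original, copy it, verify the copy, and append a custody record.

    Analysis is done on the returned working copy; the original is only ever read.
    """
    original = Path(original)
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    original_hash = sha256_of(original)
    working = workdir / (original.name + ".working")
    shutil.copyfile(original, working)
    if sha256_of(working) != original_hash:
        working.unlink()
        raise RuntimeError("working copy does not match original; acquisition failed")
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": "acquired working copy",
        "examiner": examiner,
        "original": str(original),
        "working_copy": str(working),
        "sha256": original_hash,
    }
    with open(custody_log, "a") as log:  # one JSON record per line: the chain of custody
        log.write(json.dumps(record) + "\n")
    return working, original_hash


def verify_integrity(path, expected_hash):
    """Re-hash evidence and compare; run this before and after every analysis session."""
    return sha256_of(path) == expected_hash


def demo():
    """Constructed demo: a fake 'image' with a known hash, plus a tampering check."""
    tmp = Path(tempfile.mkdtemp())
    original = tmp / "evidence.raw"  # constructed, not a real image
    original.write_bytes(b"constructed memory image contents\n" * 1000)
    custody_log = tmp / "custody.jsonl"
    working, digest = acquire_working_copy(original, tmp / "work", "analyst-1", custody_log)
    ok_before = verify_integrity(working, digest)
    # Simulate an accidental write to the working copy; verification must now fail.
    with open(working, "ab") as f:
        f.write(b"oops")
    ok_after = verify_integrity(working, digest)
    records = [json.loads(line) for line in custody_log.read_text().splitlines()]
    original_untouched = sha256_of(original) == digest
    return ok_before, ok_after, len(records), original_untouched


if __name__ == "__main__":
    print(demo())  # (True, False, 1, True)
```

In a real case the original image would live on write-blocked or read-only storage and the custody log would record every hand-off, not just the acquisition; the hashing and verify-before-and-after pattern stays the same.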
Order of volatility
You should prioritize your process by volatility; for example, take an image of the memory first, as it is the most volatile, and so on.
Timeline Creation
Once we have collected the artifacts and maintained their integrity, we need to present them understandably to fully use the information contained in them.
A timeline of events needs to be created for efficient and accurate analysis. This timeline of events puts all the activities in chronological order. This activity is called timeline creation. Timeline creation provides perspective for the investigation and helps collate information from various sources to create a story of how things happened.
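Timeline creation in practice means normalizing timestamps from sources that all record time differently and then sorting. The script below is an added example for this post, not code from the original: it merges three constructed artifacts (a web server access log with a timezone offset, an endpoint agent CSV in host-local time, and a firewall line with an epoch timestamp) into one UTC timeline. All host names, IPs and events are made up for the demo.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample artifacts from three sources (not real data).
WEB_ACCESS_LOG = """\
10.0.0.7 - - [12/Mar/2024:09:14:02 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:09:14:05 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.7 - - [12/Mar/2024:09:15:40 +0000] "GET /admin/export HTTP/1.1" 200 48213
"""

# Endpoint agent CSV: 'time,host,event', timestamps in host-local time (UTC+02:00).
ENDPOINT_TZ = timezone(timedelta(hours=2))
ENDPOINT_CSV = """\
2024-03-12 11:14:30,web01,process created: powershell.exe
2024-03-12 11:16:10,web01,file written: C:\\Users\\Public\\export.zip
"""

# Firewall log: epoch seconds (already UTC).
FIREWALL_LOG = """\
1710234960 fw01 ALLOW 10.0.0.7:51234 -> 203.0.113.9:443
"""

WEB_RE = re.compile(r'\[([^\]]+)\] "([^"]+)" (\d{3})')


def parse_web(text):
    for line in text.splitlines():
        m = WEB_RE.search(line)
        if not m:
            continue  # skip lines that don't match the access log format
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        yield ts, "web", f"{m.group(2)} -> {m.group(3)}"


def parse_endpoint(text):
    for line in text.splitlines():
        t, host, event = line.split(",", 2)
        # Naive local time: attach the host's zone, then convert to UTC.
        ts = datetime.strptime(t, "%Y-%m-%d %H:%M:%S").replace(tzinfo=ENDPOINT_TZ)
        yield ts.astimezone(timezone.utc), "endpoint", f"{host}: {event}"


def parse_firewall(text):
    for line in text.splitlines():
        epoch, rest = line.split(" ", 1)
        yield datetime.fromtimestamp(int(epoch), tz=timezone.utc), "firewall", rest


def build_timeline():
    """Merge every source into one list of (utc_time, source, description), oldest first."""
    events = []
    events.extend(parse_web(WEB_ACCESS_LOG))
    events.extend(parse_endpoint(ENDPOINT_CSV))
    events.extend(parse_firewall(FIREWALL_LOG))
    return sorted(events, key=lambda e: e[0])


def render(timeline):
    """Plain-text timeline, one event per line."""
    return "\n".join(f"{ts.isoformat()}  {src:<8}  {desc}" for ts, src, desc in timeline)


if __name__ == "__main__":
    print(render(build_timeline()))
```

Once the events are in one list, the story reads itself: login, a PowerShell process on the web host seconds later, an admin export, an outbound connection, and an archive written to a public folder. Without the timezone normalization the endpoint events would have sorted two hours late and the sequence would make no sense.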
Tools used in DFIR
- Eric Zimmerman’s tools: a legendary set of tools that, as a DFIR, you are going to use daily.
- KAPE: This tool automates the collection and parsing of forensic artifacts and can help create a timeline of events.
- Autopsy: used for conducting forensic investigations and analyzing digital evidence. It is a powerful tool that allows investigators to examine and extract data from various types of media, including hard drives, mobile devices, and memory dumps.
With Autopsy, investigators can perform various tasks such as file system analysis, keyword searching, timeline analysis, and metadata extraction. It provides an intuitive user interface and supports the analysis of both file-level and disk-level data.
- Volatility: helps perform memory analysis for memory captures from both Windows and Linux operating systems.
- FTK Imager: It is widely used in the field of digital forensics to create forensic images and acquire data from various sources, such as hard drives, memory, and mobile devices. Also, you can depend on it for doing disk analysis and exploring all the common methods of investigation.
- Redline: It’s an incident response tool; it can gather forensic data from a system and help you analyze the collected forensic information.
- Velociraptor: An advanced endpoint monitoring, forensics, and response platform. It is open-source but very powerful.
These are not all the tools used in forensics, as there are an uncountable number of them, but these are the most common ones.
We are going to talk about Volatility more later, as it is necessary to master it when it comes to memory forensics.
At the end, I am just going to tell you that we have multiple categories in forensics.
Categories of Forensics
- Disk
- Memory
- Mobile
- Network
- Application
- …….
I can’t explain them in just some blogs, as these are wide topics to learn about. But you are going to learn them via some books that you will find later in the roadmap.
Volatility
Volatility is a free memory forensics tool developed and maintained by the Volatility Foundation, commonly used by malware and SOC analysts within a blue team or as part of their detection and monitoring solutions.
Volatility is the world’s most widely used framework for extracting digital artifacts from volatile memory (RAM) samples.
Acquiring memory dumps can be done by various tools, such as:
- FTK Imager
- Redline
- DumpIt.exe
- win32dd.exe/ win64dd.exe
- Memoryze
- FastDump
Memory extraction will output a .raw file, with some exceptions, like Redline. And for virtual machines, when you acquire memory dumps on them, you get different files, such as:
- VMware - .vmem
- Hyper-V - .bin
- Parallels - .mem
- VirtualBox - .sav
When it comes to the analysis with Volatility, you have multiple plugins that you can use, which is better than doing everything manually.
Volatility has two versions, 2 and 3. This is a walkthrough on how to download and set them up.
I am also going to list some cheat sheets that I use when dealing with volatility.
Command Reference · volatilityfoundation/volatility Wiki (github.com)
Volatility 3 CheatSheet — onfvpBlog [Ashley Pearson]
Volatility — CheatSheet — HackTricks
Normally, when you are dealing with a memory image, first you need to determine the profile with the imageinfo plugin:
`python vol.py -f dump.mem imageinfo`
Then you start doing your analysis with the plugins:
`python vol.py -f dump.mem --profile=<profile here> <plugin>`
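The profile step above is Volatility 2 behaviour (Volatility 3 resolves the OS symbols itself and has no `--profile` option). imageinfo usually suggests several profiles, and the first one is normally the right one, so the next step is to pick it and run a fixed set of triage plugins against the dump. The script below is an added example for this post, not part of Volatility: it parses a constructed imageinfo output, picks the first suggested profile, and builds the command lines for a triage run. The dump path and the imageinfo text are constructed; the plugin names (pslist, pstree, netscan, cmdline, malfind, kdbgscan) are real Volatility 2 plugins.

```python
import re
import shlex

# Constructed Volatility 2 imageinfo output (not from a real case).
IMAGEINFO_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/dump.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
"""

# Plugins worth running on every Windows image before going deeper.
TRIAGE_PLUGINS = ["pslist", "pstree", "netscan", "cmdline", "malfind"]


def suggested_profiles(imageinfo_output):
    """Return the profiles from the 'Suggested Profile(s)' line, in the order imageinfo listed them."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def vol2_command(dump, profile, plugin, vol="python vol.py"):
    """Build one Volatility 2 invocation; the dump path is shell-quoted."""
    return f"{vol} -f {shlex.quote(dump)} --profile={profile} {plugin}"


def triage_commands(dump, imageinfo_output, plugins=TRIAGE_PLUGINS):
    """Pick the first suggested profile and build the triage command list.

    If imageinfo suggested nothing, the KDBG search failed; kdbgscan is the usual next step.
    """
    profiles = suggested_profiles(imageinfo_output)
    if not profiles:
        raise ValueError("imageinfo suggested no profile; run kdbgscan and choose one manually")
    profile = profiles[0]  # confirm with pslist: garbage process names mean the profile is wrong
    return profile, [vol2_command(dump, profile, p) for p in plugins]


if __name__ == "__main__":
    profile, cmds = triage_commands("dump.mem", IMAGEINFO_OUTPUT)
    print("using profile:", profile)
    print("\n".join(cmds))
```

Sanity-check the chosen profile with pslist before trusting anything else: if the process list is empty or full of nonsense names, try the next suggested profile.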
Now you have to explore the plugins and know what each one does.
That’s it for now.
Cya geeks