Incident Response Basics: Getting started with DFIR

The digital world has borrowed terminology and principals form the kinetic world for decades. We’ve all heard of an upcoming cyber war using cyber bullets spawned from the digital pearl harbor. We have gangs, as well as cyber-gangs, or criminals, as well as cyber criminals. The reason there are so many comparisons is that there are a lot of parallels between the digital and physical world around us.

One of the most fascinating areas of information security to me is digital forensics and incident response, or DFIR. Understanding how an attack took place and piecing together the puzzle with the scattered pieces is a difficult challenge, especially when some or all of the pieces may be missing.

Years ago, a mentor of mine told me about Locard’s Exchange Principle. A criminal is always going to bring something to and leave something from a crime scene.

For the digital world, Locard’s principle is solid. An attacker coming in is going to introduce change and leave behind modified files, new services, audit logs and any number of evidence behind. Even the best attackers who clean their tracks are still going to leave some trace evidence behind.

The challenge for incident responders is to find those traces in order to piece together a picture of what might have happened on the systems they are investigating. While pulling memory from an endpoint and using a tool, such as Volatility, is comprehensive when doing analysis, gathering memory from multiple machines across an enterprise can become a lengthy and costly process.

Before doing costly incident response procedures such as memory analysis, you should first determine which systems might require that level of analysis. Doing live disk analysis of a system can help make that decision of which systems to take memory from. When doing a (Read more...)