DFIR Flashcards
DF
Digital Forensics: Examining and analyzing artifacts after a cyberattack
IR
Incident Response: Performing actions when a cyber event occurs
DFIR
Investigate and respond to a cyberattack after an incident
Threat Hunting
Active defense. Proactively search for threats
IRP
Incident Response Plan
Stages of Incident Response Planning
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
DFIR Process
Collect Evidence, Examine Collected Data, Analyze Important Artifacts, Report the Findings
DF Analysis Types
Dead Analysis (powered off computers)
Live Analysis (powered on computers)
Targeted Artifacts
Files on a Drive, Memory Artifacts, Processes, Log Files, Cached Data
Acquisition Tools
dd (data Dump): Drive Acquisition
FTK Imager: Drive and Memory Acquisition
DumpIt: Memory Acquisition
Non-Repudiation
Provides proof of the origin and integrity of data
RACI
Responsible, Accountable, Consulted, Informed
Used to assign roles and responsibilities for each incident alert
NIST
National Institute of Standards and Technology
Government agency
SANS
Private organization. Offers research and education in the field of information security
DRP
Disaster Recovery Plan
Outlines response strategies for unplanned events. Helps minimize their effects
Data Acquisition Recommendations
Acquire memory before the drive
Memory captures are better if a user is logged on
Use sterilized media
Document the capture properly
System interaction should be minimal
Capture to an external source
Full Clone
The closest option to having the actual drive
Logical Image
Narrows the search field. Some evidence may be spread across multiple partitions.
Capture Formats
RAW, ISO, EWF, dd
Clonezilla
Linux distribution for cloning drives. Not typically for forensic purposes.
Can clone over the network
FTK Imager
Part of the Forensic Toolkit suite. Clones drives through an interactive wizard
Forensic Image Formats
E01: Provides compression, per-file checksums, and password protection
AFF: Stores the imaged disk as compressed segments to save space, together with the image's metadata
Autopsy
Uses forensic tools from The Sleuth Kit. Creates cases for captures
Image Splitting
Virtualization software may split a drive into multiple files. Splitting is done to increase read and write speeds
History
Includes entered URLs and webpages marked as favorites
Cache
Files, images, scripts, and other media-related data
Prefetch Files
Applications executed in Windows create prefetch files
The files are used as cache for loading time optimization
PowerForensics
PowerShell add-on that provides a forensics framework
Works with FAT and NTFS and can be launched from live systems
Depends mostly on the MFT (Master File Table)
PowerForensics Operation Modes
Live System and Mounted Drive
Errors can occur if the drive is larger than 2TB
PowerForensics Analysis Capabilities
Boot and Partitions, NTFS and EXT4, Windows Artifacts, Windows Registry, Application Cache
Boot Record types
MBR: Supports up to 4 partitions per storage device, and only storage devices up to 2 TB
GPT: Supports storage devices up to 16 exabytes and up to 128 partitions
NTFS Specialties
Journaling: Recording storage device activity
Indexing: Enables quick access to files stored on devices
Alternate Data Stream (ADS): More than one resource included in a single file
File Carving
Reassembles files from fragments when no metadata is available.
Can be used to recover partially overwritten files
Memory Analysis: 6 Investigation Steps
Processes, DLL & Handles, Network, Code Injection, Rootkits, Dump
Network Investigation: Network Connections
Connscan: Scans for identifiable TCP connections in older versions of Windows (Netscan can be used in more recent versions of Windows)
Sockets: Scans for all open sockets
Logs
Automatically created to store records of events
Log Classification
Informational, Debug, Warning, Error, Alert
Log Attacks: What Is Attacked
Host on which logs are generated, Transmitted logs, Agents that collect logs, Database in which logs are stored
Threat Hunting
Proactive approach to handling cyberattacks. Aims to protect an organization from covert cyberthreats
Threat Intelligence
Based on learning from others' mistakes. Forensic researchers can learn about new exploitation techniques from public sources
IOC
Indicators of Compromise. Help determine whether an organization was harmed by a deployed threat. Can be used to distinguish false positives.
Malware Forensics Suspicious Behavior
Increased Traffic, Accessed File Types, Service Inspection, Domain Identification, Persistence
Zeek
Framework used to parse, normalize, and correlate logs. Focuses on extracting security-related information from logs to detect anomalies.
Malware Analysis
Describes all actions, methods, and tools used to identify and study malicious behavior.
Reverse Engineering
The process of deconstructing an executable to reveal its design, architecture, and activity
Static Analysis
Can provide a lot of info even without executing the code. Used to identify IoCs
Binwalk
Static Malware Analysis tool. Enables identification of magic byte patterns in a file.
DLL
Dynamic-Link Library: A Windows file containing code and data that can be used by another program
Dynamic Analysis
Methodology based on executing malware. Used to analyze malware’s behavior and impact on the system
Monitored Data
File System Changes, Network Activity, Registry Changes