Digital Forensics & Incident Response
What is DFIR?
DFIR is the acronym for Digital Forensics Incident Response. Within computer forensics there is a branch known as Incident Response and a discipline known as Digital Forensics. The main objective of professionals specialized in both disciplines is to respond quickly and effectively to a cybersecurity incident so that it has the least possible impact on organizations.
These professionals specialized in DFIR identify, investigate and remediate the effects of a cyberattack, identifying the entry vector to the organization, its scope within the company’s systems, whether information has been exfiltrated, etc.
So basically, as in the picture below, DFIR professionals are like firefighters, ready to jump into the incident and respond to it. They will then be able to obtain evidence and present it in a court of law.
Incident Response.
Today, there are a multitude of complex threats to information systems, imagine if your employee downloads a zip file from an email and it is actually an ISO that launches a malicious process such as a Bumblebee.
To facilitate an orderly response to these incidents, organizations of all sizes have considered adding an incident response capability to their existing policies and procedures.
Having the ability to respond appropriately and in a timely manner to security incidents allows organizations to not only limit the damage from a potential cyberattack, but also recover from the damage caused.
Incident Response Process.
There is a general trajectory that cybersecurity incidents follow throughout their life. If the organization has a mature incident response capability, it will have taken steps to ensure that it is prepared to deal with an incident at every stage of the process.
We will start with good preparedness, followed by detection, analysis, containment, eradication and recovery, ending with post-incident activity.
Role of Digital forensics
Digital forensics is a critical component to incident response, there is more to addressing an incident than examining hard drives. Forensics is a supporting function of the overall incident response process. Some incidents such as DoS will require little to no forensic work but others like C2 will requires more of digital forensics.
Digital Forensics.
Digital forensics is an important component of incident response. It is often the application of digital forensics methods that allows incident responders to gain an understanding of the chain of events that led to a malicious action, such as a server compromise or a data breach.
Digital Forensic Process.
In my case, I will introduce you to the Digital Forensics Research Workshop (DFRWS). This framework contains six elements:
- Identification.
- Preservation.
- Collection.
- Examination.
- Analysis.
- Presentation.
Chain of custody.
The chain of custody describes the documentation of a piece of evidence throughout its life cycle. This lifecycle begins when a person first assumes custody of the evidence item until when the incident is finally disposed of and the evidence can be returned or destroyed. It is critical to maintain a proper chain of custody in the event that an item of evidence has to be presented in court.
Conclusion
I hope you found it useful and hopefully you will find in DFIR your dream position in the cybersecurity world. For people living in Spain, I emphasize that I am not being paid for this, you can visit the following link to the Securizame course page where they offer reasonably priced courses on DFIR.