Digital Forensics and Incident Response

What is Digital Forensics and Incident Response? 

Digital Forensics & Incident Response is a multidisciplinary profession that focuses on identifying, investigating, and remediating computer network exploitation. This can take varied forms and involves a wide variety of skills, kinds of attackers, and kinds of targets.

DFIR is a broad field, so here are some of the basics you should know as an introduction to DFIR and where to learn more. Over the coming days I’m going to post about various topics in DFIR (more below), and since people learn differently I will provide different types of resources. Each topic will have:

  • A video: For an easy broad introduction.
  • A link: To a site focused on that topic.
  • A tool: If you’re going to know one tool, this is the one.
  • A book: To go deep into a subject you’ll have a comprehensive resource.
  • A person: An expert in each subject who you’ll want to learn from.

How do Digital Forensics and Incident Response Work?

During an engagement one of our experienced investigators will be assigned to provide incident triage and management, bringing together your internal staff, relevant third-parties and dedicated technical assistance from NCC Group.

They conduct specialist analysis, identify the impact to the business and provide fast remediation advice. Through a combination of evidence protection and forensically sound investigation, our investigators will:

  • Determine how the incident or breach occurred, by understanding the initial vector of attack and compromise.
  • Determine the capabilities and activity of a threat actor, and the extent of infiltration.
  • Advise on data theft, configuration changes or other malicious actions carried out by the threat actor.
  • As requested, help with law enforcement or third-party vendor coordination for the purposes of attribution and enterprise-wide protection measures.

What Tools do Digital Forensics and Incident Response use?

New tools are developed every day, both as elite government-sponsored solutions and basement hacker rigs. The recipe for each is a little bit different. Some of these go beyond simple searches for files or images and delve into the arena of cybersecurity, requiring network analysis or cyber threat assessment. When there is a tool for everything, the most pressing question is which one to use. Below are some of the best tools for digital forensics and cybersecurity.

Digital Forensics Tools:

  • Autopsy
  • Encrypted Disk Detector
  • Wireshark
  • FAW
  • X-Ways Forensics

For more Awesome Digital Forensics Tools: Link.

Incident Response Tools:

  • CimSweep
  • CIRTkit
  • Cyber Triage
  • Falcon Orchestrator
  • GRR Rapid Response
  • Kolide Fleet
  • MozDef

For more Awesome Incident Response Tools: Link.

What are the skills required for a Digital Forensics and Incident Response job?

DFIR is a mix of technical and soft (people & process) skills. DFIR is a skill unto itself; we’ll start with some general resources, then get into specifics.

  • File System Forensics
  • Memory Forensics
  • Network Forensics
  • Malware Triage
  • Log Analysis
  • Intelligence Analysis
  • Attacker Methodology
  • Development

What are Digital Forensics and Incident Response professional Certifications?

Certifications are not the only thing you need, but they are definitely required to get your foot in the door of the field.

  • EC-Council (ECIH, CHFI, CEIH)
  • eLearnsecurity (IHRP, DFP