Intro to DFIR: The Divide and Conquer Process

Notes from Basis Technology course

General Process

Start with the investigative question you need to answer. Decide whether it is specific enough to be answered completely with a single artifact category. If not, break it down into smaller questions, and repeat the check on each of them.

Once we have specific questions:

  • We will prioritize the questions

  • We will review the artifacts to answer the question

  • Based on the answer, we will figure out our next step.

Break Down Techniques

We first try to break down questions based on how computers work. We may also break them down based on how attackers operate.

Examples

What process initiated the connection to the suspicious IP?

Questions Taxonomy

  • Malicious Process Questions

    • Backdoor, C2, keyloggers, etc.

  • User Questions

    • Account takeover, insider threat, etc.

  • OS Config Questions

    • Services enabled, logging disabled, etc.

  • Hardware Questions

    • Firmware, BIOS, etc.

Endpoint Visibility Tools

There are two types: collection and analysis.

Collection

Select artefacts or collect them continuously

Analysis

Give a context about an artefact, pivot between artefacts or score artefacts.
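A worked version of the example question above ("What process initiated the connection to the suspicious IP?") showing the pivots between artefact categories (network connection to process to parent chain to user) and a simple score. This is an added example, not part of the course material or Cyber Triage; the artefacts, PIDs, paths and IP addresses are constructed sample data.

```python
# Constructed sample artefacts for this example; none of it is real data.
CONNECTIONS = [  # network artefact category
    {"remote_ip": "203.0.113.45", "remote_port": 443, "pid": 4120},
    {"remote_ip": "198.51.100.7", "remote_port": 443, "pid": 880},
]
PROCESSES = {  # process artefact category, keyed by PID
    4120: {"name": "svch0st.exe", "path": r"C:\Users\jdoe\AppData\Roaming\svch0st.exe", "ppid": 3310, "user": "jdoe"},
    3310: {"name": "WINWORD.EXE", "path": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "ppid": 1200, "user": "jdoe"},
    1200: {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe", "ppid": 0, "user": "jdoe"},
    880: {"name": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\chrome.exe", "ppid": 1200, "user": "jdoe"},
}
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

def connections_to(ip):
    """Sub-question 1 (network artefacts): which connections go to the IP?"""
    return [c for c in CONNECTIONS if c["remote_ip"] == ip]

def ancestry(pid):
    """Sub-question 2 (process artefacts): the process plus its parent chain."""
    chain, seen = [], set()
    while pid in PROCESSES and pid not in seen:  # guard against PID cycles
        seen.add(pid)
        chain.append({**PROCESSES[pid], "pid": pid})
        pid = PROCESSES[pid]["ppid"]
    return chain

def score(chain):
    """Score the connecting process: cheap heuristics that justify a deep dive."""
    proc, reasons = chain[0], []
    if "\\AppData\\" in proc["path"]:
        reasons.append("binary runs from a user-writable profile directory")
    if any(p["name"].upper() in OFFICE_APPS for p in chain[1:]):
        reasons.append("spawned by an Office application")
    return reasons

def investigate(ip):
    """Answer the question by pivoting network -> process -> parents -> user,
    then record the next questions that the answer raises."""
    findings = []
    for conn in connections_to(ip):
        chain = ancestry(conn["pid"])
        proc = chain[0]
        findings.append({
            "process": proc["name"], "pid": proc["pid"], "user": proc["user"],
            "parent_chain": [p["name"] for p in chain[1:]],
            "flags": score(chain),
            "next_questions": [
                f"How did {proc['name']} get on disk and how does it persist?",
                f"What else has account {proc['user']} done recently?",
            ],
        })
    return findings
```

Each sub-question maps to one artefact category, and the "next_questions" list is the "figure out our next step" stage of the process.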

Approaches

  • Using UI (Process Explorer, Task Scheduler, Event Viewer, ...)

  • CLI

  • EDR (Continuous Monitoring)

  • Image (Full Disk Image)

The more automation you can get, the more efficient you will be.

Resources

Cyber Triage Basics

Basic workflow

  1. Collect Artefacts

  2. Score

  3. Review

  4. Deep Dive (optional)

  5. Report

User Activity

Look for suspicious accounts (present now or in the past), suspicious logins, and suspicious account activity related to those accounts.

Malware

Is it malicious or not?

Malware needs to be started first; once running, it will typically try to hide itself and then carry out its malicious actions.

OS Configuration Change

Are there malicious OS configuration changes? Baselines are important!

Process and Prioritization

Prioritize.

Conclusion
