Introduction to DFIR

What is DFIR anyway?

  • Curiosity: It’s always about what you don’t know.
  • Attention to Detail: You never know what bit of data makes the difference.
  • A Need for Variety: One day it’s logs, the next it’s packets, then memory.
  • Working with People: There’s always an attacker and a victim.
  • An Affinity for Stress: You don’t have to like it, but you must handle it.
  • The Taste for Blood: Great DFIR engineers want to win and hate to lose.

  • A video: For an easy, broad introduction.
  • A link: To a site focused on that topic.
  • A tool: If you’re going to know one tool, this is the one.
  • A book: To go deep into a subject you’ll have a comprehensive resource.
  • A person: An expert in each subject who you’ll want to learn from.

DFIR Skills

Technical Skills

File System Forensics

Memory Forensics

  • Video: Memory Forensics for Incident Response ~ I’m not big into memory forensics, so I learned a lot from this SANS DFIR Webcast. I think it’s a solid starting resource.
  • Link: Volatility Labs ~ If you’re doing memory analysis with Volatility (and it’s where I’d start) you want the Volatility blog.
  • Tool: Volatility ~ The de facto standard. Also look at Google’s Rekall.
  • Book: The Art Of Memory Forensics ~ A 4.6 rating on GoodReads and the recommendation of all the memory analysis folks I know is enough for me.
  • Person: @attrc — Andrew Case ~ I hear he’s taken a course on Memory Forensics. And was a core Volatility dev. And wrote the Art of Memory Forensics.

Network Forensics

  • Video: Network Forensics: What Are Your Investigations Missing ~ Phil Hagen wrote the book… er… course on advanced Network Forensics, but this introduction is pretty awesome. This is a great overview of what you can do with Network Forensics.
  • Link: Pcapr ~ The toughest thing with learning network forensics is having interesting pcaps to look at. This collection has some of everything, from DDoS to Malware. Just what the doctor ordered.
  • Tool: Wireshark ~ The de facto tool for ripping apart packets is Wireshark. Learn more about it here.
  • Book: The Tao of Network Security Monitoring ~ I think every Network Analysis type I know cut their teeth with Tao. Somewhat dated now, but the seminal work on the topic.
  • Person: @Hectaman — Liam Randall ~ Doing some amazing stuff with the Bro network intrusion detection system.

Malware Triage

  • Video: Lenny Zeltser’s Introduction to Malware Analysis ~ There are only a handful of speakers I will always take the chance to hear. Lenny is one of them. I learn something every single time.
  • Link: Malwr ~ So this is actually a tool which analyzes malware by running it, but it’s also a great place to experiment and learn.
  • Tool: Yara ~ It’s basically AV you control. Also check out this intro video.
  • Book: Practical Malware Analysis ~ Easily the best book I’ve read for getting stronger in RE, this takes a very real world approach.
  • Person: @lennyzeltser — Lenny Zeltser ~ There are tons of amazing malware analysts. Lenny is the best teacher of them all.

Log Analysis

Intelligence Analysis

Attacker Methodology

Development

  • Video: Write your own tools with python ~ Nicolle’s high level introduction to Python is a whirlwind, but excellent for getting started, especially if you have some programming background.
  • Link: Codecademy: Learn Python ~ If you want hands-on, this is the place to learn Python. You’ll be writing real code in minutes.
  • Tool: Python ~ People will argue, but it’s my go-to. Also look at Go.
  • Book: Grey Hat Python ~ I didn’t love this book, too penetration testing heavy for me, but it got the key points across.
  • Person: @pidydx — Sean Gillespie ~ A passionate DFIR+Developer and one of the major non-Google GRR developers.

Soft Skills

Investigation Process & Analysis

Operational Security

Communication

Working in a Team

Gaining Experience

T Shaped People

  • Not everyone needs to have the same skills. It’s ok to have an affinity for one skill and struggle a bit more with another.
  • DFIR teams must focus on complementary skills. If you have a team strong in memory forensics, perhaps you want your next hire to be a strong malware analyst. No one person can be an expert in everything, but your team should have strength across the board.

Conclusion

Honorable Mentions

Network Defender, developer, speaker, writer, author of O’Reilly’s Intelligence Driven Incident Response, & SANS instructor. Bad guy catcher.

Scott J Roberts