Introduction to DFIR

What is DFIR anyway?

  • Curiosity: It’s always about what you don’t know.
  • Attention to Detail: You never know what bit of data makes the difference.
  • A Need for Variety: One day it’s logs, the next it’s packets, then memory.
  • Working with People: There’s always an attacker and a victim.
  • An Affinity for Stress: You don’t have to like it, but you must handle it.
  • The Taste for Blood: Great DFIR engineers want to win and hate to lose.
  • A video: For an easy broad introduction.
  • A link: To a site focused on that topic.
  • A tool: If you’re going to know one tool, this is the one.
  • A book: To go deep into a subject you’ll have a comprehensive resource.
  • A person: An expert in each subject who you’ll want to learn from.

DFIR Skills

Technical Skills

File System Forensics

Memory Forensics

  • Video: Memory Forensics for Incident Response ~ I’m not big into memory forensics, so I learned a lot from this SANS DFIR Webcast. I think it’s a solid starting resource.
  • Link: Volatility Labs ~ If you’re doing memory analysis with Volatility (and it’s where I’d start) you want the Volatility blog.
  • Tool: Volatility ~ The de facto standard. Also look at Google’s Rekall.
  • Book: The Art Of Memory Forensics ~ A 4.6 rating on GoodReads and the recommendation of all the memory analysis folks I know is enough for me.
  • Person: @attrc — Andrew Case ~ I hear he’s taken a course on Memory Forensics. And was a core Volatility dev. And wrote the Art of Memory Forensics.

Network Forensics

  • Video: Network Forensics: What Are Your Investigations Missing ~ Phil Hagen wrote the book… er… course on advanced Network Forensics, but this introduction is pretty awesome. This is a great overview of what you can do with Network Forensics.
  • Link: Pcapr ~ The toughest thing with learning network forensics is having interesting pcaps to look at. This collection has some of everything, from DDoS to Malware. Just what the doctor ordered.
  • Tool: Wireshark ~ The de facto tool for ripping apart packets is Wireshark. Learn more about it here.
  • Book: The Tao of Network Security Monitoring ~ I think every Network Analysis type I know cut their teeth with Tao. Somewhat dated now, but the seminal work on the topic.
  • Person: @Hectaman — Liam Randall ~ Doing some amazing stuff with the Bro network intrusion detection system.

Malware Triage

  • Video: Lenny Zeltser’s Introduction to Malware Analysis ~ There are only a handful of speakers I will always take the chance to hear. Lenny is one of them. I learn something every single time.
  • Link: Malwr ~ So this is actually a tool which analyzes malware by running it, but it’s also a great place to experiment and learn.
  • Tool: Yara ~ It’s basically AV you control. Also check out this intro video.
  • Book: Practical Malware Analysis ~ Easily the best book I’ve read for getting stronger in RE, this takes a very real world approach.
  • Person: @lennyzeltser — Lenny Zeltser ~ There are tons of amazing malware analysts. Lenny is the best teacher of them all.

Log Analysis

Intelligence Analysis

Attacker Methodology
  • Video: Write your own tools with python ~ Nicolle’s high level introduction to Python is a whirlwind, but excellent for getting started, especially if you have some programming background.
  • Link: CodeAcademy: Learn Python ~ If you want hands-on, this is the place to learn Python. You’ll be writing real code in minutes.
  • Tool: Python ~ People will argue, but it’s my go-to. Also look at Go.
  • Book: Grey Hat Python ~ I didn’t love this book, too penetration testing heavy for me, but it got the key points across.
  • Person: @pidydx — Sean Gillespie ~ A passionate DFIR+Developer and one of the major non-Google GRR developers.

Soft Skills

Investigation Process & Analysis

Operational Security
Working in a Team

Gaining Experience

T Shaped People

  • Not everyone needs to have the same skills. It’s ok to have an affinity for one skill and struggle a bit more with another.
  • DFIR teams must focus on complementary skills. If you have a team strong in memory forensics, perhaps you want your next hire to be a strong malware analyst. No one person can be an expert in everything, but your team should have strength across the board.
Honorable Mentions
Network Defender, developer, speaker, writer, author of O’Reilly’s Intelligence Driven Incident Response, & SANS instructor. Bad guy catcher.
Scott J Roberts