Mohab Gabber

Demystifying DFIR: Understanding the Basics of Digital Forensics and Incident Response

I think it's no exaggeration to say that not a day passes without you interacting with a computer in some form: your phone, PC, smart TV, smart watch, smart fridge, or any other device. For all of those computers to work, they need an operating system, and because an operating system handles an enormous number of operations every second, it needs to keep track of what is happening. That record of activity is where this article starts.

Incident Response

Let's imagine that you work as a SOC analyst in a startup called "C4T5 4R3 C00L". You run an educational platform that teaches people how awesome cats are, but suddenly you get a text message from the CEO telling you that his personal computer was hacked. "It's ransomware," he says. "All my files are gone!" How did this happen? What should you do now?

Well, don't worry; we will walk through the process together and try to save the day.

Here's what we need to do:

  1. We need to identify the threat, contain it, and isolate it by revoking the CEO's access to the company's systems.
  2. Then we need to assess the threat—was this a sophisticated attack? Did the attacker exfiltrate the CEO's files?
  3. Then we need to stop freaking out, grab a cup of coffee in our favorite cat-themed mug, and develop a plan to resolve this issue and prevent it from reoccurring.
  4. Then we need to actually do what we planned and resolve the problem.
  5. Finally, to ensure that cats remain superior to dogs, we need to make sure this doesn't happen again. We need to learn from what happened and improve the security of our systems.

What we just walked through is known as incident response: an organized effort by an organization to address and contain a security breach or cyber incident. Developing a good incident response plan, and actually carrying it out, is crucial to containing any breach and keeping the damage as small as possible.

Digital Forensics

To be able to identify what happened on our systems, we need to carry out a forensic analysis of the affected systems. A typical forensic analysis consists of collecting, preserving, and analyzing digital artifacts and evidence.

What is a digital artifact?

A digital artifact is any trace that activity leaves on a computer system and that can be collected and used as evidence. Artifacts can be files, logs, the Windows registry, browsing history, metadata, and more.

Carrying out the task

The CEO of "C4T5 4R3 C00L" assigned you the task of identifying the threat, eliminating it, and making sure nothing else is affected, and then he gave you a speech about the importance of this company and how cute cats are. Now that you feel motivated, let's get to work!

First of all, you need to take an image of the system so you can examine it without altering the original, so you connect a write-blocker to the CEO's laptop drive, take an image of the system, and make working copies of that image.
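The preservation step above deserves one concrete check before any analysis starts: hash the master image and every working copy, and only analyze copies whose hash matches. The following Python is an added example, not code from the article; the chain-of-custody record format and the sample image bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image never fills memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, reading it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_copies(master, copies):
    """Hash the master image once, then check every working copy against it.

    Returns (master_hash, {copy_path: matches}) so the caller can log the
    hash and refuse to analyze any copy that does not match.
    """
    master_hash = hash_file(master)
    return master_hash, {c: hash_file(c) == master_hash for c in copies}


def custody_record(master, copies, examiner):
    """Build a chain-of-custody entry (hypothetical format, constructed here)."""
    master_hash, results = verify_copies(master, copies)
    return {
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "master": master,
        "sha256": master_hash,
        "copies_ok": [c for c, ok in results.items() if ok],
        "copies_bad": [c for c, ok in results.items() if not ok],
    }


def demo():
    """Constructed sample: a tiny fake image, one faithful copy, one altered copy."""
    d = tempfile.mkdtemp()
    master, good, bad = (os.path.join(d, n) for n in ("ceo-laptop.dd", "copy1.dd", "copy2.dd"))
    image = b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096
    for path, data in ((master, image), (good, image), (bad, image[:-1] + b"\x01")):
        with open(path, "wb") as f:
            f.write(data)
    return custody_record(master, [good, bad], "soc-analyst")
```

A copy that fails the check is set aside and re-imaged rather than analyzed, and the recorded hash is what lets anyone later prove the evidence was not altered.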

After analyzing logs, registry entries, and captured network traffic, we found out that the CEO received an email containing a spreadsheet. The attacker spoofed the email to appear as if it was coming from an employee in the company and claimed that the file was the financial report for the company. The CEO then proceeded to download the file and run it. This file contained macros that downloaded the ransomware and executed it on his machine.

Now that you know what happened, you start by revoking the CEO's access to the company's systems, then you take a copy of the malware file to analyze it, determine what it did, and check whether it can be used to decrypt the files. After analyzing the malware, you find that it did exfiltrate the files to an attacker-controlled server. You also find that it contains the decryptor, so you reverse engineer it and are finally able to decrypt the files and restore the CEO's machine.

But the job is still not done. You have a meeting with the CEO, urge him to change all his passwords, teach him how to verify where an email really came from, and agree to train the employees on basic cybersecurity so that this never happens again.

Great job! Crisis averted!

If you like this article, don't forget to like, share, and leave a comment!

More articles on DFIR are coming soon <3