April 20, 2023 | Cyber security education
What is digital forensics and incident response (DFIR)?
With contributions from Ted Raymond.
When it comes to cybersecurity, we tend to focus more on the things we should do to avoid a cybersecurity incident. While those things are certainly important, cyberattacks are happening more often and with more sophistication, and an incident happening at your organization is now a matter of "when," not "if."
Because of this, it's a good idea to also focus on the steps to take during and after an incident. How do you recover? How do you prove that a cybercriminal attacked your business and address the resulting impact?
The answer is simple: digital forensics and incident response (DFIR).
In this blog, you’ll learn:
- What DFIR is and why it’s important
- The steps in the DFIR process
- The role of DFIR in cybersecurity
- What skills and tools are needed for DFIR
What is digital forensics & incident response?
DFIR is a specialized field focused on identifying, remediating, and investigating cybersecurity incidents. As the name suggests, DFIR consists of two components:
- Digital forensics involves collecting, preserving, and analyzing forensic evidence.
- Incident response involves containing, stopping, and preventing a cyberattack.
DFIR fuses traditional incident response (IR) activities—such as response planning and rehearsal, IT architecture documentation, and playbook development—with digital forensics techniques.
While traditional IR usually carries some investigative elements, DFIR takes it to another level by emphasizing digital forensics.
With DFIR, businesses can resume normal operations after a cyberattack while also improving their resiliency against future attacks. What's more, DFIR gives you the evidence you need to press charges against the criminals who targeted your operations or to support a cyber insurance claim.
And given just how expensive and damaging a single attack can be, it’s more important than ever to know how to respond to a cybersecurity incident and what your legal options are if you’re targeted.
Now, let's dive deeper into the two individual components.
What is digital forensics?
Digital forensics is a branch of forensic science that covers digital technology. Analysts focus on the recovery, investigation, and examination of material found on digital devices.
The end goal of digital forensics is to gather and preserve evidence to aid in prosecuting cybercrime, should the culprits behind an attack face criminal charges.
There are generally four major reasons why an organization engages in digital forensics:
- To confirm whether a cyberattack occurred
- To understand the full impact of a cyber incident
- To identify the cause behind a cyberattack
- To collect evidence proving a cyberattack occurred
As in any forensic investigation, speed is critical, especially if an attack is ongoing. Acting fast can help stop active cyber incidents and reduce the overall damage to a victim organization.
Computers, networks, and devices are continuously producing data that may be crucial to an investigation, even while sitting idle. Over time, the risk that this data is deleted, overwritten, or otherwise altered increases.
Many forensic artifacts are highly dependent on the state of a computer in the immediate aftermath of an incident. Forensic investigators need to move quickly to ensure they capture all this information before it's lost.
What is incident response?
Incident response (IR) is a set of activities a business engages in during a cybersecurity incident. For the purposes of IR, a cyber incident can be defined as any event that compromises information confidentiality, integrity, and/or availability—core principles of information security that are often referred to as the “CIA triad.”
IR activities are typically informed by an IR plan designed to get IT infrastructure back up and running as quickly as possible while mitigating the overall damage of an incident.
First and foremost, IR plans and frameworks are designed to support recovery efforts. In a broader sense, they also help organizations build cyber maturity and proficiency, which may enhance defenses and stop attacks and incidents from affecting the business in the first place.
Why is DFIR important in cybersecurity?
For businesses targeted by a cyberattack, recovery is the top-of-mind concern—but beyond getting back up and running, it’s also important to understand the how and why behind an incident.
DFIR delivers that deeper understanding through a comprehensive and intricate forensic process. DFIR specialists gather and inspect a wealth of information to determine who attacked the organization, how the attackers got in, the exact steps they took to compromise its systems, and what can be done to close those security gaps.
The digital forensic process
The digital forensic process is the accepted method investigators follow to gather and preserve digital evidence, with the express intent of maintaining a chain of custody. It consists of three key steps:
- Acquisition. In this step, investigators create an exact duplicate of the media in question, usually using a hard drive duplicator or specialized software tools. The original media is secured to prevent any tampering.
- Analysis. Forensic specialists then analyze the duplicated files or technology, logging all the evidence they discover that supports or contradicts a hypothesis. Ongoing analysis is conducted to reconstruct the events and actions in an incident, helping them reach conclusions about what happened and how hackers compromised systems.
- Reporting. Once a digital forensics investigation is completed, the findings and conclusions analysts uncovered are delivered in a report that non-technical personnel can understand. These reports are passed on to those who commissioned the investigation and usually wind up in the hands of law enforcement.
Types of digital forensic data
During the acquisition phase of the digital forensic process, analysts look for a variety of forensic data to help them in their investigation:
- Disk images. Generally speaking, a disk image refers to a copy made of a digital storage device. Disk images are bit-for-bit copies of devices, usually of hard disks or hard drives. Sometimes, images may be taken of a USB drive or other type of storage medium.
- Memory images. A computer’s RAM can be recorded by special software, similar to a disk image. Memory images are vital because some advanced techniques or threat actors are undetectable on disk.
- Application data. If a disk or memory image is unavailable or not relevant, investigators will turn to application data. This includes host logs, network device logs, and software-specific logs.
What is the chain of custody?
According to the National Institute of Standards and Technology (NIST), the chain of custody is a “process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for any transfers.”
Basically, the chain of custody is documentation that proves that the evidence used to prosecute a cybercrime is, in fact, legitimate evidence and was not placed fraudulently or edited for malicious purposes.
Why is digital evidence important?
Think of every police procedural story you’ve read or seen on TV. Detectives catch the bad guys by uncovering and documenting evidence that helps them recreate the exact circumstances surrounding a crime. Digital evidence is no different: it comprises significant information transmitted or stored on a digital device during a crime.
Broadly speaking, digital evidence should meet five key criteria:
- It is admissible in court
- It is authentic
- It is complete
- It is reliable
- It is believable
DFIR investigators will gather this information and store it safely to prevent contamination in order to ensure it remains admissible in court.
But it’s not the only sort of evidence they collect; investigators may also assess and document:
- Analogical evidence—comparable incidents or events that may be relevant to understanding the case in question.
- Anecdotal evidence—stories and accounts from other parties that may support a theory when analyzing a situation. Anecdotal evidence is not admissible in court but can nonetheless be useful during an investigation.
- Circumstantial evidence—a type of indirect evidence that makes inferences based on a series of facts, typically to draw conclusions in connection with a crime. This may also be understood as a hypothesis based on known facts, and may also be useful during an investigation.
- Character evidence—this includes individual expert testimony that may help prove intent, motive, and opportunity. It could also include expert testimony about an attack.
How do you store digital evidence?
In theory, gathering digital evidence should be as simple as pulling out a hard drive infected with ransomware. In practice, it’s not quite so simple.
Some types of digital evidence are deemed volatile, or non-persistent, because the data is only retained while the device is powered on or connected to power. Non-volatile or persistent digital evidence, meanwhile, remains stored after power is removed. This may include read-only memory, data in flash memory, or even data on a CD-ROM or other disc.
In many cases, investigators cannot and will not power down affected technology in order to preserve digital evidence.
Because of these challenges, DFIR investigators will typically start by duplicating a hard drive via drive imaging, a process that creates a bit-for-bit perfect duplicate of a drive affected by an attack. As a rule, investigators will operate exclusively on this duplicate when conducting an investigation. This allows them to explore and test hypotheses on the copy without impacting the actual evidence.
The imaging process will also generate cryptographic hash values, which are used to further verify the authenticity of a drive image. Wherever possible, evidence gathered will be stored in a secure location where it can be preserved and accessed for reference later, with added physical security to ensure no item can be compromised.
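The acquisition, hashing and chain-of-custody steps described above, as an added illustration that is not part of the original post: a constructed in-memory "drive" stands in for the original media, the working image is hashed at acquisition, every handling event is logged, and a later integrity check catches a single changed byte in the copy. The `CustodyRecord` schema and the `acquire_image`/`verify_image` helpers are hypothetical names chosen for this example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyRecord:
    """Chain-of-custody log for one evidence item (simplified, hypothetical schema)."""
    evidence_id: str
    sha256: str                      # hash recorded at acquisition time
    entries: list = field(default_factory=list)

    def log(self, handler: str, action: str, purpose: str) -> None:
        # Every handling event records who, when (UTC), what was done and why.
        self.entries.append({
            "handler": handler,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "purpose": purpose,
        })


def acquire_image(source: bytes, evidence_id: str, examiner: str) -> tuple[bytes, CustodyRecord]:
    """Make a bit-for-bit copy of `source` and hash it at acquisition.

    `source` stands in for the original media; in a real acquisition it would
    be read through a write blocker so the original is never modified.
    """
    image = bytes(source)                              # exact duplicate
    digest = hashlib.sha256(image).hexdigest()
    record = CustodyRecord(evidence_id, digest)
    record.log(examiner, "acquired", "create working image; original sealed")
    return image, record


def verify_image(image: bytes, record: CustodyRecord, handler: str) -> bool:
    """Re-hash the working copy and compare with the acquisition hash.

    A mismatch means the copy changed since acquisition, so findings from it
    can no longer be tied back to the original evidence.
    """
    ok = hashlib.sha256(image).hexdigest() == record.sha256
    record.log(handler, "verified" if ok else "VERIFY FAILED", "integrity check before analysis")
    return ok


if __name__ == "__main__":
    # Constructed sample drive contents; not real evidence.
    original = b"MBR\x00" * 64 + b"suspicious.exe" + b"\x00" * 128
    image, record = acquire_image(original, "EV-0001", "examiner_a")
    print(verify_image(image, record, "analyst_b"))      # True: untouched copy
    tampered = image[:256] + b"X" + image[257:]         # same size, one byte altered
    print(verify_image(tampered, record, "analyst_b"))   # False: hash mismatch
```

Real acquisitions additionally record the hash of the original media, the tool and version used, and the device serial, so the record can stand up in court.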
The challenges of DFIR investigations
Because DFIR is a multidisciplinary field that combines soft skills with specialized technical ones, team members will generally have a unique mix of skills, traits, and experience they bring to bear in their role.
By no means a complete list, those skills and experience may include:
- File system forensics—understanding how to apply digital forensics fundamentals, often via software agents, to analyze the file systems of machines, including remote devices.
- Memory forensics—being able to analyze volatile forms of evidence like system memory for signs of compromise is extremely useful, especially for certain malware strains that aren’t detectable on disk.
- Network forensics—did an infection begin as a malicious email or link? Understanding how to analyze network activity remains a highly useful skill in the digital forensics world.
- Malware triage—reverse-engineering malware can help DFIR teams identify particular strains and better address the damage these attacks cause.
- Log analysis—log analysis is frequently automated to save time but remains a highly valuable skill for detecting abnormal activity on a system.
- Software development—technology is always changing at a rapid pace; having a solid understanding of software development can help DFIR teams better understand what they’re protecting. Being able to code and script can be a game-changing skill.
- Communication—good communication is a vital component of incident response, whether it’s with team members, affected organizations, or management.
- Teamwork—DFIR teams are never working alone. Incident response is a high-stress situation that requires team members to understand how to delegate tasks to each other and coordinate their efforts in service of a common goal.
- Analytical thinking—being able to gather information, challenge your own assumptions, and test theories can help teams reach better conclusions. It’s a challenging soft skill to build, but immensely valuable for DFIR.
This is a long list of skills and areas of expertise, and organizations are often hard-pressed to find qualified individuals with relevant experience who will also be a good fit for their business.
Many organizations are turning to external consultants or third-party providers to handle their digital forensics and incident response needs.
Getting started with DFIR
Our team of experienced cybersecurity experts can work with you to help you build your capabilities and ensure your organization can recover in the event of an attack—while making sure you’re able to track down who targeted you.
Interested in taking the first step? Check out our Incident Response Planning page to learn more about how Field Effect can help you prepare for and conduct DFIR investigations.