January 10, 2022 | Cyber security education
What is digital forensics and incident response (DFIR)?
With contributions from Ted Raymond.
How do you prove that a cyber criminal attacked your business and address the resulting impact? You use digital forensics and incident response.
Digital forensics and incident response (DFIR) is a specialized field focused on identifying, remediating, and investigating cyber security incidents. Digital forensics includes collecting, preserving, and analyzing forensic evidence to paint a full, detailed picture of events. Incident response, meanwhile, is usually aimed at containing, stopping, and preventing an attack.
When combined, digital forensics and incident response get your business back up and running while identifying and closing security vulnerabilities—and it gives you the evidence you need to press charges against the criminals who targeted your operations, or support a cyber insurance claim.
And given just how expensive and damaging a single attack can be, it’s more important than ever to know how to respond to a cyber security incident and what your legal options are if you’re targeted.
In this blog, you’ll learn:
- What DFIR is and why it’s important
- The steps in the DFIR process
- The role of DFIR in cyber security
- What skills and tools are needed for DFIR
Digital forensics and incident response, explained
DFIR is a multidisciplinary set of tasks and processes that seek to stop an active cyber security incident. It fuses traditional incident response (IR) activities—such as response planning and rehearsal, IT architecture documentation, and playbook development—with digital forensics techniques.
While traditional IR will usually carry some investigative elements, DFIR takes it to another level by incorporating a greater emphasis on digital forensics.
What is digital forensics?
Digital forensics is a branch of forensic science that covers digital technology. Analysts focus on the recovery, investigation, and examination of material found on digital devices. The end goal of digital forensics is to gather and preserve evidence to aid in prosecuting cyber crime, should the culprits behind an attack face criminal charges.
There are generally four major reasons why an organization will engage in digital forensics:
- To confirm whether a cyber attack took place or not
- The full impact of a cyber incident is unknown
- The cause behind a cyber attack isn’t known
- Evidence proving a cyber attack took place is required
Like any forensic investigation, speed is critical, especially if an attack or compromise is ongoing. Moving quickly can help stop an active cyber incident.
An active computer, network, or device is continuously producing data that may be crucial to an investigation, even while sitting idle. Over time, the risk that this data is deleted, overwritten, or otherwise altered increases. Many forensic artifacts are highly dependent on the state of a computer in the immediate aftermath of an incident. Forensic investigators need to move quickly to ensure they capture all this information before it is lost.
Do you know the key indicators of a security compromise?
Get this cheat sheet to learn the key indicators of email, mobile device, and host or server compromises, and what to do if you've been compromised.
What is incident response?
Incident response (IR) is a set of activities a business engages in when they’re in the midst of a cyber security incident. For the purposes of IR, a cyber incident can be defined as any event that compromises information confidentiality, integrity, and/or availability—core principles of information security that are often referred to as the “CIA triad.”
IR activities will generally be informed by an IR plan that’s designed to get IT infrastructure back up and running as quickly as possible while mitigating the overall damage of an incident. These frameworks are designed to support recovery efforts, but in a broader sense, they also help organizations build cyber maturity and proficiency. This may help enhance defences, stopping attacks and incidents from affecting businesses in the first place.
Why is DFIR important in cyber security?
For businesses targeted by a cyber security attack, recovery is the top-of-mind concern—but beyond getting back up and running, it’s also important to understand the how and why behind an incident.
DFIR delivers that deeper understanding through a very comprehensive and intricate forensic process. DFIR specialists gather and inspect a wealth of information to determine who attacked them, how they got in, the exact steps attackers took to compromise their systems, and what they can do to close those security gaps.
This information is also frequently used to help build a legal case against the identified attackers. The information is gathered using the digital forensic process, which helps investigators uncover and preserve digital evidence.
What is the digital forensic process?
The digital forensic process is the accepted method investigators follow to gather and preserve digital evidence, with the express intent of maintaining a chain of custody. It consists of three key steps:
- Acquisition: In this step, investigators create an exact duplicate of the media in question, usually using a hard drive duplicator or specialized software tools. The original media is secured to prevent any tampering.
- Analysis: Forensic specialists then analyze the duplicated files or technology, logging all the evidence they discover that supports or contradicts a hypothesis. Ongoing analysis is conducted to reconstruct events and actions in an incident, helping them reach conclusions about what happened and how hackers compromised systems.
- Reporting: Once a digital forensics investigation is completed, the findings and conclusions analysts uncovered are delivered in a report that non-technical personnel can understand. These reports are passed on to those who commissioned the investigation, and usually wind up in the hands of law enforcement.
What types of digital forensics data do analysts collect?
During the acquisition phase of the digital forensic process, analysts look for a variety of forensics data to help them in their investigation:
- Disk images — Generally speaking, a disk image refers to a copy made of a digital storage device. Disk images are bit-for-bit copies of devices, usually of hard disks or hard drives. Sometimes, images may be taken of a USB drive or other type of storage medium.
- Memory images — A computer’s RAM can be recorded by special software, similar to a disk image. Memory images are vital because some advanced techniques or threat actors are undetectable on-disk.
- Application data — If a disk or memory image is unavailable or not relevant, investigators will turn to application data. This includes host logs, network device logs, and software-specific logs.
What is the chain of custody?
According to the National Institute of Standards and Technology (NIST), the chain of custody is a “process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for any transfers.”
Basically, the chain of custody is documentation that proves that the evidence used to prosecute a cyber crime is, in fact, legitimate evidence and was not placed fraudulently or edited for malicious purposes.
Why is digital evidence important?
Think of every police procedural story you’ve read or seen on TV. Detectives catch the bad guys by uncovering and documenting evidence that helps them recreate the exact circumstances surrounding a crime. Digital evidence is no different: it comprises significant information transmitted or stored on a digital device during a crime.
Broadly speaking, digital evidence should meet five key criteria:
- It is admissible in court
- It is authentic
- It is complete
- It is reliable
- It is believable
DFIR investigators will gather this information and store it safely to prevent contamination in order to ensure it remains admissible in court. But it’s not the only sort of evidence they collect; investigators may also assess and document:
- Analogical evidence — comparable incidents or events that may be relevant to understanding the case in question.
- Anecdotal evidence — stories and accounts from other parties that may support theory when analyzing a situation. Anecdotal evidence is not admissible in court but can nonetheless be useful during an investigation.
- Circumstantial evidence — a type of indirect evidence that makes inferences based on a series of facts, typically to draw conclusions in connection with a crime. This may also be understood as a hypothesis based on known facts, and may also be useful during an investigation.
- Character evidence — this includes individual expert testimony that may help prove intent, motive, and opportunity. It could also include expert testimony about an attack.
How do you store digital evidence?
In theory, gathering digital evidence should be as simple as pulling out a hard drive infected with ransomware. In practice, it’s not quite so simple.
Some types of digital evidence are deemed volatile, or non-persistent, because the data is only accessible when that device is plugged in or connected to power. Non-volatile or persistent digital evidence, meanwhile, is stored permanently in memory. This may include read-only memory, data in flash memory, or even data on a CD-ROM or other disc. In many cases, investigators cannot and will not power down affected technology in order to preserve digital evidence.
Because of these challenges, DFIR investigators will typically start by duplicating a hard drive via drive imaging, a process that creates a bit-to-bit perfect duplicate of a drive affected by an attack. As a rule, investigators will operate exclusively on this duplicate drive when conducting an investigation. This allows them to explore and test hypotheses on the drive without impacting the actual evidence.
The imaging process will also generate cryptographic hash values, which are used to further verify the authenticity of a drive image. Wherever possible, evidence gathered will be stored in a secure location where it can be preserved and accessed for reference later, with added physical security to ensure no item can be compromised.
What experience and skills are necessary for DFIR?
As touched on above, DFIR is a multidisciplinary field that combines soft skills with specialized technical knowledge. DFIR team members will generally have a unique mix of skills, traits, and experience they bring to bear in their role. By no means a complete list, those skills and experience may include:
- File system forensics — understanding how to apply digital forensics basics via software agents to analyze machines on a file system, including remote devices.
- Memory forensics — being able to analyze volatile forms of evidence like system memory for signs of compromise is extremely useful, especially for certain malware strains that aren’t detectable on disk.
- Network forensics — did an infection begin as a malicious email or link? Understanding how to analyze network activity remains a highly useful skill in the digital forensics world.
- Malware triage — reverse-engineering malware can help DFIR teams identify particular strains and better address the damage these attacks cause.
- Log analysis — log analysis is frequently automated to save time but remains a highly valuable skill for detecting abnormal activity on a system.
- Software development — technology is always changing at a rapid pace; having a solid understanding of software development can help DFIR teams better understand what they’re protecting. Being able to code and script can be a game-changing skill.
- Communication — good communication is a vital component of incident response, whether it’s with team members, affected organizations, or management.
- Teamwork — DFIR teams are never working alone. Incident response is a high-stress situation that requires team members to understand how to delegate tasks to each other and coordinate their efforts in service of a common goal.
- Analytical thinking — being able to gather information, challenge your own assumptions, and test theories can help teams reach better conclusions. It’s a challenging soft skill to build, but immensely valuable for DFIR.
This is a long list of skills and areas of expertise, and organizations may be hard-pressed to find qualified individuals with relevant experience that will also be a good fit for your business. Many organizations are turning to external consultants or third-party providers to handle their digital forensics and incident response needs.
Getting started with DFIR
Our team of experienced cyber security experts can work with you to help you build your capabilities and ensure your organization can recover in the event of an attack—while making sure you’re able to track down who targeted you.
Interested in taking the first step? Check out our Incident Response Planning page to learn more about how Field Effect can help you prepare for and conduct DFIR investigations.