Basic Digital Forensics Process

I shared this on LinkedIn yesterday, 22 April 2024, but here I can provide a little more context. Before doing this work, it helps if you have followed the NIST Computer Security Incident Handling Guide (SP 800-61), available from: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

If you can, getting prepared with your team by having processes already in place, tools that you know how to use and dedicated hardware that is not connected to the rest of your network is ideal. The incident responders may or may not be responsible for incident prevention, but they must know how to use their tools.

Here’s a breakdown of the process:

  1. Preserve evidence.
    • Leave everything as it is on the host. Once you know there’s a problem, collect the evidence as soon as you can. Logs can be overwritten over time or as they fill up. Which logs? If you’re on Windows, start with everything here:
      • C:\Windows\System32\winevt\Logs (For Windows XP C:\WINDOWS\system32\config)
  2. Collect evidence
    • Know what tools you’re going to use, and how to use them. It is more efficient to capture a few items for analysis than to take a full copy of the hard drive. Using FTK Imager you can create a custom content image (details are on this blog already).
    • A custom content image is a container (E01) that holds multiple pieces of evidence as files. An example is the collection of the Windows event log directory and everything in it, the NTUSER.dat file (the user’s profile hive on Windows), the main user’s Outlook .PST local mailbox and their internet history, such as the Firefox SQLite browser history file ‘places.sqlite’.
    • A memory capture is presented as a ‘.mem’ file and is stored inside an AD1 container when captured with FTK Imager. FTK Imager has been reported to make some modifications to memory during capture, as most tools do, but for this purpose it will yield what you want.
  3. Analyse evidence
    • If you work with live malware on an infected system, a dedicated forensic endpoint is a must. It’s outside the scope of what we’re working on here, but you could use a locked-down and hardened Windows virtual machine, a Linux virtual machine or a separate computer entirely (my preferred approach).
    • What tools can you use for analysing the Windows logs, NTUSER.dat, Outlook .pst mailbox, Firefox browser history and memory dumps? In the order they were collected above:
      • Windows event logs – EvtxECmd by Eric Zimmerman
      • NTUSER.dat – RegRipper
      • Outlook .pst – open in Outlook on the forensic workstation
      • Firefox history – MZHistoryView from NirSoft
      • Memory – Volatility
  4. Clean-up and reporting
    • As you go through the analysis, capture IOCs. This is what you will use as part of your threat hunts and reporting. CrowdStrike has a great template that is very comprehensive. You can get it here: https://www.crowdstrike.com/blog/crowdstrike-releases-digital-forensics-and-incident-response-tracker/
    • Depending on the scale of the infection, you may take the more advanced step of performing a full threat hunt across the environment before blocking individual IOCs. This is known as an eradication event. Your organisation will have its own threat model and risk matrix to determine what is appropriate. Working with your Governance team is a great idea to make sure you’re aligned.
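Step 3 above points you at MZHistoryView for the Firefox history file, and step 4 asks you to pull IOCs out of what you find. The example below is an added illustration (my own code, not the author’s or NirSoft’s) of what such a tool does underneath: it hashes the collected ‘places.sqlite’ copy so the analysed file can be tied back to the image, then opens it read-only and lists visit times, URLs and titles in UTC. It uses Firefox’s real `moz_places` and `moz_historyvisits` table names, and builds a small constructed sample database rather than reading a collected one.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Firefox stores visit_date as microseconds since the Unix epoch (PRTime).
HISTORY_QUERY = ("SELECT p.url, p.title, v.visit_date FROM moz_historyvisits AS v "
                 "JOIN moz_places AS p ON p.id = v.place_id ORDER BY v.visit_date")

def sha256_file(path):
    """Hash the collected artifact so the analysed copy can be tied back to the image."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def extract_firefox_history(places_path):
    """Return (url, title, ISO-8601 UTC visit time) tuples from a places.sqlite copy."""
    # Open read-only via a URI so analysis never writes to the evidence file.
    con = sqlite3.connect(f"file:{places_path}?mode=ro", uri=True)
    try:
        rows = con.execute(HISTORY_QUERY).fetchall()
    finally:
        con.close()
    return [(url, title,
             datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat())
            for url, title, us in rows]

def build_sample_places(path):
    """Constructed sample places.sqlite (not real evidence) using Firefox's table names."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.com/', 'Example Domain');
        INSERT INTO moz_places VALUES (2, 'https://example.net/download', 'Download');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1713744000000000);
        INSERT INTO moz_historyvisits VALUES (2, 2, 1713747600000000);
    """)
    con.commit()
    con.close()

def run_on_sample():
    """Build the sample, hash it, then parse it; returns (sha256 hex digest, history rows)."""
    path = os.path.join(tempfile.mkdtemp(), "places.sqlite")
    build_sample_places(path)
    return sha256_file(path), extract_firefox_history(path)

if __name__ == "__main__":
    print(run_on_sample())
```

On a real case, point `extract_firefox_history` at the ‘places.sqlite’ exported from your custom content image and record the digest alongside it in your IOC tracker.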
