Incident Response & Digital Forensics (IRDF)

  1. Data Collection

    • Dump memory (tactical, not continuous)

    • Log collection

  2. Pattern Identification

    • Find patterns in the collected data

  3. Profile Creation

    • Build a profile based on the identified patterns

  4. Focus on Key Indicators

    • High beacon volume between IPs

    • Data size

  5. In-depth Analysis

    • Focus on a field of interest

    • Process analysis:

      • Process Tree

        • Who begat whom? (PID and Parent PID)

      • Command Line

        • Analyze command line arguments

      • Parent Process

        • Identify parent process information

    • Network connection analysis:

      • Established Connection

      • Closed Connection

      • SYN_SENT (closed and re-established connection)

      • Beacon

        • Identify beacon activity

  6. Tuning Opportunities

    • No false positives, only tuning opportunities for improvement
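As an added example (not part of these notes), the process-tree walk from step 5 (PID to Parent PID) and the key indicators from step 4 (connection volume between IP pairs, data size, SYN_SENT re-establishment, beacon timing) applied to constructed process and flow records; every name, address and threshold below is an assumption made for the demonstration:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not from a real incident): process and flow records.
PROCESSES = [
    {"pid": 4, "ppid": 0, "name": "System"},
    {"pid": 1200, "ppid": 4, "name": "explorer.exe"},
    {"pid": 3300, "ppid": 1200, "name": "WINWORD.EXE"},
    {"pid": 3412, "ppid": 3300, "name": "powershell.exe"},
]
# (ts_s, pid, src_ip, dst_ip, bytes, state); 203.0.113.10 (TEST-NET-3) is the constructed beacon destination.
FLOWS = [
    (0, 3412, "10.0.0.5", "203.0.113.10", 512, "ESTABLISHED"),
    (61, 3412, "10.0.0.5", "203.0.113.10", 498, "CLOSED"),
    (119, 3412, "10.0.0.5", "203.0.113.10", 520, "SYN_SENT"),
    (181, 3412, "10.0.0.5", "203.0.113.10", 505, "ESTABLISHED"),
    (240, 3412, "10.0.0.5", "203.0.113.10", 511, "SYN_SENT"),
    (5, 1200, "10.0.0.5", "10.0.0.20", 40960, "ESTABLISHED"),
    (30, 1200, "10.0.0.5", "10.0.0.20", 1200, "CLOSED"),
    (400, 1200, "10.0.0.5", "10.0.0.20", 88000, "ESTABLISHED"),
    (405, 1200, "10.0.0.5", "10.0.0.20", 300, "CLOSED"),
]

def process_chain(pid, procs=PROCESSES):
    """Walk PID -> PPID links and return the ancestry from root to pid ("who begat whom")."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def beacon_candidates(flows=FLOWS, min_count=4, max_jitter=0.2):
    """Per (src, dst) pair: connection count, bytes, SYN_SENT retries and timing regularity.
    'regular' means the gaps between connections barely vary (machine-like, unlike a user)."""
    by_pair = defaultdict(list)
    for ts, pid, src, dst, nbytes, state in flows:
        by_pair[(src, dst)].append((ts, pid, nbytes, state))
    report = {}
    for pair, recs in by_pair.items():
        if len(recs) < max(min_count, 2):
            continue  # too few connections to judge timing
        times = sorted(r[0] for r in recs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) else 1.0
        report[pair] = {"count": len(recs), "bytes": sum(r[2] for r in recs),
                        "syn_sent": sum(r[3] == "SYN_SENT" for r in recs),
                        "mean_gap_s": round(mean(gaps), 1), "jitter": round(jitter, 3),
                        "regular": jitter <= max_jitter, "pids": sorted({r[1] for r in recs})}
    return report
```

A pair flagged `regular` is a tuning opportunity, not a verdict: follow its `pids` back through `process_chain` (here an Office document spawning PowerShell) before deciding whether the interval is a legitimate scheduled task or a beacon.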
