# Incident Response & Digital Forensics (IRDF)

For a more in-depth understanding of Incident Response & Digital Forensics workflows, tools, and techniques, review the Core SOC resources on the Black Hills InfoSec Discord and the log review checklist from Zeltser.

**John Strand's Core SOC Skills:** [**https://discord.com/channels/861923838911578143/1400880029151531210**](https://discord.com/channels/861923838911578143/1400880029151531210)

**Follow-on Log Review:** [**https://zeltser.com/security-incident-log-review-checklist/**](https://zeltser.com/security-incident-log-review-checklist/)

1. **Data Collection**
   * Dump memory (tactical, not continuous)
   * Logs collection
2. **Pattern Identification**
   * Find patterns in the collected data
3. **Profile Creation**
   * Build a profile based on the identified patterns
4. **Focus on Key Indicators**
   * High beacon volume between IPs
   * Data size
5. **In-depth Analysis**
   * Focus on a field of interest
   * Process analysis:
     * **Process Tree**
       * Who begat whom? (PID and Parent PID)
     * **Command Line**
       * Analyze command line arguments
     * **Parent Process**
       * Identify parent process information
   * Network connection analysis:
     * **Established Connection**
     * **Closed Connection**
     * **SYN\_SENT** (connections being closed and re-established)
     * **Beacon**
       * Identify beacon activity
6. **Tuning Opportunities**
   * No false positives, only tuning opportunities for improvement
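As an added example (not part of the original notes, and not tooling from BHIS or Zeltser), the following Python script walks steps 2 through 5 over constructed process and network events: it builds the process tree and walks PIDs back through their parents, flags command-line markers, summarises connection states including repeated SYN_SENT to one destination, and scores regular-interval connections as beacon candidates together with their outbound data size. The event tuples, PIDs, IP addresses and the `CMDLINE_MARKERS` list are constructed assumptions for illustration only.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed process events (not real telemetry): (pid, ppid, image, command_line)
PROCESSES = [
    (4, 0, "System", ""),
    (612, 4, "services.exe", "services.exe"),
    (1180, 612, "svchost.exe", "svchost.exe -k netsvcs"),
    (3208, 1180, "explorer.exe", "explorer.exe"),
    (4416, 3208, "WINWORD.EXE", 'WINWORD.EXE /n "invoice.docx"'),
    (4520, 4416, "powershell.exe", "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"),
    (4688, 4520, "rundll32.exe", "rundll32.exe C:\\Users\\Public\\x.dll,Run"),
]

# Constructed network events: (ts_seconds, pid, dst_ip, dst_port, state, bytes_out)
NET_EVENTS = [
    # pid 4688: a new connection every ~60 s to the same host, one large upload at the end
    (0, 4688, "203.0.113.10", 443, "ESTABLISHED", 512),
    (60, 4688, "203.0.113.10", 443, "ESTABLISHED", 512),
    (121, 4688, "203.0.113.10", 443, "ESTABLISHED", 512),
    (180, 4688, "203.0.113.10", 443, "ESTABLISHED", 512),
    (242, 4688, "203.0.113.10", 443, "ESTABLISHED", 512),
    (300, 4688, "203.0.113.10", 443, "ESTABLISHED", 40960),
    (301, 4688, "203.0.113.10", 443, "CLOSED", 0),
    # pid 4688: repeated SYN_SENT to a second host (connection closed and re-attempted)
    (10, 4688, "203.0.113.11", 8443, "SYN_SENT", 0),
    (13, 4688, "203.0.113.11", 8443, "SYN_SENT", 0),
    (16, 4688, "203.0.113.11", 8443, "SYN_SENT", 0),
    # pid 1180: four connections at irregular intervals (benign-looking)
    (5, 1180, "192.0.2.5", 443, "ESTABLISHED", 1200),
    (42, 1180, "192.0.2.5", 443, "ESTABLISHED", 900),
    (162, 1180, "192.0.2.5", 443, "ESTABLISHED", 3100),
    (662, 1180, "192.0.2.5", 443, "ESTABLISHED", 700),
]

# Constructed list of command-line markers worth a second look (assumption, not a standard)
CMDLINE_MARKERS = ("-enc", "-w hidden", "-nop", "users\\public")


def build_tree(processes):
    """Step 5, process tree: map each PID to the PIDs it spawned."""
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)
    return dict(children)


def ancestry(processes, pid):
    """Who begat whom: walk PPIDs from the process of interest up to the root."""
    by_pid = {p: (pp, image) for p, pp, image, _ in processes}
    chain = []
    while pid in by_pid:
        ppid, image = by_pid[pid]
        chain.append((pid, image))
        pid = ppid
    return chain


def flagged_cmdlines(processes):
    """Step 5, command line: PIDs whose arguments contain one of the markers."""
    return [pid for pid, _, _, cmd in processes
            if any(m in cmd.lower() for m in CMDLINE_MARKERS)]


def state_summary(events):
    """Connection states per (pid, dst_ip, dst_port). Several SYN_SENT entries
    for one destination mean the connection is being closed and re-established."""
    counts = defaultdict(Counter)
    for _, pid, ip, port, state, _ in events:
        counts[(pid, ip, port)][state] += 1
    return dict(counts)


def beacon_candidates(events, min_connections=4, max_jitter=0.2):
    """Steps 4 and 5, beacon: flag (pid, dst) pairs with many new connections at
    near-constant intervals (std dev of the gaps / mean gap <= max_jitter) and
    report total bytes out, the 'data size' key indicator."""
    starts, bytes_out = defaultdict(list), Counter()
    for ts, pid, ip, port, state, nbytes in events:
        bytes_out[(pid, ip, port)] += nbytes
        if state == "ESTABLISHED":
            starts[(pid, ip, port)].append(ts)
    result = {}
    for key, stamps in starts.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            result[key] = {"connections": len(stamps), "mean_interval": avg,
                           "jitter": round(jitter, 3), "bytes_out": bytes_out[key]}
    return result


def triage(processes, events):
    """Steps 2-5 together: profile the owning process of every beacon candidate."""
    flagged = set(flagged_cmdlines(processes))
    cmd_by_pid = {p: cmd for p, _, _, cmd in processes}
    report = {}
    for (pid, ip, port), stats in beacon_candidates(events).items():
        chain = ancestry(processes, pid)
        report[(pid, ip, port)] = {
            **stats,
            "chain": " <- ".join(f"{img}({p})" for p, img in chain),
            "flagged_ancestors": [p for p, _ in chain if p in flagged],
            "command_line": cmd_by_pid.get(pid, ""),
        }
    return report


if __name__ == "__main__":
    for key, info in triage(PROCESSES, NET_EVENTS).items():
        print(key, info)
    print(state_summary(NET_EVENTS)[(4688, "203.0.113.11", 8443)])
```

The jitter threshold is the tuning knob from step 6: a real beacon with randomised sleep will raise it, and a legitimate updater with a fixed schedule will look just like a beacon until its parent chain and command line are examined, which is why `triage` joins the network view to the process tree rather than alerting on timing alone.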
