Incident Response & Digital Forensics (IRDF)

A generic workflow for IRDF

For a more in-depth understanding of Incident Response & Digital Forensics workflows, tools, and techniques, review the Core SOC resources on the Black Hills InfoSec Discord and the log review checklist from Zeltser.

John Strand's Core SOC Skills: https://discord.com/channels/861923838911578143/1400880029151531210

Follow-on Log Review: https://zeltser.com/security-incident-log-review-checklist/

  1. Data Collection

    • Dump memory (tactical, not continuous)

    • Logs collection

  2. Pattern Identification

    • Find patterns in the collected data

  3. Profile Creation

    • Build a profile based on the identified patterns

  4. Focus on Key Indicators

    • High beacon volume between IPs

    • Data size

  5. In-depth Analysis

    • Focus on a field of interest

    • Process analysis:

      • Process Tree

        • Who begat whom? (PID and Parent PID)

      • Command Line

        • Analyze command line arguments

      • Parent Process

        • Identify parent process information

    • Network connection analysis:

      • Established Connection

      • Closed Connection

      • SYN_SENT (connection closed and being re-established)

      • Beacon

        • Identify beacon activity

  6. Tuning Opportunities

    • No false positives, only tuning opportunities for improvement
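As an added example that is not part of these notes, the following Python works through steps 2 to 5 on constructed data: it walks the PID/Parent PID chain for one process, builds one profile per source/destination pair (connection count, bytes, interval regularity), and flags the pairs whose volume and regularity look like a beacon. The sample records, the threshold values and the jitter measure are assumptions, not anything from the notes.

```python
# Added example (not from the original notes). All records below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed process records: (pid, ppid, name, command line)
PROCESSES = [
    (1, 0, "init", "/sbin/init"),
    (900, 1, "sshd", "/usr/sbin/sshd -D"),
    (1200, 900, "bash", "-bash"),
    (1350, 1200, "curl", "curl -s http://203.0.113.10/health"),
]

# Constructed connection records: (epoch seconds, src, dst, bytes sent).
# One pair connects roughly every 60 s with small jitter; the other is irregular.
CONNECTIONS = [(60 * i + (i % 3), "10.0.0.5", "203.0.113.10", 412) for i in range(12)]
CONNECTIONS += [(35, "10.0.0.5", "198.51.100.7", 5200),
                (310, "10.0.0.5", "198.51.100.7", 48000)]


def ancestry(procs, pid):
    """Step 5, process tree: follow PID -> Parent PID to answer 'who begat whom'."""
    by_pid = {p[0]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid][1]
    return [(p[2], p[3]) for p in chain]  # (name, command line), leaf first


def profile_pairs(conns):
    """Steps 2-3: one profile per src->dst pair: count, bytes, mean interval, jitter."""
    times, total = defaultdict(list), defaultdict(int)
    for ts, src, dst, size in conns:
        times[(src, dst)].append(ts)
        total[(src, dst)] += size
    profiles = {}
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps) if gaps else 0.0
        # Jitter = stdev of the gaps relative to their mean; too few gaps counts as irregular.
        jitter = pstdev(gaps) / avg if len(gaps) > 1 and avg else 1.0
        profiles[pair] = {"count": len(ts), "bytes": total[pair],
                          "interval": avg, "jitter": jitter}
    return profiles


def find_beacons(conns, min_count=8, max_jitter=0.1):
    """Step 4: key indicator, high-volume pairs with regular enough timing to be a beacon."""
    return sorted(pair for pair, p in profile_pairs(conns).items()
                  if p["count"] >= min_count and p["jitter"] <= max_jitter)
```

The flagged pair is the starting point for the step 5 deep dive (which process owns the socket, what its command line and parent look like), not a verdict on its own.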
