Blue - DFIR: Digital Forensics and Incident Response

DFIR: Digital Forensics and Incident Response is a hugely important sector of cyber security, where everyday security analysis is taken to the next level. While most security analysts work out of a SIEM or SOAR platform, Incident Responders and Forensic analysts typically work directly with a potentially compromised device. Because of this, they are required not only to be familiar with a larger array of analysis tools, but also to follow a much stricter set of processes and procedures, as their actions are often subject to legal requirements (evidence handling and chain of custody).

DFIR Resource Collections

  • DFIR Compendium - The Definitive Compendium Project Digital Forensics & Incident Response

  • Training

    • DFIR Training - Tools, resources, and training classes for DFIR professionals

Incident Response

  • ATC React - The RE&CT Framework is designed for accumulating, describing and categorizing actionable Incident Response techniques. It can be used to prioritize the development of Incident Response capabilities (skills development, acquisition/deployment of technical measures, internal procedure development, etc.), as well as for gap analysis to determine the "coverage" of existing Incident Response capabilities.

  • BTFM: Incident Response checklist - pg. 109

  • BTFM: Remediation Tasks - pg. 112

  • (BTHb: INRE): Incident Response Steps - pg. 5

IR/Malware Scanners

  • Kansa (PowerShell) - A modular incident response framework in PowerShell. It uses PowerShell Remoting to run user-contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline.

  • Windows Forensic Toolchest - The Windows Forensic Toolchest™ (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system.

  • Velociraptor - A tool for collecting host-based state information.

  • Meerkat - Meerkat is a collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent.

  • Cado Community Edition (https://www.cadosecurity.com/cado-community-edition/) - The free community edition of the Cado platform uses the scale and speed of the cloud to simplify deep-dive investigations; according to the vendor, data can be processed in minutes rather than the days required by traditional methods.

DFIR Commands

  • Interact with remote machine

  • Windows System Enumeration

  • Windows Process Information

  • Windows DFIR Checks

  • Windows DFIR Check by MITRE Tactic

  • Windows Event Logs

  • Windows Remediation Commands

  • IR Event Log Cheatsheet

  • Linux DFIR Commands

  • MacOS DFIR Commands

Forensics

  • Triage and Order of Volatility

    • (BTHb: INRE): Order of Volatility - pg. 29

    • BTFM: Live Triage - pg. 60

  • bulk-extractor - bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.

  • dumpzilla - Dumpzilla is a Python 3 application whose purpose is to extract all forensically interesting information from Firefox, Iceweasel and SeaMonkey browsers so it can be analyzed.

  • regripper - RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

  • safecopy - safecopy tries to get as much data from SOURCE as possible, even resorting to device specific low level operations if applicable.

File Carving/Recovery

  • Foremost - Foremost is a console program to recover files based on their headers, footers, and internal data structures.

  • ext4magic - ext4magic can extract the information from the journal and restore files in an entire directory tree, if the information in the journal is sufficient.

  • ext3grep - ext3grep is a simple tool intended to aid anyone who accidentally deletes a file on an ext3 filesystem, only to find that they wanted it shortly thereafter.

  • extundelete - extundelete uses the information stored in the partition’s journal to attempt to recover a file that has been deleted.

  • magicrescue - Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them.

  • myrescue - myrescue is a program to rescue the still-readable data from a damaged hard disk, CD-ROM, DVD, flash drive, etc. It is similar in purpose to dd_rescue (or ddrescue), but it tries to get out of damaged areas quickly, handle the not-yet-damaged part of the disk first, and return to the damaged areas later.

  • recoverdm - recoverdm recovers disks with bad sectors. You can recover individual files as well as complete devices. When it finds sectors that simply cannot be recovered, it writes an empty sector to the output file and continues.

  • recoverjpeg - recoverjpeg tries to recover JFIF (JPEG) pictures and MOV movies from a peripheral. This may be useful if you mistakenly overwrite a partition or if a device such as a digital camera memory card is bogus.

  • rifiuti2 - Rifiuti2 analyses recycle bin files from Windows. Analysis of Windows recycle bin is usually carried out during Windows computer forensics.

  • scalpel - scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.

  • scrounge-ntfs - Scrounge NTFS is a data recovery program for NTFS filesystems. It reads each block of the hard disk and tries to rebuild the original filesystem tree into a directory.

  • undbx - UnDBX is a tool to extract, recover and undelete e-mail messages from MS Outlook Express .dbx files.

Forensic Imaging

  • FTK Imager by AccessData - Create forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual files from various places within the media.

  • DD utility - Unix disk manipulation tool

    • dc3dd - dc3dd is a patched version of GNU dd with added features for computer forensics

    • dcfldd - Enhanced version of dd for forensics and security

    • ddrescue - Data recovery and protection tool

  • X-Ways Imager - Forensic disk imaging tool. A stripped-down version of the X-Ways Forensics computer forensics software with just the disk imaging functionality and little more.

  • guymager - The forensic imager contained in this package, guymager, was designed to support different image file formats, to be most user-friendly and to run really fast.

  • Memory Forensics

USB Analysis

MacOS

  • osxcollector - A forensic evidence collection & analysis toolkit for OS X

  • automactc - This is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis. The output may provide valuable insights for incident response in a macOS environment. Automactc can be run against a live system or a dead disk (as a mounted volume).

  • Mac4n6 - Great blog on Mac OS forensics

  • mac_apt - macOS (& iOS) Artifact Parsing Tool

Malware Analysis

In incident response, phishing, or security monitoring scenarios, you will encounter potentially malicious files that require in-depth analysis to determine the nature of the file. These files can be as overt as an executable labeled "virus.exe" or as covert as "resume.doc". There will be instances where, even after all of your analysis, you still cannot verify the nature of the document; in that case it should be considered malicious until proven otherwise.

Malware Analysis Toolsets and multi-engine scanners

  • REMnux (https://remnux.org/) - REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools.

  • FLARE VM (https://github.com/fireeye/flare-vm) - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.

  • RATDecoders - Python Decoders for Common Remote Access Trojans

  • CobaltStrikeParser - Python parser for CobaltStrike Beacon's configuration

  • ThreatCheck - Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.

Resources

  • BTFM: Malware Analysis - pg. 77

  • BTFM: Identifying Malware - pg. 80

  • PTFM: Malware Analysis - pg. 149

  • BTFM: Malware Attributes Checklist - pg. 115

  • Sandboxing

Outside of sandboxing, there are a host of other tools available that can perform different types of analysis on malware. There are even a few virtual machine distributions dedicated to malware analysis, the foremost of which are FLARE VM and REMnux. These usually include sandboxing tools like Cuckoo, code analysis tools like Snyk and Ghidra, and a host of other handy options.

Remember: it is always advised to perform your malware analysis on an isolated virtual machine, in order to prevent unwanted accidents such as the sample executing on your analysis host.

  • File/Binary Analysis

Reverse Engineering

  • Reverse Engineering