Chapter 37 Key Takeaways: Incident Response and Digital Forensics

Core Concepts

  1. Structured frameworks save lives. NIST SP 800-61 (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity) and SANS PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) are proven incident response frameworks. Preparation is the most important phase: build capability, write playbooks, run tabletop and technical exercises, and establish communication channels (including out-of-band ones the attacker cannot read) before incidents occur.

  2. Collect volatile evidence first. The order of volatility (RFC 3227) dictates collection priority: CPU registers and cache; then RAM, which holds the process table, network connections, ARP and routing caches, and kernel state; then temporary file systems; then disk; then remote logs and monitoring data; then archival and external media. Capture memory before any containment action (network isolation, killing processes, rebooting) that would change system state, and record exactly which acquisition tool you ran and when, because the tool itself alters memory.

  3. Chain of custody is non-negotiable. Document who handled evidence, when, and what they did with it, starting at the moment of collection. Use write blockers (hardware where possible) for disk imaging. Hash every image at acquisition (SHA-256) and re-hash every working copy before analysis so you can prove nothing changed in between. Without a documented chain of custody, evidence may be inadmissible in legal proceedings.

  4. Memory forensics reveals what disk forensics cannot. Running processes, network connections, injected code, encryption keys, and credentials exist only in volatile memory. Volatility 3 is the essential tool for extracting and analyzing these artifacts. Use windows.malfind to find injected code (private executable regions with no backing file), and compare windows.pslist (which walks the kernel's linked list of processes) with windows.psscan (which carves process structures out of physical memory) to find processes unlinked from that list. psscan also returns terminated processes, so check ExitTime before calling anything hidden.

  5. Windows generates extraordinary forensic artifacts. Prefetch proves program execution, with run count and last-run times (when enabled; it is off by default on Windows Server). Amcache records SHA-1 hashes of executables. ShellBags record folder browsing, including folders that have since been deleted. Event logs capture authentication (4624/4625), process creation (4688, only if auditing is enabled), and service installation (7045). Registry hives store persistence mechanisms (Run keys, services) and user activity (UserAssist, RecentDocs). Know where to find each artifact, what it proves, and what it cannot prove.

  6. Timeline analysis tells the story. Correlating artifacts from memory, disk, network, and logs into a single chronological timeline is the most powerful forensic technique. Use Plaso/log2timeline to build super timelines (keep every source in UTC and note any clock skew between hosts), then pivot around known-bad events to trace the attack from initial access through persistence and lateral movement to exfiltration.

  7. Network forensics provides the communication picture. Wireshark for packet-level analysis, Zeek for structured connection, DNS, and HTTP logs, and SIEM platforms for correlation at scale. Look for C2 beaconing (regular intervals, consistent sizes), DNS tunneling (long or high-entropy subdomains, unusual record types and query volumes), lateral movement traffic (SMB, RDP, WinRM between workstations), and data exfiltration (large outbound transfers to destinations never seen before).

  8. Malware analysis answers critical questions. Static analysis (strings, PE headers and imports, hashes, YARA) gives quick triage without executing anything. Dynamic analysis (sandbox execution) reveals behavior: files dropped, registry changes, network destinations. Both feed IOC development and attribution. Always analyze malware in isolated environments with no route to production and no shared credentials.
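The pslist/psscan comparison from takeaway 4, as an added example (not code from the chapter): it joins the two plugins' rows on (PID, CreateTime) rather than PID alone, because PIDs get reused, and uses ExitTime to separate a genuinely unlinked process from one that merely exited. The input format follows the JSON rows that `vol -r json -f mem.raw windows.pslist` and `windows.psscan` print; the rows below are constructed for this example, including a hypothetical hidden svchost.exe, an exited notepad.exe, and a reused PID.

```python
"""Cross-check Volatility 3 windows.pslist against windows.psscan.

pslist walks the kernel's EPROCESS linked list, which a rootkit can unlink a
process from (DKOM). psscan carves EPROCESS structures out of physical memory
by pool tag, so an unlinked process still shows up there. psscan also finds
processes that have already exited, so ExitTime separates "hidden" from
"terminated". Rows are joined on (PID, CreateTime), not PID alone, because
PIDs are reused; Offset cannot be the key because pslist reports virtual
offsets and psscan physical ones.

Input is the list of row dicts that `vol -r json -f mem.raw windows.pslist`
(and windows.psscan) prints. The rows below are constructed for this example.
"""
import json

# Constructed: what the two plugins might report for the same image.
PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "CreateTime": "2024-03-05T09:41:12+00:00", "ExitTime": None},
    {"PID": 612,  "PPID": 4,    "ImageFileName": "smss.exe",     "CreateTime": "2024-03-05T09:41:13+00:00", "ExitTime": None},
    {"PID": 3208, "PPID": 3100, "ImageFileName": "explorer.exe", "CreateTime": "2024-03-05T09:42:40+00:00", "ExitTime": None},
    {"PID": 4412, "PPID": 3208, "ImageFileName": "cmd.exe",      "CreateTime": "2024-03-05T11:03:51+00:00", "ExitTime": None},
])

PSSCAN_JSON = json.dumps([
    # everything pslist saw ...
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "CreateTime": "2024-03-05T09:41:12+00:00", "ExitTime": None},
    {"PID": 612,  "PPID": 4,    "ImageFileName": "smss.exe",     "CreateTime": "2024-03-05T09:41:13+00:00", "ExitTime": None},
    {"PID": 3208, "PPID": 3100, "ImageFileName": "explorer.exe", "CreateTime": "2024-03-05T09:42:40+00:00", "ExitTime": None},
    {"PID": 4412, "PPID": 3208, "ImageFileName": "cmd.exe",      "CreateTime": "2024-03-05T11:03:51+00:00", "ExitTime": None},
    # ... a process unlinked from the active list (still running: no ExitTime),
    {"PID": 2880, "PPID": 612,  "ImageFileName": "svchost.exe",  "CreateTime": "2024-03-05T10:15:07+00:00", "ExitTime": None},
    # a process that simply exited but whose EPROCESS is still in memory,
    {"PID": 5120, "PPID": 3208, "ImageFileName": "notepad.exe",  "CreateTime": "2024-03-05T10:30:00+00:00", "ExitTime": "2024-03-05T10:31:44+00:00"},
    # and an earlier cmd.exe whose PID 4412 was reused by the live one above.
    {"PID": 4412, "PPID": 3208, "ImageFileName": "cmd.exe",      "CreateTime": "2024-03-05T09:50:02+00:00", "ExitTime": "2024-03-05T09:55:19+00:00"},
])


def load_rows(text):
    """Parse the JSON array of row dicts written by Volatility 3's json renderer."""
    return json.loads(text)


def _key(row):
    return (row["PID"], row["CreateTime"])


def _has_exited(row):
    # The json renderer emits null for an absent ExitTime; tolerate the text
    # renderers' "N/A" as well.
    return row.get("ExitTime") not in (None, "", "N/A")


def find_unlisted(pslist_rows, psscan_rows):
    """Return (hidden, exited): psscan rows with no pslist match, split on ExitTime."""
    listed = {_key(r) for r in pslist_rows}
    hidden, exited = [], []
    for row in psscan_rows:
        if _key(row) in listed:
            continue
        (exited if _has_exited(row) else hidden).append(row)
    return hidden, exited


def hidden_pids(pslist_text=PSLIST_JSON, psscan_text=PSSCAN_JSON):
    """PIDs present in psscan, absent from pslist, and not marked as exited."""
    hidden, _ = find_unlisted(load_rows(pslist_text), load_rows(psscan_text))
    return [r["PID"] for r in hidden]


if __name__ == "__main__":
    hidden, exited = find_unlisted(load_rows(PSLIST_JSON), load_rows(PSSCAN_JSON))
    for r in hidden:
        print(f"HIDDEN  pid={r['PID']:<6} ppid={r['PPID']:<6} {r['ImageFileName']:<14} created {r['CreateTime']}")
    for r in exited:
        print(f"exited  pid={r['PID']:<6} {r['ImageFileName']:<14} exited  {r['ExitTime']}")
```

On the constructed data only PID 2880 is reported as hidden; notepad.exe and the older cmd.exe land in the exited bucket. Had the join been on PID alone, the reused PID 4412 would have been silently absorbed by the live cmd.exe. A hit from this check is a lead, not a verdict: confirm it with windows.psxview-style cross-references (threads, handles, csrss lists) and dump the process with windows.dumpfiles or windows.memmap before drawing conclusions.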

Practical Skills

  • Capture memory images with WinPmem (Windows) and LiME (Linux)
  • Analyze memory with Volatility 3 (windows.pslist, windows.psscan, windows.netscan, windows.malfind, windows.cmdline, windows.registry.*)
  • Collect triage artifacts with KAPE
  • Parse Windows artifacts with Eric Zimmerman's tools (PECmd, AmcacheParser, SBECmd, MFTECmd)
  • Build forensic timelines with Plaso/log2timeline
  • Analyze network captures with Wireshark and Zeek
  • Write and use YARA rules for malware detection
  • Conduct basic static and dynamic malware analysis
  • Create incident response playbooks for common incident types
  • Document chain of custody for forensic evidence
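The beacon-hunting step listed under network analysis (and takeaway 7), as an added example that is not part of the chapter: it parses Zeek's TSV conn.log using the #fields header, groups connections by originator, responder, and responder port, and flags pairs whose inter-connection gaps have a low coefficient of variation (stdev/mean) over enough samples. The conn.log embedded below is constructed: a hypothetical host 10.0.0.15 checks in to 203.0.113.7:443 roughly every 60 seconds with small jitter, while 10.0.0.20 browses 198.51.100.3 at irregular intervals.

```python
"""Flag periodic (beacon-like) connections in a Zeek conn.log.

Groups connections by (originator, responder, responder port), computes the
gaps between successive connection start times, and reports pairs whose gaps
are tightly clustered: a low coefficient of variation (stdev / mean) over
enough samples is the classic signature of an implant calling home on a timer,
even with a little jitter added. Zeek conn.log is tab separated and names its
columns in a #fields header line. The log below is constructed for this example.
"""
import statistics
from collections import defaultdict

_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]


def _row(ts, uid, orig_h, orig_p, resp_h, resp_p, orig_bytes, resp_bytes):
    return "\t".join(map(str, [ts, uid, orig_h, orig_p, resp_h, resp_p,
                               "tcp", "ssl", "0.21", orig_bytes, resp_bytes, "SF"]))


_BASE = 1709631672.0  # 2024-03-05 09:41:12 UTC, arbitrary start time
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tconn", "#fields\t" + "\t".join(_FIELDS)]
    # 10.0.0.15 -> 203.0.113.7:443 every ~60 s with +-2 s jitter (beacon)
    + [_row(_BASE + off, f"C{i}a", "10.0.0.15", 49200 + i, "203.0.113.7", 443, 512, 1024)
       for i, off in enumerate([0, 60, 121, 180, 240, 302, 361, 420])]
    # 10.0.0.20 -> 198.51.100.3:443 at irregular intervals (ordinary browsing)
    + [_row(_BASE + off, f"C{i}b", "10.0.0.20", 51000 + i, "198.51.100.3", 443, 733 * (i + 1), 5000)
       for i, off in enumerate([0, 5, 125, 128, 528, 558])]
    + ["#close\t2024-03-05-10-00-00"]
)


def parse_conn_log(text):
    """Yield one dict per connection row; '#' lines are header/footer."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log has no #fields header")
        yield dict(zip(fields, line.split("\t")))


def find_beacons(conns, min_conns=6, max_cv=0.15):
    """Return (orig_h, resp_h, resp_p) pairs whose connection timing is regular.

    min_conns guards against calling two or three coincidental connections a
    beacon; max_cv is the jitter tolerance (0.15 = stdev within 15% of the mean).
    """
    starts = defaultdict(list)
    for c in conns:
        starts[(c["id.orig_h"], c["id.resp_h"], c["id.resp_p"])].append(float(c["ts"]))
    results = []
    for (orig_h, resp_h, resp_p), ts in starts.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            results.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
                            "connections": len(ts), "mean_interval": round(mean, 2),
                            "cv": round(cv, 3)})
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{hit['orig_h']} -> {hit['resp_h']}:{hit['resp_p']}  "
              f"n={hit['connections']} every {hit['mean_interval']}s (cv={hit['cv']})")
```

On the constructed log only the 10.0.0.15 pair is reported (mean gap 60 s, cv about 0.02); the browsing host's gaps of 5 to 400 seconds give a cv above 1 and are ignored. Implants configured with large jitter push the cv above this threshold, so in practice pair timing analysis with payload-size consistency and long-tail "new external destination" reviews rather than relying on one signal.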

Common Mistakes to Avoid

  • Modifying evidence before creating forensic copies
  • Powering off a system before capturing memory (destroying volatile evidence)
  • Isolating a host from the network before capturing its memory and active connections
  • Failing to document chain of custody from the moment evidence is collected
  • Analyzing original evidence instead of forensic copies
  • Rebuilding compromised systems without determining root cause
  • Restoring from backups without verifying they pre-date the compromise
  • Neglecting post-incident lessons learned and process improvement
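The acquisition discipline behind the first, fourth, and fifth mistakes above (and takeaway 3), as an added example that is not part of the chapter: the source is opened read-only and copied in one pass while being hashed, the finished image is re-read and hashed independently, and every action is appended as a JSON line to a chain-of-custody log so a later verification can be checked against the acquisition record. Real acquisitions use dd/dc3dd or FTK Imager behind a write blocker; this reproduces only the verification and record-keeping logic on an ordinary file standing in for the device. The examiner name "j.doe", case id "IR-0001", and file contents are constructed.

```python
"""Hash-verified evidence acquisition with a chain-of-custody log.

acquire(): stream the source to an image, hashing the bytes as they are read,
then re-hash the written image and refuse to record success if the digests
differ. verify(): re-hash the image later and compare with the digest in the
acquisition record, logging the result either way. The custody log is
append-only JSON lines: who, when, what, which hash.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-TB images


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _record(log_path, **fields):
    """Append one custody entry (UTC timestamp plus the given fields)."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"), **fields}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def acquire(source, image, log_path, examiner, case_id):
    """Image `source` to `image`, verify the copy, and write the custody record."""
    digest = hashlib.sha256()
    size = 0
    # "rb": never open the source for writing. "xb": never overwrite an image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            digest.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    source_hash = digest.hexdigest()
    image_hash = sha256_file(image)  # independent re-read of what hit disk
    if image_hash != source_hash:
        _record(log_path, case_id=case_id, examiner=examiner, action="acquire-failed",
                source=source, image=image, source_sha256=source_hash, image_sha256=image_hash)
        raise RuntimeError("image hash does not match source hash; do not use this image")
    return _record(log_path, case_id=case_id, examiner=examiner, action="acquire",
                   source=source, image=image, bytes=size, sha256=image_hash)


def verify(image, log_path, examiner, case_id):
    """Re-hash `image` against its acquisition record; log and return the result."""
    recorded = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry.get("action") == "acquire" and entry.get("image") == image:
                recorded = entry["sha256"]
    if recorded is None:
        raise LookupError(f"no acquisition record for {image}")
    current = sha256_file(image)
    ok = current == recorded
    _record(log_path, case_id=case_id, examiner=examiner, action="verify",
            image=image, sha256=current, result="match" if ok else "MISMATCH")
    return ok


def demo(workdir=None):
    """Constructed run: a small file stands in for a block device."""
    workdir = workdir or tempfile.mkdtemp(prefix="ir-custody-")
    source = os.path.join(workdir, "sdb.bin")
    image = os.path.join(workdir, "sdb.E01.raw")
    log_path = os.path.join(workdir, "custody.jsonl")
    data = b"MBR\x55\xaa" + bytes(range(256)) * 64  # constructed "device" contents
    with open(source, "wb") as f:
        f.write(data)
    record = acquire(source, image, log_path, examiner="j.doe", case_id="IR-0001")
    verify_before = verify(image, log_path, "j.doe", "IR-0001")
    with open(image, "ab") as f:  # simulate an accidental write to the image
        f.write(b"\x00")
    verify_after = verify(image, log_path, "j.doe", "IR-0001")
    return {"record": record,
            "record_matches_source": record["sha256"] == hashlib.sha256(data).hexdigest(),
            "verify_before": verify_before, "verify_after": verify_after}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["record"], indent=1))
    print("verify before tamper:", result["verify_before"], "after:", result["verify_after"])
```

The point of the second verify() call is the one this list warns about: one stray byte written to the image (or to the original) breaks the hash, and the custody log then carries the mismatch record as well as the acquisition record, so the break is visible rather than silently analyzed past. Work from a second verified copy and keep the acquisition image untouched.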

Key Tools and Frameworks

  • Volatility 3: Memory forensics framework
  • KAPE: Rapid triage artifact collection
  • Autopsy/Sleuth Kit: Disk forensic analysis
  • Eric Zimmerman's Tools: Windows artifact parsing
  • Plaso/log2timeline: Super timeline generation
  • Wireshark/Zeek: Network forensics
  • YARA: Malware pattern matching
  • NIST SP 800-61 / SANS PICERL: Incident response frameworks
  • Velociraptor: Endpoint forensics at scale