DFIR

• Digital Forensics and Incident Response

Digital Framework and Information Response

Data Forensics and Incident Recovery

Digital Forensics and Incident Recovery

• Containment

• Preparation

• Eradication

Detection

Any physical evidence collected from a crime scene

• Any data collected from digital devices such as computers

Any testimony given in court

Any document written by hand

• It documents findings and conclusions

It identifies the goals, limitations, and boundaries of the investigation

It involves preserving digital evidence

It organizes collected data for analysis

Power off the compromised systems immediately.

Isolate and quarantine the compromised systems.

CPU registers and cache

Temporary File Systems

Remote Logging and Monitoring Data

RAM

Data Carving

Data Parsing

Data Analysis

Sigma

FTK Imager

ElasticSearch/OpenSearch

Autopsy

Detailed analysis and reporting of an entire system

Quickly assessing the scope and severity of an incident

Preserving all evidence for long-term storage

Identifying and mitigating active threats in real-time