DFIR Checklists

Created: 26.05.2023

Here I am collecting checklists that might be helpful when conducting an investigation.

First Response

Incident Response (SANS)

  • Preparation
    • Compile an inventory of all your assets (servers, networks, applications, etc.).
    • Rank them by importance.
    • Monitor their traffic patterns and create baselines.
    • Create a communication plan: who to contact, how, and when, for each incident type. Incident handler communications and facilities: contacts, on-call information, reporting mechanism, issue tracking, smartphones, encryption software, war room, secure storage.
    • Determine which security events should be investigated, and at what thresholds.
    • Create one incident response plan, plus a playbook for each type of incident that is most likely to happen or can inflict the most damage.
    • Create an incident response policy.
  • Identification (DF *)
    • Discover: discovery and classification (where is the sensitive data?), entitlements reporting (who can access it?), vulnerability assessment (how do we secure it?).
    • Investigate.
    • Harden: reconfigure, mask, encrypt (how do we protect the sensitive data?).
    • Monitor and protect: activity monitoring, blocking and quarantine, dynamic data masking.
    • Repeat.
  • Containment (DF *)
  • Eradication (DF *)
  • Recovery (DF *)
  • Lessons learnt (DF *)

(*) The digital forensics process can take place at any stage of the incident response process.

Digital Forensics

  • Identification/assessment (aka preparation)
    • Define the scope.
    • Sterilise the target media.
  • Collection
    • First response
      • Sanitise the target disk that the evidence will be copied to.
      • Prepare all the toolkits that will be needed.
      • Start filling out the chain of custody form; each piece of evidence is assigned a unique ID.
      • Take photos before touching anything at the scene.
      • Ensure that the Internet, Bluetooth and AirDrop are all turned off on the machine used to acquire the image (* in case of physical acquisition).
      • Connect the write blocker to the PC and the evidence drive to the write blocker (power + data cables), or launch a software write blocker on the acquisition machine (* in case of physical acquisition).
      • Calculate the hash of the evidence drive (pre-hash) and document it.
      • Image the evidence.
      • Calculate the hash of the original evidence again (re-hash), check that it matches the pre-hash and document it; a difference means the original was written to during imaging.
      • Calculate the hash of the image (post-hash) and ensure it matches the hashes taken previously.
    • Acquisition (live or dead).
      • Physical (bit-for-bit) acquisition. Mind the order of volatility (RFC 3227) and collect the most volatile data first:
        • Cache, registers (CPU). Tools: debuggers (OllyDbg, gdb, x64dbg, etc.).
        • ARP cache, routing table, memory, kernel statistics, process table. Mnemonic: ARoTa MeKSaPTa.
          • Routing tables contain: destination IP addresses or networks; the gateway IP address, or the interface name for a directly connected resource; the metric (cost) of the route, which lets the most efficient route be selected; and the outgoing interface the machine uses when forwarding a packet.
            • Windows: route print
            • UNIX: netstat -rn (on Linux also ip route)
          • ARP cache: arp -a (on Linux also ip neigh)
          • Process table: the list of currently running processes plus their metadata.
            • UNIX: ps
            • Windows: Task Manager (GUI) or tasklist /FO CSV.
          • Kernel stats. Tools: RAMMap, part of the Sysinternals suite, on Windows; /proc/meminfo and vmstat on Linux. These show page usage (physical RAM chunks) and the mappings of those pages.
        • Temporary file systems. Malware likes these locations because they are writable by everyone and already full of noise.
          • Linux /tmp
          • swap (UNIX)
          • pagefile (Windows)
        • Disk.
        • Logs. Monitoring data and remote logging pertaining to the computer in question: SIEMs and other log stores.
        • Physical configuration, network topology.
        • Archival media: CDs, backups, USB drives.
      • Logical acquisition (a backup of selected files and folders rather than a bit-for-bit image).
    • Evidence preservation
      • Copy the original; operate on the copy.
      • Calculate hashes at each stage (cloud evidence is the usual exception: there is no fixed byte stream to re-hash, so document the export process instead).
      • Use hardware or software write blockers.
      • Create as few new files as possible on the evidence system.
      • Record file timestamps (modified, accessed, created) before opening any file, since opening a file can update its access time.
    • Documentation.
  • Examination & analysis (DF *)
    • Malicious process
      • Network
      • Files
      • Processes
    • User
      • Is there malicious user activity (account takeover, insider threat)?
    • OS configs
      • Are there malicious configuration changes (services enabled, logging disabled)?
    • Hardware
      • Are there malicious hardware changes (firmware, BIOS)?
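
The pre-hash / image / re-hash / post-hash steps from the first-response list, as an added example that is not part of the original checklist. It is written against a plain file so it runs anywhere; in a real acquisition the source is the evidence device behind a write blocker (for example /dev/sdb, an assumed name) and the image goes to sterilised target media. The evidence log it writes is a timestamped record of each hash and of the dd run, not a substitute for the chain of custody form.

```shell
#!/bin/sh
# Added example (not from the original checklist): hash the evidence before
# imaging, image it, re-hash the original, then hash the image and compare.
# SRC would be the write-blocked evidence device, IMG a file on sterile media.

hash_of() {
  # sha256sum on GNU systems, shasum on BSD/macOS; print only the digest.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

log_entry() {
  # Append a UTC-timestamped line to the evidence log ($LOG is set by the caller).
  printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

verify_image() {
  # Post-hash check: the image must hash to the documented pre-hash.
  img="$1"; expected="$2"
  post=$(hash_of "$img")
  log_entry "post-hash $img $post"
  [ "$post" = "$expected" ]
}

acquire_and_verify() {
  src="$1"; img="$2"; LOG="$3"
  pre=$(hash_of "$src")
  log_entry "pre-hash  $src $pre"
  # conv=noerror,sync keeps going past unreadable sectors and zero-fills them,
  # but it also zero-pads a final short block, so bs must divide the source
  # length (true for whole devices at sector size) or the hashes will differ.
  if ! dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$LOG"; then
    log_entry "imaging FAILED for $src"
    return 2
  fi
  re=$(hash_of "$src")
  log_entry "re-hash   $src $re"
  if [ "$re" != "$pre" ]; then
    log_entry "ORIGINAL CHANGED during imaging (pre-hash != re-hash)"
    return 3
  fi
  verify_image "$img" "$pre" || { log_entry "IMAGE MISMATCH (post-hash != pre-hash)"; return 4; }
  log_entry "verified: pre-hash == re-hash == post-hash"
}
```

Usage: `acquire_and_verify /dev/sdb /mnt/evidence/sdb.dd /mnt/evidence/sdb.log` (paths assumed). Plain dd is used here because it is everywhere; dedicated imagers such as dc3dd or ewfacquire hash on the fly and write the log for you, which is what you would reach for on a real case.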

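Collecting the volatile data from the order-of-volatility list above, as an added example that is not from the original page. Each command's output goes to its own file, the exact command and the UTC time are written to collection.log, and a SHA-256 manifest is produced at the end so the collection can be verified later. Tool names differ between systems, so the script prefers the iproute2 tools on Linux and falls back to the classic ones; a missing tool is logged rather than aborting the run. Memory itself is not dumped here: that takes a dedicated tool (AVML or LiME on Linux, for instance) and belongs before the later, less volatile steps.

```shell
#!/bin/sh
# Added example: live collection in RFC 3227 order of volatility.
# Usage: collect_volatile /path/to/output-dir  (on removable media, never on the
# evidence disk itself, so as few files as possible are created on the system).

run_cmd() {
  # run_cmd <name> <command...>: save output to $OUT/<name>.txt and record the
  # exact invocation and UTC time; log failures instead of aborting.
  name="$1"; shift
  printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$OUT/collection.log"
  if ! "$@" > "$OUT/$name.txt" 2>&1; then
    printf '    %s failed (exit %s)\n' "$1" "$?" >> "$OUT/collection.log"
  fi
}

have() { command -v "$1" >/dev/null 2>&1; }

collect_volatile() {
  OUT="$1"
  mkdir -p "$OUT"
  : > "$OUT/collection.log"

  # 1. Time reference first: every later timestamp is read against this.
  run_cmd timestamp date -u
  run_cmd uptime uptime

  # 2. ARP cache and routing table: gone as soon as the box reboots.
  if have ip; then run_cmd arp_cache ip neigh show; else run_cmd arp_cache arp -an; fi
  if have ip; then run_cmd routing_table ip route show; else run_cmd routing_table netstat -rn; fi

  # 3. A memory dump would go here, taken with a dedicated tool (see lead-in).

  # 4. Process table and open network sockets.
  run_cmd processes ps -eo pid,ppid,user,stime,args
  if have ss; then run_cmd sockets ss -tunap; else run_cmd sockets netstat -tunap; fi

  # 5. Kernel statistics and logged-in users.
  run_cmd meminfo cat /proc/meminfo
  run_cmd users who

  # 6. Mounted file systems: less volatile, but cheap and needed for the disk stage.
  run_cmd mounts cat /proc/mounts

  # Seal the collection: a manifest of SHA-256 hashes, checked later with
  # `sha256sum -c manifest.sha256` from inside the directory.
  (cd "$OUT" && sha256sum ./*.txt collection.log > manifest.sha256)
}
```

The manifest is what lets you hand the directory to someone else and have them prove nothing changed in transit; copy it, together with collection.log, into the case notes as soon as the run finishes.
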
Toolkit Assembly For Physical Acquisition

  • A PC technician's toolkit (screwdrivers, tweezers, scissors, portable batteries, etc.) to be able to remove HDDs, lockdown cables, etc.
  • A digital camera that embeds timestamps in the photos. Take photos; the more, the better.
  • A video camera. Take a video; the longer, the better.
  • Labelling and documenting supplies (labels, markers, pens, evidence tape).
  • Transporting and managing evidence (Faraday bag, anti-static bags, evidence log, large envelopes, gloves, sanitiser).
  • Documents (chain of custody, notes, warrants/subpoenas).
  • Digital forensics specifics (forensics software, write blockers, laptop, sterilised target media, flash drives for live/dead acquisition, bootable media, Apple USB Type-C cables).
