🔎 Investigation Tactics, Techniques and Procedures

🔎 Detection and Investigation Techniques

Something can either be detected automatically or be searched for. So an investigation (incident response and digital forensics) can start either from a security alert or from threat hunting. What are artefacts, and how are they different from evidence? What types of artefacts are there, and how do you look for them? Let’s dive deeper into the techniques used to spot the attacker.

🤔 Analysis Tips and Cheatsheets

Knowing your artefacts and attacks is very useful, but how do you really USE that knowledge to its full potential? This section combines information from the attacks and artefacts sections to suggest possible approaches to an investigation.

🧼 Media Sterilisation

Before copying evidence or making a disk image, the target media must be sterilised so that whatever data was on that disk before the operation cannot mix with the evidence data. Several rounds of writing 0s are usually enough.

🚫 Write Blockers

During both live and dead acquisition it is important not to alter the evidence. Write blockers protect the evidence from accidental tampering, helping to ensure it remains admissible in court.

💿 Imaging

There are two types of acquisition: live 🍀 and dead ☠️. The choice is usually driven by the state the system in question is found in. For example, if the system is turned on, perform a live acquisition first, capturing all volatile data that would be lost on reboot. Otherwise (if the system is shut down), go straight to dead acquisition.

📚 Logical Acquisition

This type of acquisition can only happen on a live system. It is quicker and easier than imaging the drive, but some data will be missed. For mobile devices it is sometimes the only way to collect data at all.

🩻 Data Recovery

In order to detect and respond to incidents quickly, there are playbooks, which are essentially step-by-step guidelines. Some IR frameworks include them to ease the process.

๐Ÿ•ถ๏ธ Anti-Forensics

Attackers will attempt to conceal their presence or even plant bogus artefacts to complicate the investigation and potentially lead to incorrect conclusions.

โฑ๏ธ Timelines And Timestamps

As if investigations weren’t complicated enough, we must also contend with various timestamp formats. There is a wide range of time formats in use, and understanding the differences between them is crucial to building an accurate timeline.

🔬 Malware Analysis