This post provides an introduction to DFIR (Digital Forensics and Incident Response) and covers its definition, process, key concepts, tools, and a practical example of investigating a security breach. The post also includes a walkthrough of the TryHackMe DFIR room.

What is DFIR?

As already mentioned, DFIR stands for Digital Forensics and Incident Response. This field covers the collection of forensic artifacts from digital devices such as computers, media devices, and smartphones to investigate an incident. This field helps Security Professionals identify footprints left by an attacker when a security incident occurs, use them to determine the extent of compromise in an environment, and restore the environment to the state it was before the incident occurred.

DFIR consists of two primary fields:

  • Digital Forensics → Collecting and analyzing evidence from compromised systems.
  • Incident Response → Responding to security incidents and mitigating threats.

The need for DFIR

DFIR helps security professionals in various ways, some of which are summarized below:

  • Finding evidence of attacker activity in the network and sifting false alarms from actual incidents.
  • Robustly removing the attacker, so that no foothold in the network remains.
  • Identifying the extent and timeframe of a breach. This helps in communicating with relevant stakeholders.
  • Finding the loopholes that led to the breach. What needs to be changed to avoid the breach in the future?
  • Understanding attacker behavior to pre-emptively block further intrusion attempts by the attacker.
  • Sharing information about the attacker with the community.

Who performs DFIR?

As the name suggests, DFIR requires expertise in both Digital Forensics and Incident Response. Dividing these two fields this way, the following skillset is needed to become a DFIR professional:

  • Digital Forensics: These professionals are experts in identifying forensic artifacts or evidence of human activity in digital devices.
  • Incident Response: Incident responders are experts in cybersecurity and leverage forensic information to identify the activity of interest from a security perspective. 

DFIR professionals know about Digital Forensics and cybersecurity and combine these domains to achieve their goals. Digital Forensics and Incident Response domains are often combined because they are highly interdependent. Incident Response leverages knowledge gained from Digital Forensics. Similarly, Digital Forensics takes its goals and scope from the Incident Response process, and the IR process defines the extent of forensic investigation.

In Security Operations, the prominent use of Digital Forensics is to perform Incident Response. In this section we walk through the Incident Response process and observe how Digital Forensics supports each step of it.

Different organizations have published standardized methods to perform Incident Response. NIST has defined a process in its SP 800-61 Computer Security Incident Handling Guide, which has the following steps:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-incident Activity

Similarly, SANS has published an Incident Handler’s handbook. The handbook defines the steps as follows:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

The steps defined by SANS are often summarized by the acronym PICERL, making them easy to remember. The steps specified by SANS and NIST are essentially the same: where NIST combines Containment, Eradication, and Recovery into one step, SANS separates them into three. Post-incident Activity corresponds to Lessons Learned, and Detection and Analysis corresponds to Identification.

DFIR Process (Based on SANS & NIST Frameworks)

DFIR follows a structured process to detect, contain, and recover from security incidents:

1️⃣ Preparation

  • Set up tools and train the IR team.
  • Define Incident Response Plans (IRP).

2️⃣ Identification

  • Detect suspicious activity using IDS, SIEM logs, or network traffic.
  • Example: Splunk alerts show unusual outbound traffic to a C2 server.

3️⃣ Containment

  • Isolate the affected system (disconnect from the network).
  • Prevent malware from spreading (cut C2 communication).

4️⃣ Eradication

  • Remove malware, restore the system to a clean state.

5️⃣ Recovery

  • Rebuild compromised machines from clean backups.
  • Monitor for re-infection.

6️⃣ Lessons Learned

  • Analyze attack impact.
  • Improve security controls to prevent future incidents.

Key DFIR Concepts

1️⃣ Artifacts & Evidence Collection

Artifacts are pieces of evidence that support a hypothesis.
Example: If a Windows machine communicates with a Command & Control (C2) server, we collect:

  • Memory dumps (RAM analysis)
  • Logs (system, network, application logs)
  • Suspicious files (potential malware)

2️⃣ Evidence Integrity & Chain of Custody

To ensure evidence remains unaltered, DFIR specialists:

  • Take hashes (unique digital fingerprints) of collected files.
  • Keep a Chain of Custody to document who handled the evidence.
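As an added example (not part of the original post or the TryHackMe room), the following Python sketch hashes a collected artifact with SHA-256 at the moment of acquisition, records each handoff in a custody log, and re-hashes the file later to prove it was not altered; the file name and analyst names are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so a multi-GB disk image never has to fit in RAM

def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

class ChainOfCustody:
    """Append-only record of who handled an artifact, when, and what its hash was."""
    def __init__(self, artifact):
        self.artifact = Path(artifact)
        self.events = []

    def _log(self, handler, action, digest):
        self.events.append({
            "artifact": str(self.artifact), "handler": handler, "action": action,
            "sha256": digest,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })

    def acquire(self, handler):
        """First event: hash the artifact at the moment it is collected."""
        self._log(handler, "acquired", sha256_file(self.artifact))
        return self.events[0]["sha256"]

    def handoff(self, from_handler, to_handler):
        """Custody changes hands; re-hash so the receiver can prove nothing changed in transit."""
        digest = sha256_file(self.artifact)
        self._log(to_handler, f"received from {from_handler}", digest)
        return digest == self.events[0]["sha256"]

    def verify(self):
        """Does the artifact on disk still match the hash taken at acquisition?"""
        return sha256_file(self.artifact) == self.events[0]["sha256"]

if __name__ == "__main__":
    sample = Path("suspicious_sample.bin")  # constructed stand-in for a collected file
    sample.write_bytes(b"hello")
    coc = ChainOfCustody(sample)
    print("acquired:", coc.acquire("analyst_a"), "| handoff intact:", coc.handoff("analyst_a", "analyst_b"))
    sample.write_bytes(b"hello!")  # simulate tampering after collection
    print("still intact after tampering:", coc.verify())
```

Every entry in `events` carries the hash observed at that point, so a mismatch pinpoints which handoff the evidence was altered after.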

3️⃣ Order of Volatility

Some data disappears faster than others! So, DFIR follows an order of priority:
1️⃣ RAM (Processes, network connections) 🛑 Lost if the system shuts down!
2️⃣ Running system logs 📜 (Event logs, registry)
3️⃣ Disk images 🖥️ (Stored files, malware samples)

4️⃣ Incident Timeline Creation

Investigators reconstruct events to understand how an attack happened.
Example:
1️⃣ An attacker gains SSH access to a machine after brute-forcing credentials.
2️⃣ The machine downloads Cobalt Strike malware from a suspicious server.
3️⃣ The compromised machine communicates with a C2 server.
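The three-step story above, reconstructed in code as an added example that is not from the original post: constructed log lines in three formats (syslog-style sshd entries, an ISO-8601 proxy line, and epoch-stamped firewall records) are normalised to UTC and merged into one ordered timeline. Hostnames, addresses and timestamps are invented, and the missing syslog year is supplied by the analyst.

```python
import re
from datetime import datetime, timezone
# Constructed sample log lines (not real data): hosts, IPs and times are invented.
AUTH_LOG = """\
Mar  3 09:14:02 web01 sshd[812]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 09:14:05 web01 sshd[812]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 09:14:09 web01 sshd[812]: Accepted password for root from 203.0.113.9 port 51041 ssh2"""
PROXY_LOG = "2024-03-03T09:16:44Z web01 GET http://198.51.100.7/update.exe 200 312000"
FIREWALL_LOG = """\
1709457480 ALLOW 10.0.0.5:49211 -> 198.51.100.7:443
1709457540 ALLOW 10.0.0.5:49212 -> 198.51.100.7:443"""
YEAR = 2024  # syslog lines carry no year; the analyst supplies it from the case context
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line):
    """'Mar  3 09:14:02 host msg' -> (aware UTC datetime, source, message)."""
    m = SYSLOG_RE.match(line)
    ts = datetime.strptime(f"{YEAR} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc), "sshd", m[5]

def parse_proxy(line):
    """ISO-8601 'Z' timestamp, hostname, then the request."""
    ts, _, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), "proxy", rest

def parse_firewall(line):
    """Epoch seconds, then the connection record."""
    epoch, rest = line.split(" ", 1)
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc), "firewall", rest

def build_timeline():
    """Merge every source into one list sorted by time, so the story reads top to bottom."""
    events = [parse_syslog(l) for l in AUTH_LOG.splitlines()]
    events.append(parse_proxy(PROXY_LOG))
    events += [parse_firewall(l) for l in FIREWALL_LOG.splitlines()]
    return sorted(events)

def failed_logins_before_success(timeline):
    """How many 'Failed password' entries precede the first 'Accepted password'?"""
    msgs = [msg for _, src, msg in timeline if src == "sshd"]
    accepted = next((i for i, m in enumerate(msgs) if "Accepted password" in m), len(msgs))
    return sum("Failed password" in m for m in msgs[:accepted])

if __name__ == "__main__":
    for ts, src, msg in build_timeline():
        print(f"{ts:%Y-%m-%d %H:%M:%S}Z  {src:<8} {msg}")
```

Once every source shares one clock, the brute force, the download and the repeated connections to the same external host fall into sequence without any further correlation work.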

Popular DFIR Tools

Forensic Tools (For collecting and analyzing evidence):

  • Eric Zimmerman’s tools (Windows forensics)
  • Autopsy (Disk forensics)
  • Volatility Framework (Memory forensics)
  • Redline (FireEye’s forensic tool)

Incident Response Tools (For detecting and stopping threats):

  • Velociraptor (Endpoint monitoring)
  • Splunk / QRadar (SIEM for log analysis)

TryHackMe DFIR Room Answers

What does DFIR stand for?

Complete the timeline creation exercise in the attached static site. What is the flag that you get after completion?

DFIR requires expertise in two fields. One of the fields is Digital Forensics. What is the other field?

At what stage of the IR process are disrupted services brought back online as they were before the incident?

At what stage of the IR process is the threat evicted from the network after performing the forensic analysis?

What is the NIST-equivalent of the step called “Lessons learned” in the SANS process?

Video Walkthrough | TryHackMe DFIR

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
