Digital Forensics and Incident Response (DFIR) is a term for the application of digital forensic techniques to cyber security. It is the collection and preservation of digital evidence to either defend against a cyberattack, or conduct an investigation into one.
DFIR focuses first on containment of a threat. Then the elimination of the malware, unauthorized access, or other causes of the threat can be addressed. The incident can then be assessed, and preventive measures suggested and implemented. EnCase Endpoint Investigator is a tool commonly used for DFIR projects.
Common DFIR techniques on Windows systems include:
1. Review of the Application Compatibility Cache - to check what programs where run on a Windows operating system. The cache is designed to allow software written for earlier versions of Windows to run in the current version.
2. Extracting text from binary files - a search can be run for email addresses; IP addresses; and other information with regular expressions.
3. Event log parsing - event logs are stored in the same format on Windows. During DFIR their various data elements should be processed simultaneously.
4. Review of Prefetch files - the files stored at C:\Windows\Prefetch can be analyzed to show which programs have been run on a Windows computer.
5. Review of Shadow Volumes - deleted and wiped files can be recovered from these periodic back-ups.
6. Shellbag artifacts - these indicate when a folder was accessed.
7. Recycle Bin artifacts - contain information on the time a file was deleted and its original location.
8. Jumplist - hold information on which files have been opened by which applications.
9. Windows timeline - Windows 10 has a timeline showing which files and applications have been opened for the past 30 days.
10. NFTS file system - include records of when a system has been booted and changes have been made to individual files.
11. Windows registry - its files can be processed automatically.
12. LNK - shortcut .lnk files show when files have been opened.