Keep the F in DFIR: The Importance of Digital Forensics in Incident Response

OVERVIEW

In recent years, blue teamers have greatly benefited from advanced security tools such as EDRs and XDRs. While these tools provide valuable visibility and containment mechanisms during DFIR investigations, over-reliance on them may lead to an incomplete picture of the incident. In this presentation, we will discuss how traditional forensic analysis methods can provide a more holistic look at an incident and reduce gaps in visibility.

Our presentation will provide an overview of challenges encountered when using EDR tools, such as telemetry retention, OS compatibility, deployment scope, and the lack of forensic artifacts that track interactive activity by an attacker. Next, we will introduce several forensic artifacts, such as Amcache, Shellbags, and the Windows User Access Logging (UAL) database, that provide deeper, historical visibility into attacker activity. Using the forensic artifacts introduced in this presentation, blue teamers will be able to piece together and timeline crucial pieces of evidence on systems that provide insight into historical process executions, file/folder access, lateral movement, and more. Finally, we will present real-life case studies where forensic methods have proved vital in incident response investigations.

Attendees of this presentation will gain a better understanding of forensic artifacts and how they can be utilized in incident response investigations. They will also learn about free and open-source tools available to parse these artifacts at scale.

Presented By

PARTHA ALWAR
Director,
Stroz Friedberg
CARLY BATTAILE
Manager,
Stroz Friedberg