People usually associate “advanced persistent threat” (APT) with malicious outsiders—nation-state or other sophisticated attackers. Generally, once an APT attacker has established an initial foothold, they conduct “low-and-slow”-style attacks involving a prolonged period of reconnaissance and lateral movement. Insider threats are usually thought of as intentional (or sometimes accidental) acts of data theft or other compromise committed by trusted users who know their way around and have legitimate, open access to sensitive assets.
Welcome back to the second installment of our DFIR blog! If you didn’t read Introduction to Digital Forensics and Incident Response check it out.
Let’s get started on our next chapter, Timeline Analysis and Time Stamped Forensics.
A Chapter from Your Favorite Crime Novel
In one of his blog posts, Corey Harrell described timeline analysis as a "great technique to determine the activity that occurred on a system at a certain point in time". When referring to DFIR, we would take it one step further: timeline analysis is necessary for effective incident response.
Practically, conducting digital forensics analysis is the procedure of investigating security alerts or suspicions of malicious activity in a computer network.
I like to think of DFIR as a procedure analogous to a military debriefing.
When fighter pilots return from an operative mission, they immediately conduct a debrief, which covers the objectives, what worked and what didn’t, and exactly how the next mission will be improved upon to complete each objective. Digital Forensics is really no different and here's why ...