Journey into IR Methodology
This page is my dumping ground for organizing the cyber investigation methodology I use in my blog posts. As a result, the methodology only reflects the activities I mention in my blog, so it is not a complete process. However, it will be continuously updated as I progress through my journey. Even though this page is a place for me to dump information, I think it could benefit my readers, because it can be used as a guide to the cyber investigation process I reference in some of my posts.
This investigation methodology is not supposed to be a checklist for an investigation; instead it is to be used as a guide for an investigation. This means not all of the activities listed below will be used on every investigation, since each case is different.
Note: I have used numerous sources to create this methodology. To view these sources please visit the associated blog post.
I. Preparation
Description: Covers all of the activities which would occur before working on a case such as staff training and case management
Related blog posts: Overall DF Investigation Process
II. Identification
Description: The digital forensic investigation is initiated and the scope of the investigation is determined
Related blog posts: Overall DF Investigation Process and End to End Digital Investigation
III. Collection
Description: When the identification and collection of any items that could be of evidentiary value occurs
Related blog posts: Overall DF Investigation Process and End to End Digital Investigation
IV. Analysis
Description: When data is examined to identify evidence relevant to the case and the identified evidence is analyzed in order to develop a set of conclusions
Related blog posts: Overall DF Investigation Process and End to End Digital Investigation
A. Analysis of individual events (or individual cases)
Description: Examines isolated events and data sources to locate
evidence and determine the relevance of the evidence to the case
Related blog posts: End to End Digital Investigation
1. System Examination
Related blog posts: Initial Examination Steps & First Challenge,
How was the System Infected? Part 2,
Anatomy of a Drive-by Part 2,
Finding the Initial Infection Vector,
Man versus AntiVirus Scanner, and
Finding An Infection Vector After IT Cleaned the System
a) Examine the master boot record
Related blog posts: Obtaining Information about the Operating System
b) Obtain information about the operating system and its configuration
Related blog posts: Obtaining Information about the Operating System
(1) General Operating System Information
(2) User Account Information
(3) Software Information
(4) Networking Information
(5) Storage Locations Information
c) Examine the volatile data
Related blog posts: Is the System Infected? and
Dual Purpose Volatile Data Collection Script
(1) Review the open ports and network connections
(2) Review the running processes
(3) Review the system hooks
(4) Review the loaded dynamic-link libraries (DLLs)
(5) Review the open files
(6) Review the loaded drivers
(7) Review the strings associated with a process or
driver of interest
d) Examine the files on the system that were identified in volatile data
e) Hash the files on the system
f) Examine the programs run on the system
Related blog posts: Second Look at Prefetch Files,
Combining Techniques, Second Look at Prefetch Files,
and NTOSBOOT Prefetch File
g) Examine the auto-start locations
Related blog posts: Anatomy of a Drive-by Part 1
h) Examine the host-based logs
i) Examine file system artifacts
Related blog posts: Re-Introducing $UsnJrnl
j) Malware searches
k) Perform a timeline analysis
Related blog posts: What’s a Timeline,
Building Timelines – Thought Process Behind It,
Building Timelines – Tools Usage,
Reviewing Timelines with Excel,
Reviewing Timelines with Calc, and
Layering Data
l) Examine web browsing history
m) Examine user profiles of interest
(1) Review user account activity
(2) Review user account network activity
(3) Review user account file and folder access
n) Examine specific artifacts
(1) System restore points / volume shadow copies
Related blog posts: Ripping Volume Shadow Copies – Introduction,
Ripping VSCs – Practitioner Method,
Ripping VSCs – Practitioner Examples,
Ripping VSCs – Developer Method,
Ripping VSCs – Developer Examples,
Examining VSCs with GUI Tools,
More About Volume Shadow Copies,
Ripping VSCs – Tracking User Activity, and
Volume Shadow Copy Timeline
o) Perform a keyword search
p) Examine suspected malicious files
(1) Java file analysis
Related blog posts: (Almost) Cooked Up Some Java and
Malware Root Cause Analysis
(2) Executable analysis
Related blog posts: From Malware Analysis to Portable Clam AV
B. Preliminary correlation
Description: The evidence located through the examination of the
various data sources is correlated into a chain of evidence
Related blog posts: End to End Digital Investigation
C. Event normalization
Description: Combining of evidentiary data into the same terminology
that can be used in the correlation process. Adjusting the times to
account for a time skew is an example of normalization.
Related blog posts: End to End Digital Investigation
D. Event deconfliction
Description: Combining of multiple copies of evidence into a single
evidentiary event in order to eliminate duplicates
Related blog posts: End to End Digital Investigation
E. Second level correlation
Description: Correlating the evidence which has been normalized into a
chain of evidence
Related blog posts: End to End Digital Investigation
F. Timeline analysis
Description: A timeline is built using the chain of evidence
Related blog posts: End to End Digital Investigation
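As an added example (not code from the original post), the following shows one way to carry out steps C, D and F above: normalizing events from several data sources into common terminology with a skew-corrected clock, deconflicting duplicate copies of the same event, and ordering the result into a timeline. The sample events, their field names and timestamp formats, and the five-minute host clock skew are all constructed for illustration.

```python
# Added example (not from the original post): steps C, D and F over
# constructed events from several sources with assumed formats and skew.
from datetime import datetime, timedelta, timezone
# Constructed sample events.  Each source has its own field names and
# timestamp format, and the host clock is assumed to run 5 minutes fast.
RAW_EVENTS = [
    {"source": "host", "ts": "2012-03-01 14:05:10",
     "desc": "Prefetch: SUSPECT.EXE executed", "path": "C:\\Users\\bob\\suspect.exe"},
    {"source": "proxy", "time": "01/Mar/2012:14:00:12 +0000",
     "msg": "GET http://example.test/dl.php", "path": "-"},
    # Same host artifact recovered twice (e.g. once more from a shadow copy)
    {"source": "host", "ts": "2012-03-01 14:05:10",
     "desc": "Prefetch: SUSPECT.EXE executed", "path": "C:\\Users\\bob\\suspect.exe"},
    {"source": "av", "when": "2012-03-01T14:00:21Z",
     "message": "Trojan detected", "file": "C:\\Users\\bob\\suspect.exe"},
]
# Per-source field names and timestamp formats (assumed for this example).
SOURCE_FORMATS = {
    "host":  ("ts",   "%Y-%m-%d %H:%M:%S",    "desc",    "path"),
    "proxy": ("time", "%d/%b/%Y:%H:%M:%S %z", "msg",     "path"),
    "av":    ("when", "%Y-%m-%dT%H:%M:%SZ",   "message", "file"),
}
# Measured clock skew per source: host timestamps are 5 minutes ahead.
CLOCK_SKEW = {"host": timedelta(minutes=-5)}

def normalize(event):
    """Step C: common terminology plus a skew-corrected UTC timestamp."""
    ts_field, fmt, desc_field, path_field = SOURCE_FORMATS[event["source"]]
    when = datetime.strptime(event[ts_field], fmt)
    if when.tzinfo is None:  # naive timestamps are treated as UTC
        when = when.replace(tzinfo=timezone.utc)
    when = when.astimezone(timezone.utc) + CLOCK_SKEW.get(event["source"], timedelta())
    return {"time": when, "source": event["source"],
            "description": event[desc_field], "path": event[path_field]}

def deconflict(events):
    """Step D: merge copies of the same event, counting how many were seen."""
    merged = {}
    for ev in events:
        key = (ev["time"], ev["source"], ev["description"], ev["path"])
        if key in merged:
            merged[key]["copies"] += 1
        else:
            merged[key] = dict(ev, copies=1)
    return list(merged.values())

def build_timeline(raw_events):
    """Step F: normalize, deconflict and order the events by corrected time."""
    return sorted(deconflict(normalize(e) for e in raw_events), key=lambda e: e["time"])
```

Running build_timeline(RAW_EVENTS) yields three events ordered host (14:00:10 UTC after skew correction, seen twice), proxy, AV; the uncorrected host time would wrongly place the execution after the AV detection.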
G. Chain of evidence construction
Description: The chain of evidence is constructed by verifying if each
piece of evidence links to the next piece of evidence in the chain
Related blog posts: Broken Chain and End to End Digital Investigation
H. Corroboration
Description: Primary evidence is corroborated with secondary evidence
Related blog posts: End to End Digital Investigation
V. Reporting
Description: When the evidence and conclusions are presented
Related blog posts: Overall DF Investigation Process
VI. Archiving
Description: When the long-term storage of case materials occurs
Related blog posts: Overall DF Investigation Process