Journey into IR Methodology

This page is my dumping ground for organizing the cyber investigation methodology I am using with my blog posts. As a result, the methodology only reflects the activities I mention in my blog, so this is not a complete process. However, the methodology will be continuously updated as I progress through my journey. Even though this page is a location for me to dump information, I think it could benefit my readers because it can be used as a guide to the cyber investigation process I am referencing in some of my posts.

This investigation methodology is not supposed to be a checklist for an investigation; instead it is to be used as a guide for an investigation. This means not all of the activities listed below will be used on every investigation, since each case is different.

Note: I have used numerous sources to create this methodology. To view these sources please visit the associated blog post.


I. Preparation

Description: Covers all of the activities which would occur before working on a case such as staff training and case management

Related blog posts: Overall DF Investigation Process


II. Identification

Description: The digital forensic investigation is initiated and the scope of the investigation is determined

Related blog posts: Overall DF Investigation Process and End to End Digital Investigation


III. Collection

Description: When the identification and collection of any items that could be of evidentiary value occurs

Related blog posts: Overall DF Investigation Process and End to End Digital Investigation


IV. Analysis

Description: When data is examined to identify evidence relevant to the case and the identified evidence is analyzed in order to develop a set of conclusions

Related blog posts: Overall DF Investigation Process and End to End Digital Investigation

      A. Analysis of individual events (or individual cases)

          Description: Examines isolated events and data sources to locate
          evidence and determine the relevance of the evidence to the case

          Related blog posts: End to End Digital Investigation

               1. System Examination

                    Related blog posts: Initial Examination Steps & First Challenge,
                    How was the System Infected? Part 2 and
                    Anatomy of a Drive-by Part 2

                         a) Examine the master boot record

                               Related blog posts: Obtaining Information about the Operating System

                         b) Obtain information about the operating system and its configuration

                               Related blog posts: Obtaining Information about the Operating System

                              (1) General Operating System Information

                              (2) User Account Information

                              (3) Software Information

                              (4) Networking Information

                              (5) Storage Locations Information 

                         c) Examine the volatile data

                              Related blog posts: Is the System Infected?

                              (1) Review the open ports and network connections

                              (2) Review the running processes

                              (3) Review the system hooks

                              (4) Review the loaded dynamic-link libraries (DLLs)

                              (5) Review the open files

                              (6) Review the loaded drivers

                              (7) Review the strings associated with a process or
                                   driver of interest

                         d) Hash the files on the system

                         e) Perform a file signature analysis against the files on the
                            system

                         f) Examine the files on the system that were identified in
                             volatile data

                         g) Search for known malware on the system

                         h) Examine the auto-start locations

                              Related blog posts: Anatomy of a Drive-by Part 1

                         i) Examine the programs run on the system

                         j) Perform a timeline analysis

                              Related blog posts: Building Timelines – Thought Process Behind It,
                              Building Timelines – Tools Usage,
                              Reviewing Timelines with Excel, and
                              Reviewing Timelines with Calc.

                         k) Perform a keyword search

                         l) Examine the host-based logs

                         m) Examine the executables of interest
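As an added example (not from the original blog or any tool it references) of steps d), e) and g) above, the script below hashes a set of files, compares each file's leading bytes against a small magic-byte table, and flags files whose extension does not match their true type. The file contents, the signature table and the "known bad" hash set are all constructed for this illustration.

```python
import hashlib

# Constructed magic-byte table: leading bytes -> extensions that legitimately use them.
# Real file signature analysis uses a far larger table (e.g. TrID or libmagic databases).
SIGNATURES = {
    b"MZ": {"exe", "dll", "sys", "scr"},           # Windows PE executables
    b"%PDF": {"pdf"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "jar"},  # ZIP containers
    b"GIF8": {"gif"},
}

def identify(data: bytes):
    """Return the extensions matching the file's leading bytes, or None if unknown."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None

def analyze(files: dict, known_bad: set = frozenset()) -> list:
    """files maps file name -> content. One record per file: hash, type, mismatch, known-bad."""
    results = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        exts = identify(data)
        sha256 = hashlib.sha256(data).hexdigest()
        results.append({
            "name": name,
            "sha256": sha256,
            "type": "unknown" if exts is None else "/".join(sorted(exts)),
            # Extension/signature mismatch: a PE named .jpg is a classic hiding technique
            "mismatch": exts is not None and ext not in exts,
            "known_bad": sha256 in known_bad,
        })
    return results

# Constructed sample "files" from an examined system; the .jpg is really a PE header.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4 constructed sample",
    "holiday.jpg": b"MZ\x90\x00constructed PE stub",
    "notes.txt": b"plain text, no known signature",
}
# Constructed hash set standing in for a real known-malware hash list.
KNOWN_BAD = {hashlib.sha256(b"MZ\x90\x00constructed PE stub").hexdigest()}

def files_of_interest(files=SAMPLE_FILES, known_bad=KNOWN_BAD) -> list:
    """Names of files that either mismatch their extension or hit the known-bad list."""
    return [r["name"] for r in analyze(files, known_bad) if r["mismatch"] or r["known_bad"]]

if __name__ == "__main__":
    for rec in analyze(SAMPLE_FILES, KNOWN_BAD):
        print(rec)
```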

      B. Preliminary correlation

          Description: The evidence located through the examination of the
          various data sources is correlated into a chain of evidence

          Related blog posts: End to End Digital Investigation

      C. Event normalization

          Description: Converting evidentiary data into common terminology
          that can be used in the correlation process. Adjusting the times to
          account for a clock skew is an example of normalization.

          Related blog posts: End to End Digital Investigation

      D. Event deconfliction

          Description: Combining of multiple copies of evidence into a single
          evidentiary event in order to eliminate duplicates

          Related blog posts: End to End Digital Investigation

      E. Second level correlation

          Description: Correlating the evidence which has been normalized into a
          chain of evidence

          Related blog posts: End to End Digital Investigation

      F. Timeline analysis

          Description: A timeline is built using the chain of evidence

          Related blog posts: End to End Digital Investigation

      G. Chain of evidence construction

          Description: The chain of evidence is constructed by verifying if each
          piece of evidence links to the next piece of evidence in the chain

          Related blog posts: Broken Chain and End to End Digital Investigation

      H. Corroboration

          Description: Primary evidence is corroborated with secondary evidence

          Related blog posts: End to End Digital Investigation
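As an added example (not from the original blog) of steps C, D and F above, the script below normalizes records from two constructed sources into one schema, corrects a host clock that is known to run five minutes fast, removes a duplicate copy of an event, and sorts the result into a timeline. The log lines, host name, address and skew value are all constructed; note how the skew correction changes which event comes first.

```python
from datetime import datetime, timedelta, timezone

# Constructed host log export: local timestamps, no time zone, and one record
# that appears twice because it came from two separate exports of the same log.
HOST_LOG = [
    {"time": "2012-03-10 14:07:12", "host": "WS01", "msg": "process created: evil.exe"},
    {"time": "2012-03-10 14:07:12", "host": "WS01", "msg": "process created: evil.exe"},
    {"time": "2012-03-10 14:09:30", "host": "WS01", "msg": "service installed: svchelper"},
]
# Constructed firewall log: already in UTC, different format.
FW_LOG = ["2012-03-10T14:02:40Z WS01 outbound 198.51.100.7:443"]

# Clock skew established during the case: host clock minus true time (assumption).
SKEW = {"WS01": timedelta(minutes=5)}
HOST_TZ = timezone.utc  # assumed time zone the host's local clock was set to

def normalize_host(rec: dict) -> dict:
    """Host record -> common schema, with the host's clock skew removed."""
    ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=HOST_TZ)
    ts -= SKEW.get(rec["host"], timedelta(0))
    return {"ts": ts, "host": rec["host"], "source": "host", "event": rec["msg"]}

def normalize_fw(line: str) -> dict:
    """Firewall line -> common schema (already UTC, so no skew adjustment)."""
    ts_s, host, *rest = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": host, "source": "firewall", "event": " ".join(rest)}

def deconflict(events: list) -> list:
    """Collapse multiple copies of the same normalized event into one."""
    seen, unique = set(), []
    for e in events:
        key = (e["ts"], e["host"], e["source"], e["event"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique

def build_timeline(host_log=HOST_LOG, fw_log=FW_LOG) -> list:
    """Normalize, deconflict and order events from all sources by corrected UTC time."""
    events = [normalize_host(r) for r in host_log] + [normalize_fw(l) for l in fw_log]
    return sorted(deconflict(events), key=lambda e: e["ts"])

if __name__ == "__main__":
    for e in build_timeline():
        print(e["ts"].isoformat(), e["host"], e["source"], e["event"])
```

Without the skew correction the outbound connection would appear to precede the process creation, which is exactly the kind of broken link in the chain of evidence that normalization exists to prevent.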


V. Reporting

Description: When the evidence and conclusions are presented

Related blog posts: Overall DF Investigation Process


VI. Archiving

Description: When the long-term storage of case materials occurs

Related blog posts: Overall DF Investigation Process
