Journey into IR Methodology

This page is my dumping ground for organizing the cyber investigation methodology I use in my blog posts. As a result, the methodology only reflects the activities I mention in my blog, so this is not a complete process. However, it will be continuously updated as I progress through my journey. Even though this page is where I dump information, I think it can benefit my readers because it serves as a guide to the cyber investigation process I reference in some of my posts.

This investigation methodology is not meant to be a checklist for an investigation; instead it is to be used as a guide. This means not all of the activities listed below will be used in every investigation, since each case is different.

Note: I have used numerous sources to create this methodology. To view these sources please visit the associated blog post.


I. Preparation

Description: Covers all of the activities which would occur before working on a case such as staff training and case management

Related blog posts: Overall DF Investigation Process


II. Identification

Description: The digital forensic investigation is initiated and the scope of the investigation is determined

Related blog posts: Overall DF Investigation Process and End to End Digital Investigation


III. Collection

Description: When the identification and collection of any items that could be of evidentiary value occurs

Related blog posts: Overall DF Investigation Process and End to End Digital Investigation


IV. Analysis

Description: When data is examined to identify evidence relevant to the case and the identified evidence is analyzed in order to develop a set of conclusions

Related blog posts: Overall DF Investigation Process and End to End Digital Investigation

      A. Analysis of individual events (or individual cases)

          Description: Examines isolated events and data sources to locate
          evidence and determine the relevance of the evidence to the case

          Related blog posts: End to End Digital Investigation

               1. System Examination

                    Related blog posts: Initial Examination Steps & First Challenge,
                    How was the System Infected? Part 2,
                    Anatomy of a Drive-by Part 2,
                    Finding the Initial Infection Vector,
                    Man versus AntiVirus Scanner, and
                    Finding An Infection Vector After IT Cleaned the System

                         a) Examine the master boot record

                               Related blog posts: Obtaining Information about the Operating System

                         b) Obtain information about the operating system and its configuration

                               Related blog posts: Obtaining Information about the Operating System

                              (1) General Operating System Information

                              (2) User Account Information

                              (3) Software Information

                              (4) Networking Information

                              (5) Storage Locations Information 

                         c) Examine the volatile data

                              Related blog posts: Is the System Infected? and
                              Dual Purpose Volatile Data Collection Script

                              (1) Review the open ports and network connections

                              (2) Review the running processes

                              (3) Review the system hooks

                              (4) Review the loaded dynamic-link libraries (DLLs)

                              (5) Review the open files

                              (6) Review the loaded drivers

                              (7) Review the strings associated with a process or
                                   driver of interest

                         d) Examine the files on the system that were identified in volatile data

                         e) Hash the files on the system

                         f) Examine the programs run on the system

                             Related blog posts: Second Look at Prefetch Files,
                             Combining Techniques, and
                             NTOSBOOT Prefetch File

                         g) Examine the auto-start locations

                              Related blog posts: Anatomy of a Drive-by Part 1

                         h) Examine the host-based logs

                         i) Examine file system artifacts

                              Related blog posts: Re-Introducing $UsnJrnl

                         j) Malware searches

                         k) Perform a timeline analysis

                              Related blog posts: What’s a Timeline,
                              Building Timelines – Thought Process Behind It,
                              Building Timelines – Tools Usage,
                              Reviewing Timelines with Excel,
                              Reviewing Timelines with Calc, and
                              Layering Data

                         l) Examine web browsing history

                         m) Examine user profiles of interest

                              (1) Review user account activity

                              (2) Review user account network activity

                              (3) Review user account file and folder access

                         n) Examine specific artifacts
  
                               (1) System restore points / volume shadow copies

                               Related blog posts: Ripping Volume Shadow Copies – Introduction,
                               Ripping VSCs – Practitioner Method,
                               Ripping VSCs – Practitioner Examples,
                               Ripping VSCs – Developer Method,
                               Ripping VSCs – Developer Examples,
                               Examining VSCs with GUI Tools,
                               More About Volume Shadow Copies,
                               Ripping VSCs – Tracking User Activity, and
                               Volume Shadow Copy Timeline

                         o) Perform a keyword search

                         p) Examine suspected malicious files

                               (1) Java file analysis

                               Related blog posts: (Almost) Cooked Up Some Java and
                               Malware Root Cause Analysis

                               (2) Executable analysis

                               Related blog posts: From Malware Analysis to Portable Clam AV
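The volatile data review in step (c) and the hashing step in (e) combine naturally into a small triage script. The following Python is an added example, not code from this blog or from any of the posts listed above. It parses constructed `netstat -ano` and `tasklist` style output (the samples are made up, including every IP address, port, PID and image name), cross-references each connection's PID with an image name, flags listening sockets owned by images outside an analyst-supplied baseline (the `expected_listeners` set is an assumption) or whose PID has no process entry, and hashes a file the way step (e) calls for. The regular expressions and function names are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample of "netstat -ano" style output (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49812     203.0.113.5:443        ESTABLISHED     3120
  TCP    192.168.1.20:49820     198.51.100.7:80        ESTABLISHED     2040
  UDP    0.0.0.0:5355           *:*                                    1184
"""

# Constructed sample of "tasklist" style output (not a real capture).
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    812 Services                   0     11,204 K
svchost.exe                   1184 Services                   0      9,112 K
iexplore.exe                  2040 Console                    1    102,440 K
updater.exe                   3120 Console                    1      4,880 K
"""

# UDP rows carry no state column, so the state group is optional.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+")


def parse_netstat(text):
    """Parse connection rows into dicts; header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist-style rows."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def review_volatile_data(connections, processes, expected_listeners):
    """Cross-reference ports against processes and return what to look at next.
    Two conditions are flagged: a listening socket owned by an image outside the
    expected set, and a socket whose PID has no process entry (the process exited
    between the two snapshots, or something is hiding it)."""
    findings = []
    for c in connections:
        image = processes.get(c["pid"])
        if image is None:
            findings.append({"pid": c["pid"], "image": None,
                             "reason": "no-process-for-pid", "detail": c["local"]})
        elif c["state"] == "LISTENING" and image.lower() not in expected_listeners:
            findings.append({"pid": c["pid"], "image": image,
                             "reason": "unexpected-listener", "detail": c["local"]})
    return findings


def hash_file(path, algorithm="sha256", chunk=1 << 20):
    """Hash a file identified during the review so it can be looked up later;
    reading in chunks keeps memory flat on large binaries."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def demo():
    """Run the review over the constructed samples; returns (findings, digest)."""
    connections = parse_netstat(NETSTAT_SAMPLE)
    processes = parse_tasklist(TASKLIST_SAMPLE)
    # The baseline of expected listener images is an analyst-supplied assumption.
    findings = review_volatile_data(connections, processes, {"svchost.exe", "system"})
    for f in findings:
        print(f"PID {f['pid']} ({f['image']}): {f['reason']} on {f['detail']}")
    # Hash a stand-in for the flagged image; the file content is constructed.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "updater.exe")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        digest = hash_file(path)
    print("sha256", digest)
    return findings, digest


if __name__ == "__main__":
    demo()
```

The baseline set is the part that needs care in practice: it should come from the analyst's knowledge of the system's role, and a flagged image is a lead to examine under steps (d) and (e), not a conclusion on its own.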

      B. Preliminary correlation

          Description: The evidence located through the examination of the
          various data sources is correlated into a chain of evidence

          Related blog posts: End to End Digital Investigation

      C. Event normalization

          Description: Combining evidentiary data into common terminology
          that can be used in the correlation process. Adjusting the times to
          account for a time skew is an example of normalization.

          Related blog posts: End to End Digital Investigation

      D. Event deconfliction

          Description: Combining multiple copies of evidence into a single
          evidentiary event in order to eliminate duplicates

          Related blog posts: End to End Digital Investigation

      E. Second level correlation

          Description: Correlating the evidence which has been normalized into a
          chain of evidence

          Related blog posts: End to End Digital Investigation

      F. Timeline analysis

          Description: A timeline is built using the chain of evidence

          Related blog posts: End to End Digital Investigation

      G. Chain of evidence construction

          Description: The chain of evidence is constructed by verifying that each
          piece of evidence links to the next piece of evidence in the chain

          Related blog posts: Broken Chain and End to End Digital Investigation

      H. Corroboration

          Description: Primary evidence is corroborated with secondary evidence

          Related blog posts: End to End Digital Investigation
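Steps C through H can be walked end to end on a handful of records. The following Python is an added example, not code from this blog or the posts it links to. It normalizes constructed records from three sources (an event log and prefetch data from a host whose clock is in UTC-5 and was measured to run 120 seconds fast, and a proxy log already in UTC) onto one schema in UTC, removes a duplicate record recovered from a shadow copy, sorts the result into a timeline, verifies that each event links to the next by host and object and reports where the chain breaks, and corroborates the event-log process start with the prefetch last-run time. Every record, hostname, path and URL is constructed; the `SOURCE_CLOCKS` table, the host-and-object link rule and the 60 second corroboration window are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
import ntpath

# Clock parameters per source, assumed for this example: (UTC offset of the
# source clock in hours, seconds the clock was measured to run FAST).
SOURCE_CLOCKS = {
    "evtx": (-5, 120),
    "prefetch": (-5, 120),
    "proxy": (0, 0),
}

# Constructed raw records in three source-specific formats (not real evidence).
RAW_EVENTS = [
    {"src": "proxy", "ts": "2012-03-14T13:59:55Z", "client": "ws01",
     "url": "http://files.example.invalid/update.exe"},
    {"src": "evtx", "time": "2012-03-14 09:02:30", "computer": "ws01",
     "event": "process_start",
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    # The same record recovered again from a volume shadow copy of the log.
    {"src": "evtx", "time": "2012-03-14 09:02:30", "computer": "ws01",
     "event": "process_start",
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"src": "prefetch", "last_run": "2012-03-14 09:02:32", "computer": "ws01",
     "exe": "UPDATE.EXE"},
    {"src": "proxy", "ts": "2012-03-14T14:03:00Z", "client": "ws02",
     "url": "http://intranet.example.invalid/news.html"},
]


def normalize(raw):
    """Event normalization: map one source record onto the common schema and
    shift its timestamp to UTC, correcting the measured clock skew."""
    offset_h, skew_s = SOURCE_CLOCKS[raw["src"]]
    if raw["src"] == "proxy":
        ts = datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ")
        host, action, obj = raw["client"], "download", raw["url"].rsplit("/", 1)[-1]
    elif raw["src"] == "evtx":
        ts = datetime.strptime(raw["time"], "%Y-%m-%d %H:%M:%S")
        host, action, obj = raw["computer"], raw["event"], ntpath.basename(raw["image"])
    else:  # prefetch
        ts = datetime.strptime(raw["last_run"], "%Y-%m-%d %H:%M:%S")
        host, action, obj = raw["computer"], "execution", raw["exe"]
    ts = ts.replace(tzinfo=timezone(timedelta(hours=offset_h))).astimezone(timezone.utc)
    ts -= timedelta(seconds=skew_s)  # a fast clock stamps events later than they happened
    return {"ts": ts, "source": raw["src"], "host": host, "action": action,
            "object": obj.lower()}


def deconflict(events):
    """Event deconfliction: collapse copies of the same event (same time, host,
    action and object, whichever source each copy came from) into one."""
    seen, unique = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["ts"], e["host"], e["action"], e["object"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def linked(a, b):
    """Second level correlation rule used here: two events belong to the same
    chain when they concern the same host and the same object."""
    return a["host"] == b["host"] and a["object"] == b["object"]


def build_chain(events):
    """Timeline analysis and chain construction: order the events, then check
    that each one links to the next; the indexes where that fails are the
    broken links an analyst must explain or fill with more evidence."""
    timeline = sorted(events, key=lambda e: e["ts"])
    breaks = [i for i in range(1, len(timeline)) if not linked(timeline[i - 1], timeline[i])]
    return timeline, breaks


def corroborate(events, window=timedelta(seconds=60)):
    """Corroboration: for each event-log process start (primary evidence), look
    for a prefetch last-run (secondary evidence) for the same object on the
    same host within the window (assumed value)."""
    primary = [e for e in events if e["source"] == "evtx" and e["action"] == "process_start"]
    secondary = [e for e in events if e["source"] == "prefetch"]
    return {p["object"]: any(s["host"] == p["host"] and s["object"] == p["object"]
                             and abs(s["ts"] - p["ts"]) <= window for s in secondary)
            for p in primary}


if __name__ == "__main__":
    events = deconflict(normalize(r) for r in RAW_EVENTS)
    timeline, breaks = build_chain(events)
    for i, e in enumerate(timeline):
        mark = "  <-- chain broken before this event" if i in breaks else ""
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S}Z {e['host']:5} {e['source']:9} "
              f"{e['action']:14} {e['object']}{mark}")
    print("corroborated:", corroborate(events))
```

Skipping the skew correction would place the process start after the prefetch run and two and a half minutes after the download, which is why normalization comes before any correlation. The unrelated ws02 record shows up as a break in the chain rather than silently joining it.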


V. Reporting

Description: When the evidence and conclusions are presented

Related blog posts: Overall DF Investigation Process


VI. Archiving

Description: When the long-term storage of case materials occurs

Related blog posts: Overall DF Investigation Process
