Exclusive first look at Coalition’s new cyber claims dataGet the 2024 Cyber Claims Report
Cyber Incident? Get Help

What is Digital Forensics and Incident Response (DFIR)?


The modern science of forensics is grounded in a fundamental idea known as Locard’s exchange principle. Simply stated, the perpetrator of a crime will both leave and take things that can be used as evidence against them. Physical crimes often rely on evidence such as footprints, fibers, or DNA to tie a criminal to the crime scene. In the world of cybercrime, digital forensics is used to gather the same types of evidence that connect a criminal (also known as a threat actor) to a cyber crime. Forensic evidence collection and examination typically starts with incident response (IR), where a security or operations incident, like a system outage, has been reported. Incidents may be caused by unexpected circumstances such as a natural disaster, hardware failure, or cyber criminals.

The process of responding to an incident yields clues as to the root cause of the incident. Hence, we often combine the names digital forensics and incident response (DFIR) to capture the practice of both investigating incidents and capturing any digital forensic evidence relevant to a cyberattack. While cyberattacks can cause cyber incidents, the terms attack, event, and incident all have different meanings in the world of DFIR and information security.

You shall not pass

The practice of IR now relies on automated tools like endpoint detection and response (EDR) software, which runs a small app (called an agent) on workstations and servers to detect suspicious activity like viruses or system intrusions. Rather than simply generating an alert and then waiting for a human to respond, these EDR programs can shorten the response time and help contain a malware outbreak faster and more effectively, reducing the impact on an organization. For example, a ransomware outbreak that is detected on one machine can be analyzed in real-time, and the EDR agents on all other workstations and servers can proactively prevent the ransomware infection from spreading and taking hold. This contains the damage to just a few machines, rather than letting ransomware run rampant through the network. DFIR procedures are typically focused on fixing the immediate problem to restore normal operations, investigating the root cause of the incident, and preventing it from occurring in the future.

Software that works 24x7 and can quickly analyze massive volumes of data can be very advantageous to organizations when attempting to identify the root cause. However, delegating this constant vigilance to a software program also frees up human resources to focus on other challenging problems like social engineering, where the complexity makes software solutions a less than ideal fit.

Delving deep

As part of its monitoring and response duties, an EDR agent is also a constant guard capable of capturing evidence before an incident or attack occurs. EDR agents monitor key elements of an information system like process executions, log files, and system behaviors (startup, shutdown, user logins, etc.). Just as a human guard can monitor the entrance and exit of a building for suspicious activity, the EDR agent can identify if an unexpected or unauthorized system event occurred and record the alert.

This logged data is invaluable for IR activities; it can also be useful for forensic investigations and possibly even litigation if appropriately handled. Digital forensics, just like physical crime scene investigations and evidence handling, is a highly specialized field that requires specific skills and training to acquire expertise. Evidence must be handled to ensure unimpeachable integrity — if it is to be relied upon in a litigation case, it must be free from any tampering or alteration which could render it inadmissible or questionable.

When performing a forensic investigation, a DFIR practitioner will often analyze critical sources of information (forensic artifacts) to reconstruct the events of an incident. These artifacts may include any of the following, looking for either indicators of compromise (IOCs) or to gather the who, what, and when details:

  • Computer filesystems, where timestamps, the presence/absence of files, or even evidence like specific user IDs can be indicative of an attack.

  • Memory forensics, where IOCs can be detected if programs or data are fileless, volatile, or have been manipulated and the information is still held in memory.

  • Log analysis, which can be used to reconstruct the details of an incident or attack, assuming that sufficient information (like user IDs, actions taken, and timestamps) are being logged in the first place.

Partner spotlight: SentinelOne

In addition to being a Coalition partner, SentinelOne is an award-winning cybersecurity leader that provides an endpoint protection and  EDR solution. The speed, sophistication, and scale of cybersecurity threats continue to evolve, far exceeding the capabilities of the first generation endpoint protection and EDR solutions. When attackers pierce prevention measures, detection and response must happen autonomously, in real-time at the endpoint, with or without a network connection. SentinelOne Singularity, a combination of endpoint protection and EDR functionality, provides next-gen prevention and EDR capabilities in a single Sentinel agent to achieve autonomous EPP at machine speed.

During Coalition Security Week 2021, Jared Phipps, SVP of Worldwide Solutions Engineering of SentinelOne, joined us in a fireside chat to discuss how SentinelOne is a strong preventative measure that can replace traditional antivirus solutions for many organizations.

Coalition also leverages SentinelOne to scale incident response. Our in-house incident responders use this EDR tool as the first step in a forensic investigation. Often, SentinelOne will help to guide the forensic team to the attack vector. This is made possible by alerting on suspicious files or behavior.

For example, should a ransomware infection spawn from a malicious document on a workstation, the EDR detection and reporting can shortcut directly to the malicious document, allowing investigators to retrieve deeper artifacts from the targeted endpoint for comprehensive analysis.

Additional tips

Download the Coalition Cybersecurity Guide for more cybersecurity best practices and tips to begin mitigating your organization’s risk.