🕵️‍♂️ DFIR (Digital Forensics & Incident Response)
📖 What is DFIR?
Digital Forensics and Incident Response (DFIR) combines the disciplines of forensics and incident handling.
It focuses on identifying, collecting, analyzing, and preserving digital evidence while responding to security incidents such as intrusions, malware, and insider threats.
📌 Modules Completed
- DFIR: An Introduction
- Windows Forensics 1
- Windows Forensics 2
- Linux Forensics
- Autopsy
- Redline
- KAPE
- Volatility
- Velociraptor
- TheHive Project
- Intro to Malware Analysis
- Unattended
- Disgruntled
- Critical
- Secret Recipe
📄 Reference Material
- Windows Forensics Cheat Sheet (PDF) – Key forensic tools and workflows for Windows systems.
- Linux Forensics Cheat Sheet (PDF) – Important Linux forensics commands, log locations, and investigation tips.
🎯 Skills Gained
- Collecting and analyzing Windows and Linux forensic artifacts
- Using tools like Autopsy, Redline, Volatility, and KAPE for forensic analysis
- Memory forensics and malware triage
- Leveraging Velociraptor for live incident response
- Case management and collaboration using TheHive Project
- Performing end-to-end forensic investigations in simulated incidents
📑 Case Studies
- Unattended (Windows Forensics): Investigated unauthorized access by analyzing Windows event logs, registry hives, and user activity. Read Full Case Study →
- Disgruntled (Insider Threat): Performed forensic analysis of file access and system artifacts to detect data exfiltration by a malicious insider. Read Full Case Study →
- Secret Recipe (Comprehensive DFIR Case): End-to-end investigation of a simulated breach involving malware, insider threat, and lateral movement. Used multiple forensic tools (KAPE, Autopsy, Velociraptor) to collect artifacts, analyze evidence, and report findings. Read Full Case Study →
✅ Lessons Learned
- DFIR investigations require correlating evidence across multiple sources (logs, memory, disk).
- Tools like Autopsy and Redline accelerate analysis but still require analyst interpretation.
- Memory forensics with Volatility is key to uncovering hidden malware activity.
- Collaboration tools like TheHive streamline incident tracking and reporting.
- Simulated case studies (Unattended, Disgruntled, Critical, Secret Recipe) helped build real-world DFIR workflows.
🔗 Navigation
- Back to Portfolio Home