Guide to Integrating Forensic Techniques into Incident Response
NIST Special Publication 800-86 provides guidelines for organizations on establishing and maintaining forensic capabilities for use in internal investigations and for supporting law enforcement. This standard is essential for SOC analysts who need to preserve evidence while responding to incidents.
- Proper evidence handling ensures findings can be used in legal proceedings if needed.
- Standardized procedures ensure all analysts follow the same rigorous methodology.
- Chain of custody and hashing protect evidence from tampering allegations.
- Forensic findings improve future detection and prevention capabilities.
NIST SP 800-86 was published in August 2006 and remains the authoritative guide for digital forensics in incident response. While technology evolves, the principles remain constant.
Digital forensics is not just about tools — it is a disciplined way of thinking. Every action you take on a system changes it. Every file you open modifies its access timestamp. Every command you run creates process artifacts. A forensic investigator must:
- Record every action, every tool used, every decision made. Your notes are evidence too. If you didn't write it down, it didn't happen.
- Before analyzing, preserve. Before preserving, document the current state. The order is: photograph > document > image > analyze. Never skip steps.
- Report what you find, not what you expect to find. Document exculpatory evidence with the same rigor as incriminating evidence. Your job is truth, not prosecution.
- Every transfer of evidence must be documented: who had it, when, why. A broken chain of custody can invalidate months of analysis in court.
As a Tier 1 SOC analyst, you are often the first responder to a security event. Your actions in the first minutes determine whether evidence survives or is destroyed. You may not conduct the full forensic investigation, but you must:
| Activity | Purpose | Critical Consideration |
|---|---|---|
| Identify sources | Locate all relevant data | Volatile data first (RAM, connections) |
| Acquire data | Create forensic copies | Use write blockers, bit-for-bit imaging |
| Verify integrity | Prove data unchanged | Calculate and document hash values |
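The "Verify integrity" row and the chain-of-custody principle above are easy to get wrong in practice, so here is an added example (not from NIST SP 800-86 or any forensic tool) that hashes an evidence image in chunks, records each hand-off with the hash at that moment, and re-verifies the item against the hash taken at acquisition. The evidence id, handler names and the sample image file are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image never has to fit in RAM


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed in chunks (the value to write on the evidence log)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_transfer(log: list, evidence_id: str, path: str, handler: str, action: str) -> dict:
    """Append one chain-of-custody entry: who handled the item, when, why, and its hash then."""
    entry = {
        "evidence_id": evidence_id,
        "handler": handler,
        "action": action,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": hash_file(path),
    }
    log.append(entry)
    return entry


def verify_integrity(log: list, evidence_id: str, path: str) -> bool:
    """True only if the item's current hash matches the hash recorded at acquisition (first entry)."""
    first = next(e for e in log if e["evidence_id"] == evidence_id)
    return hash_file(path) == first["sha256"]


def demo() -> tuple:
    """Constructed walkthrough: a small file stands in for a bit-for-bit disk image."""
    custody = []
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "EVID-0001.dd")  # constructed evidence id and filename
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image contents")
        record_transfer(custody, "EVID-0001", image, "analyst.tier1", "acquired bit-for-bit image")
        record_transfer(custody, "EVID-0001", image, "forensics.tier3", "received for examination")
        intact = verify_integrity(custody, "EVID-0001", image)
        with open(image, "r+b") as f:  # simulate a single byte changed after acquisition
            f.seek(0)
            f.write(b"\x01")
        tamper_detected = not verify_integrity(custody, "EVID-0001", image)
    return intact, tamper_detected, len(custody)


if __name__ == "__main__":
    print(demo())
```

Record the hash on the acquisition entry before the image leaves your hands; every later verification compares against that first value, not against the most recent one.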
Examination transforms raw data into usable information. You never examine the original evidence — always work on forensic copies.
Extract relevant data from acquired images using forensic tools (Autopsy, FTK, EnCase). Filter out system noise to focus on evidence relevant to the investigation scope.
Search slack space (unused bytes at end of file clusters), alternate data streams (NTFS ADS), deleted files in unallocated space, and steganographic content hidden in images.
Build a chronological sequence using MACB timestamps (Modified, Accessed, Changed, Born). Tools like log2timeline/plaso automate super-timeline creation from multiple sources.
File metadata reveals creation dates, authors, GPS coordinates, software used, and revision history. Use ExifTool for images, olevba for Office macros, pdf-parser for PDFs.
| Report Section | Content |
|---|---|
| Executive Summary | High-level findings for management |
| Technical Details | Complete methodology and evidence |
| Timeline | Chronological event reconstruction |
| Conclusions | Findings supported by evidence |
| Recommendations | Actions to prevent recurrence |
Always collect the most volatile evidence first: CPU registers/cache > RAM > Network connections > Running processes > Disk > Logs > Physical media. Data in RAM disappears when power is lost!
- Any confirmed breach requires forensic evidence preservation before remediation.
- Investigations involving employees require legally defensible evidence handling.
- Preserve system state before removal for analysis and IOC extraction.
- Post-incident forensics inform detection improvements.
| Task | Tier 1 | Tier 2/3 |
|---|---|---|
| Preserve volatile data | Know when to escalate | Execute memory capture |
| Document timeline | Initial observations | Full forensic timeline |
| Chain of custody | Protect scene | Formal documentation |
| Analysis | Escalate findings | Deep-dive investigation |
Don't Touch the Evidence! If you suspect a forensic investigation will follow, document what you see but avoid running commands on the affected system. Each command alters timestamps and potentially overwrites evidence. Escalate and let the forensics team handle acquisition.
Test your understanding of NIST SP 800-86. Score 80% or higher to pass.
1. What are the four phases of the NIST forensic process?
2. According to the order of volatility, which should be collected FIRST?
3. Why are hash values calculated during evidence collection?
4. What is the primary purpose of chain of custody documentation?
5. When should a Tier 1 SOC analyst apply NIST 800-86 procedures?