Shield House CASP+ Domain 2

Incident Response & Forensics Lab

Master the IR lifecycle, forensic investigation phases, evidence collection, and analysis tools based on NIST SP 800-61.

NIST Incident Response Life Cycle
REF: NIST SP 800-61R2 — Computer Security Incident Handling Guide
Phase 1: Preparation - harden systems, write policies
Phase 2: Detection & Analysis - identify and triage incidents
Phase 3: Containment - limit scope and magnitude
Phase 4: Eradication & Recovery - remove the cause, restore systems
Phase 5: Post-Incident Activity - lessons learned, improve
Digital Forensics Investigation Phases
Standard forensic methodology for digital evidence handling
1. Identification - secure the scene, identify the scope of the evidence
2. Collection - gather evidence using procedures that will withstand legal scrutiny
3. Analysis - create working copies, verify their integrity
4. Reporting - document methods and findings

Key Forensic Concepts

Chain of Custody

Record of evidence handling from collection through presentation in court. Documentation reinforces integrity.

Forensic Image

Bit-for-bit copy of storage media used for analysis. Original evidence remains preserved.

Hash Verification

Generate file hashes to detect unintended changes and verify evidence integrity.

Memory Dump

Snapshot of RAM contents capturing running processes, passwords, and volatile data.
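The three concepts above (forensic image, hash verification, chain of custody) fit together in one workflow: hash the image at acquisition, log who handled it, and re-hash before every analysis session. The following is an added example written for this page, not Shield House material or any tool's own code. It uses a few kilobytes of constructed bytes as a stand-in for a disk image, a made-up evidence label (CASE-0001-HDD1) and made-up examiner names, and shows what a single changed byte does to verification.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a disk image (a few KB of bytes); not a real forensic image.
SAMPLE_IMAGE_BYTES = b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_IMAGE_BYTES).hexdigest()


def hash_file(path, algorithms=("sha256", "sha1"), chunk_size=1 << 20):
    """Stream the file through each hash so a multi-GB image never has to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class ChainOfCustody:
    """Append-only record of who handled the evidence, when, and what it hashed to."""

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, action, handler, hashes, note=""):
        self.entries.append({
            "evidence_id": self.evidence_id,
            "action": action,
            "handler": handler,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "hashes": dict(hashes),
            "note": note,
        })

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def verify_image(path, expected_hashes):
    """Recompute every recorded hash; True only if all of them still match."""
    current = hash_file(path, algorithms=tuple(expected_hashes))
    ok = all(current[name] == expected_hashes[name] for name in expected_hashes)
    return ok, current


def demo():
    """Acquire, verify, then show what a single changed byte does to verification."""
    with tempfile.TemporaryDirectory() as tmpdir:
        image = os.path.join(tmpdir, "evidence.dd")  # hypothetical image file name
        with open(image, "wb") as f:
            f.write(SAMPLE_IMAGE_BYTES)

        custody = ChainOfCustody("CASE-0001-HDD1")  # constructed evidence label
        acquired = hash_file(image)
        custody.record("acquired", "examiner A", acquired, "bit-for-bit image created")

        ok_before, _ = verify_image(image, acquired)
        custody.record("verified", "examiner B", acquired, "matches acquisition hashes")

        # Flip one byte (media error or tampering) and re-verify: the hashes no longer
        # match, so the image can no longer be relied on as a faithful copy.
        with open(image, "r+b") as f:
            f.seek(4100)
            f.write(b"X")
        ok_after, current = verify_image(image, acquired)
        custody.record("verification-failed", "examiner B", current, "hash mismatch")
        return ok_before, ok_after, custody


if __name__ == "__main__":
    before, after, log = demo()
    print("verified after acquisition:", before, "| verified after modification:", after)
    print(log.to_json())
```

Two hashes are recorded because forensic tooling commonly reports more than one algorithm; the verification step only passes when every recorded digest matches, and the failing verification is itself written into the custody log rather than silently discarded.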

Order of Volatility
REF: RFC 3227 — Guidelines for Evidence Collection and Archiving
1. CPU registers and cache - most volatile; lost within nanoseconds of power loss
2. System memory (RAM) - routing table, ARP cache, process table, kernel statistics
3. Swap / virtual memory - temporary file systems and pagefile contents
4. Persistent storage - HDDs, SSDs, flash drives; file system and free space
5. Remote logging - network topology, monitoring data, SIEM logs
6. Archival media - backups, tapes; least volatile, longest retention

Indicators of Compromise (IOC)

SIEM

Security Information & Event Management — aggregates logs and correlates events across sources

SOAR

Security Orchestration & Automated Response — uses playbooks for automated remediation

IDS/IPS

Creates log entries when rules match. Outputs: Unified, Syslog, CSV, Tcpdump

FIM

File Integrity Monitoring — detects unauthorized changes to critical files

DLP

Data Loss Prevention — enforces data classification and transfer policies

NetFlow

Network flow analysis — metadata and statistics about traffic patterns
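What "aggregates logs and correlates events across sources" means in practice is easiest to see with a rule run over real-looking data. The following is an added example written for this page, not Shield House material or any SIEM product's own rule language. It uses constructed syslog-style sshd lines and constructed NetFlow-style tuples (hosts, users and the TEST-NET IPs 203.0.113.7 and 198.51.100.4 are all made up), applies a brute-force-then-success rule to the auth log, and escalates the alert when a NetFlow record shows a large transfer from the affected host to the same source shortly afterwards.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog style); hosts, users and IPs are made up.
AUTH_LOG = """\
2024-03-01T10:00:01 srv01 sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:03 srv01 sshd[912]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:05 srv01 sshd[913]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:07 srv01 sshd[914]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:09 srv01 sshd[915]: Failed password for root from 203.0.113.7 port 51005 ssh2
2024-03-01T10:00:12 srv01 sshd[916]: Accepted password for root from 203.0.113.7 port 51006 ssh2
2024-03-01T10:05:00 srv01 sshd[920]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:05:30 srv01 sshd[921]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

# Constructed NetFlow-style records: (timestamp, src_host, dst_ip, dst_port, bytes_out)
NETFLOW = [
    ("2024-03-01T10:01:30", "srv01", "203.0.113.7", 443, 25_000_000),
    ("2024-03-01T10:06:00", "srv01", "198.51.100.4", 22, 12_000),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_auth(text):
    """Turn raw sshd lines into events; lines that don't match the pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def brute_force_then_success(events, threshold=5, window=timedelta(seconds=120)):
    """Rule 1: at least `threshold` failures from one source inside `window`,
    followed by an accepted login from that same source."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures that fell out of the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "ssh-bruteforce-success", "severity": "high",
                           "src": ev["src"], "host": ev["host"], "user": ev["user"],
                           "ts": ev["ts"], "failures": len(q)})
    return alerts


def correlate_with_netflow(alerts, flows, min_bytes=10_000_000, window=timedelta(minutes=10)):
    """Rule 2: escalate when the affected host sends a large volume to the alerting
    source within `window` after the suspicious login."""
    escalated = []
    for a in alerts:
        for ts, src_host, dst_ip, dst_port, nbytes in flows:
            fts = datetime.fromisoformat(ts)
            if (src_host == a["host"] and dst_ip == a["src"]
                    and a["ts"] <= fts <= a["ts"] + window and nbytes >= min_bytes):
                escalated.append({**a, "rule": "bruteforce-then-exfil",
                                  "severity": "critical", "bytes_out": nbytes, "dst_port": dst_port})
    return escalated


def run():
    alerts = brute_force_then_success(parse_auth(AUTH_LOG))
    return alerts, correlate_with_netflow(alerts, NETFLOW)


if __name__ == "__main__":
    for a in run()[1]:
        print(a["severity"], a["rule"], a["host"], "<->", a["src"], a["bytes_out"], "bytes")
```

Note how the second source (198.51.100.4) produces no alert: one typo followed by a good login is exactly the benign pattern a threshold is there to suppress, and the NetFlow record for it is far below the volume floor. Thresholds and windows are the knobs a SOC tunes when the false-positive rate is too high.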

Event Classification (Triage)

True positive (correctly identified): alert fired, and it is a real security issue
False positive (incorrectly identified): alert fired, but it is not a real issue
True negative (correctly ignored): no alert, and there is no issue
False negative (missed detection): no alert, but there is a real issue (worst case)
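The four classes above are a confusion matrix, and the useful step beyond the table is turning analyst verdicts into the rates an IR team tracks: precision (how much analyst time the alerts were worth), recall (how many real incidents the detection caught) and false-positive rate. The following is an added example written for this page, not Shield House material; the triage records it scores are constructed, and the event descriptions are made up.

```python
from collections import Counter

# Constructed triage outcomes: what the SIEM did (alert or not) versus what the
# analyst concluded after investigation. Events and verdicts are made up.
TRIAGE_RECORDS = [
    {"event": "ssh brute force from 203.0.113.7", "alert_fired": True, "real_incident": True},
    {"event": "macro document spawned powershell", "alert_fired": True, "real_incident": True},
    {"event": "new local admin account created", "alert_fired": True, "real_incident": True},
    {"event": "authorized vulnerability scan", "alert_fired": True, "real_incident": False},
    {"event": "backup job copied 200 GB offsite", "alert_fired": True, "real_incident": False},
    {"event": "routine patch deployment", "alert_fired": False, "real_incident": False},
    {"event": "user changed own password", "alert_fired": False, "real_incident": False},
    {"event": "dns lookup for cdn host", "alert_fired": False, "real_incident": False},
    {"event": "nightly log rotation", "alert_fired": False, "real_incident": False},
    {"event": "credentials used from new country", "alert_fired": False, "real_incident": True},
]


def classify(alert_fired, real_incident):
    """Map one (alert, truth) pair onto the four triage classes."""
    if alert_fired and real_incident:
        return "TP"
    if alert_fired and not real_incident:
        return "FP"
    if not alert_fired and not real_incident:
        return "TN"
    return "FN"


def triage_summary(records):
    """Count the four classes and derive the rates an IR team tracks over time."""
    counts = Counter(classify(r["alert_fired"], r["real_incident"]) for r in records)
    tp, fp, tn, fn = (counts[k] for k in ("TP", "FP", "TN", "FN"))
    metrics = {
        # Of alerts that fired, how many were real (analyst time well spent)
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        # Of real incidents, how many the detection actually caught
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        # Of benign events, how many raised noise
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }
    # False negatives are the ones nobody saw; list them so each can become a new rule.
    missed = [r["event"] for r in records
              if classify(r["alert_fired"], r["real_incident"]) == "FN"]
    return dict(counts), metrics, missed


if __name__ == "__main__":
    counts, metrics, missed = triage_summary(TRIAGE_RECORDS)
    print(counts)
    print({k: round(v, 3) for k, v in metrics.items()})
    print("missed:", missed)
```

The missed list is the output that matters most for the post-incident phase: every false negative is a detection gap that the lessons-learned review should turn into a new or tuned rule.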

Forensic Analysis Tools

Wireshark - graphical packet capture and protocol analysis
tcpdump - command-line packet capture for Linux
Volatility - memory forensics and analysis framework
exiftool - read and write file metadata
nmap - network discovery and security scanning
Aircrack-ng - Wi-Fi security assessment suite

Incident Response Playbooks

Ransomware: Isolate > Preserve > Analyze > Recover
Data Exfiltration: Notify > Investigate > Contain > Report
Social Engineering: Reset > Replace > Retrain > Monitor