This is a guest post by Jessica Hyde. Jessica is the founder of Hexordia and Adjunct Professor at George Mason University. She is involved in community efforts including HTCIA, DFIR Review, Cyber Sleuths Lab, DFRWS, SWGDE, OSAC, & FSI: Digital Investigations. Previous employment includes Magnet Forensics, Basis Technology, EY, American Systems, and as a veteran of the Marine Corps.
The term Digital Forensics and Incident Response (DFIR) is often used to refer to both the digital forensics and the incident response fields—related but separate areas. Let’s delve into what digital forensics and incident response each are and why they are so often grouped together.
Digital Forensics – The DF in DFIR
Digital forensics describes the collection, analysis, and reporting of electronic evidence. It covers the entire process: from the moment a piece of digital evidence is identified, to the point at which analysis is completed and disseminated for the purpose of being used in court proceedings.
There have been several similar definitions over the years including the following from the National Institute of Standards and Technology (NIST) “The application of science to the identification, collection, examination, and analysis, of data while preserving the integrity of the information and maintaining a strict chain of custody for the data”¹, and from the Scientific Working Group on Digital Evidence (SWGDE) “The process used to acquire, preserve, analyze, and report on evidence using scientific methods that are demonstrably reliable, accurate, and repeatable such that it may be used in judicial proceedings”².
NIST describes two different frameworks for the phases of digital forensics. In the NIST 800-86, the four basic phases described are: collection, examination, analysis, and reporting.¹ More recently, NIST suggests seven steps to a digital forensic investigation, broken down into two larger phases: collection and interpretation. The process starts with collecting potential evidence for the collection phase consisting of the steps:
1. Protect
2. Acquire
3. Ensure
The second phase, interpretation, consists of these steps:
4. Recover
5. Navigate
6. Identify/extract
7. Analyze
These steps are followed by reporting the result in a written report.³ Because the information in digital forensics is intended for judicial purposes, it is critical that the integrity of the data is maintained throughout the steps; that is why a dedicated step, ensure, is called out explicitly.
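One way to make the "ensure" step concrete, as an added example that is not part of the original post: hash the evidence at acquisition, record every custody event with the hash seen at that moment, and re-verify before analysis so that any alteration in custody is detected and logged. The image bytes, item ids and examiner names are constructed placeholders.

```python
"""Evidence integrity for the 'ensure' step (added example, not from the post).
Hash at acquisition, keep a chain-of-custody log, re-verify before analysis."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyRecord:
    """One chain-of-custody entry: who did what, and the hash at that moment."""
    when: str
    actor: str
    action: str
    sha256: str


@dataclass
class Evidence:
    item_id: str
    data: bytes                       # constructed stand-in for an acquired image
    chain: list = field(default_factory=list)

    def digest(self) -> str:
        return hashlib.sha256(self.data).hexdigest()

    def log(self, actor: str, action: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.chain.append(CustodyRecord(stamp, actor, action, self.digest()))


def acquire(item_id: str, data: bytes, examiner: str) -> Evidence:
    """Collection phase (protect, acquire): record the acquisition hash."""
    ev = Evidence(item_id, data)
    ev.log(examiner, "acquired")
    return ev


def ensure(ev: Evidence, examiner: str) -> bool:
    """'Ensure' step: current hash must match the hash recorded at acquisition.
    Logs the outcome either way and returns False if the evidence changed."""
    expected = ev.chain[0].sha256
    ok = ev.digest() == expected
    ev.log(examiner, "verified" if ok else "INTEGRITY FAILURE")
    return ok


# Constructed samples: one image preserved, one altered after acquisition.
intact = acquire("EX-001", b"\x00" * 512 + b"partition-table-placeholder", "examiner_a")
tampered = acquire("EX-002", b"\x00" * 512 + b"partition-table-placeholder", "examiner_a")
tampered.data = tampered.data.replace(b"placeholder", b"modified")  # simulated alteration

if __name__ == "__main__":
    print("EX-001 verified:", ensure(intact, "examiner_b"))    # True
    print("EX-002 verified:", ensure(tampered, "examiner_b"))  # False
    for rec in tampered.chain:
        print(rec.when, rec.actor, rec.action, rec.sha256[:16])
```

In practice the hash is computed by the imaging tool at acquisition and the custody log is kept outside the evidence store, so that an attacker who can alter the image cannot also rewrite the record of its original hash.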
Digital forensics is the more inclusive term for what was commonly previously referred to as computer forensics since this type of evidence was historically found as it pertains to computer crimes. However, nowadays digital evidence is present in most other types of crimes—from murders to drug trafficking to domestic violence to Internet Crimes Against Children (ICAC) (some interesting examples of cases utilizing digital forensics are featured in the podcast Digital Forensics In Real Life [DFIRL]⁴.) As a result, the term digital forensics has gained favor as it includes all forms of electronic evidence from computers to mobile phones, to data in the Cloud, to smartwatches and smart TVs.
There are other terms that one may see related to digital forensics, such as “High-Tech Crime” or “High-Technology Crime”. This is an older term that is still in use today, usually in reference to units in law enforcement departments, like the High-Tech Crime Unit, and the professional association High Technology Crime Investigation Association (HTCIA)⁵. Another phrase is “Digital Evidence” as in the Scientific Working Group on Digital Evidence (SWGDE)⁶ and the Digital Evidence Subcommittee of the NIST Organization of Scientific Area Committees (OSAC) for Forensic Science⁷.
Incident Response – The IR in DFIR
Incident response is the practical mitigation of harm from a computer security event. NIST uses the term “Incident Handling” with a definition shared with incident response: “The mitigation of violations of security policies and recommended practices”⁸. The goal of incident response is to reduce harm to an organization. This harm could take the form of financial loss, reputational loss, data loss or alteration, or the time that a system is down. It is important to remember that not all losses are financial. For example, for a hospital system or a water treatment facility, keeping system downtime from the incident to an absolute minimum may be far more critical. For election systems, the most critical need may be to maintain data integrity. The events themselves could include ransomware, business email compromise (BEC), IP theft, and more.
There are two major frameworks that are utilized in incident response, the NIST framework and the SANS Framework.
The NIST steps are:
- Detection and analysis
- Containment, eradication, and recovery
- Post-incident activity⁸
The SANS Framework steps are:
- Lessons Learned⁹
We can see in both frameworks that there are similar steps. The NIST Computer Security Incident Handling Guide has details about the requirements for an incident response plan.
Incident response can be handled by in-house security teams, outsourced to third-party firms, or a combination of the two. Incident response can involve either corporate environments or organizations such as governments or non-profit organizations. It is important to also remember that there may be legal reporting requirements depending on the jurisdiction and business sector to be considered and may also have a timeliness element.
Digital Forensics Incident Response (DFIR)
We often see the terms digital forensics and incident response grouped together and sometimes abbreviated as DFIR. This is because the tools and methods utilized in digital forensics are often used in incident response. Additionally, incidents being responded to may require notification to law enforcement. NIST reminds us that it is pertinent for incident responders to be trained in and understand digital forensics.¹
With such a close correlation between digital forensics and incident response, it is unsurprising that folks with digital forensics backgrounds sometimes move into incident response roles and vice versa throughout their careers. Both digital forensics and incident response require the collection of data from digital sources and the analysis of that information. However, the end goals are different. In digital forensics, the end goal is to provide digital analysis that can be used in judicial proceedings, whereas in incident response the goal is to reduce the harm to an organization caused by a computer security event.
There are several places where you will see the combined term DFIR utilized. This includes websites, events, and even hashtags that support the community of people that work in both digital forensics and incident response. For example, the websites aboutDFIR and DFIR.training both serve as reference sites with information valuable to both digital forensics professionals and incident responders. There are conferences, like the SANS Institute’s DFIR Summit that have content for both digital forensic examiners and incident responders. The DFIR acronym is so synonymous with the field that #DFIR is the primary hashtag associated with both fields on Twitter and LinkedIn. Folks looking for career opportunities would be wise to look up #DFIRJobs on both platforms¹⁰.
What is important to note in the definition and use cases is that digital forensics is limited to collection and analysis of digital data done in support of court proceedings. This could be an investigation that may go to court, but it does not include investigations or analysis for purposes other than judicial proceedings, such as data retention or data analysis. In some instances, the same tools and skills used by a digital forensics professional may be applied to other tasks, including intelligence analysis and incident response.
Sources of Data
As mentioned, there can be a variety of data sources in DFIR. These sources can include traditional computers, mobile devices, Internet of Things devices, and cloud sources.
Traditional computers would include personal computers (PCs), laptops, and desktops, as well as servers, regardless of operating system (OS); namely, Windows, Linux, and Mac OS. This category also covers storage media such as external hard drives, flash drives, and floppy disks.
Mobile devices would include modern Android and iOS phones as well as legacy feature phones and other smartphones, such as the Pine Phone or Blackphone. This would also include associated storage such as Subscriber Identity Module (SIM) cards and memory cards.
Internet of Things devices could include smartwatches, cameras, vehicles, unmanned aerial vehicles or drones, smart TVs, household appliances, video game systems, smart speakers, biomedical devices such as insulin pumps and pacemakers, connected infrastructure, robotic systems, and more.
Cloud sources could include social media and internet service providers; cloud service providers such as Amazon, AWS, and Azure; and data storage sites such as Dropbox, OneDrive, and iCloud. If data can be electronically stored in a space—physical or virtual—it can be a source of data in an investigation or response.
Digital forensics and incident response are multidisciplinary fields requiring a wide range of skills. The most important and sought-after skills include network forensics, incident handling, system forensics, data recovery, investigation techniques, data acquisition, data analysis, cyber threat intelligence, malware analysis, and cloud forensics¹¹. Analysis may also draw on other skills, such as Open-Source Intelligence (OSINT), depending on the type and scope of an investigation.
There are several great resources for learning digital forensics and incident response skills. Which resource works best for you may depend on where you are in your career and education. While historically folks often wound up in the digital forensics field because they were in a government or law enforcement agency and happened to be good with computers, that is not the case today. Today there are a variety of higher education programs around the world for learning digital forensics and incident response at both the undergraduate and graduate level. In addition to formal schooling, there are a wide variety of classroom-style training programs available online and in person.
In addition to classroom-style programs, there are a variety of web resources for digital forensics. Two resource sites are the previously mentioned DFIR.training and aboutDFIR. There is also a Forensics Start Me page from Kevin Pagano that shares links to forensic tools, cheat sheets, podcasts, and blogs. YouTube channels like DFIR Science and 13 Cubed share detailed explanatory videos. Information from around the community is curated weekly in thisweekin4n6 by Phill Moore. Another way to stay aware of news in the DFIR community as it happens is by following #DFIR on Twitter. Additionally, there are academic peer-reviewed journals that specialize in digital forensics topics, such as Forensic Science International: Digital Investigation and the Journal of Forensic Sciences.
There are a variety of other platforms for discussing digital forensics and incident response with others in the community, including listservs and forums. Forensic Focus has a forum where forensic examiners and incident responders discuss a variety of topics. Multiple community organizations host forums and listservs for their members, including HTCIA, SANS, and the International Association of Computer Investigative Specialists (IACIS). Additionally, there is a Discord server with approximately 10,000 members discussing digital forensics and incident response¹². In addition to virtual environments, there are several conferences that specialize in the digital forensics and incident response space.
Those with or learning digital forensics skills can test their abilities in Capture the Flag contests or CTFs. There are several CTFs in the community including SANS DFIR Netwars Tournaments and annual Magnet Forensics CTFs. Cyber Defenders hosts retired forensics challenges. CTF participants often draft writeups on challenges. Reading those writeups while looking at retired challenges can be very helpful in learning and walking through areas less familiar.
Digital Forensics and Incident Response are two related fields that use similar methods, tools, and procedures for different purposes. While there are many commonalities between Digital Forensics and Incident Response, it is important to remember that they serve different purposes. As such, the application of tools, techniques, and methods may differ depending on whether the intent of the work is the eventuality of court proceedings or the mitigation of harm from a computer security event. It is important for DFIR professionals to recognize these differences as they move from one area to another, to ensure they are using the appropriate best practices. Practitioners should take value from the commonalities between the two fields, but also understand that a best practice in a digital forensics scenario may not be optimal for mitigating harm in an incident response, and vice versa. Digital forensics and incident response will continue to be referenced together because of their strong commonalities, despite their unique missions.
1. NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response https://doi.org/10.6028/NIST.SP.800-86
2. Scientific Working Group on Digital Evidence, Digital and Multimedia Evidence (Digital Forensics) as a Forensic Science Discipline https://drive.google.com/file/d/1OBux0n7VZQe7HSgObwAtmhz5LgwvX0oY/view
3. NISTIR 8354-DRAFT Digital Investigation Techniques: A NIST Scientific Foundation Review https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8354-draft.pdf
4. DFIRL https://www.magnetforensics.com/digital-forensics-in-real-life-podcast/
5. High Technology Crime Investigation Association https://htcia.org/
6. Scientific Working Group on Digital Evidence https://www.swgde.org/
7. The Organization of Scientific Area Committees for Forensic Science Digital Evidence Subcommittee https://www.nist.gov/organization-scientific-area-committees-forensic-science/digital-evidence-subcommittee
8. NIST SP 800-61 Computer Security Incident Handling Guide http://dx.doi.org/10.6028/NIST.SP.800-61r2
9. SANS Incident Handler’s Handbook https://www.sans.org/white-papers/33901/
10. Twitter for #DFIR Professionals https://www.magnetforensics.com/blog/twitter-for-dfir-professionals/
11. Hranický, R., Breitinger, F., Ryšavý, O., Sheppard, J., Schaedler, F., Morgenstern, H., & Malik, S. (2021). What do incident response practitioners need to know? A skillmap for the years ahead. Forensic Science International: Digital Investigation, 37, 301184. https://doi.org/10.1016/j.fsidi.2021.301184
12. A Beginner’s Guide to the Digital Forensics Discord Server https://aboutdfir.com/a-beginners-guide-to-the-digital-forensics-discord-server/