Cyber Forensics & Incident Response

Cyber Forensics and Incident Response (often called DFIR – Digital Forensics & Incident Response) is a critical domain in cybersecurity focused on detecting, responding to, investigating, and preventing cyber attacks.

Cyber Forensics & Incident Response

Cyber (Digital) Forensics

 What is Cyber Forensics?

Cyber Forensics is the process of identifying, collecting, preserving, analyzing, and presenting digital evidence from cyber incidents in a legally admissible manner.

 Objectives:

  • Find what happened
  • Identify how it happened
  • Determine who did it
  • Collect evidence for legal proceedings

Types of Digital Forensics:

  1. Computer Forensics
    • Hard disks, deleted files, logs
  2. Mobile Forensics
    • WhatsApp chats, call logs, app data
  3. Network Forensics
    • Packet capture, traffic analysis (Wireshark)
  4. Cloud Forensics
    • AWS, Google Cloud logs, SaaS data
  5. Malware Forensics
    • Reverse engineering malicious software

Digital Forensics Process:

  1. Identification
    • Detect incident and affected systems
  2. Preservation
    • Secure data (no tampering)
    • Maintain chain of custody
  3. Collection
    • Acquire data using tools (FTK, EnCase, Autopsy)
  4. Examination
    • Recover deleted files, extract artifacts
  5. Analysis
    • Timeline analysis, user activity tracking
  6. Presentation
    • Prepare forensic report for court or organization

CH1: Intro to Digital Forensics - Professor Busch's CFS Resources

Common Tools:

  • FTK (Forensic Toolkit)
  • EnCase
  • Autopsy
  • Magnet AXIOM
  • Cellebrite UFED
  • Wireshark

Incident Response (IR)

Objectives:

  • Stop the attack quickly
  • Reduce damage
  • Recover systems
  • Prevent future incidents

Incident Response Lifecycle:

1. Preparation

  • Security policies
  • Incident Response Team (IRT)
  • Tools & training

2. Detection & Analysis

  • Identify unusual activity
  • Alerts from SIEM, IDS, antivirus
  • Example: Suspicious login, malware detection

View of FINDINGS OF FORENSIC ARTIFACTS FROM APPLE SMARTWATCH: IMPLICATIONS FOR DIGITAL EVIDENCE
							| Journal of Digital Security and Forensics

3. Containment

  • Isolate infected system
  • Block malicious IPs
     Prevent spread

4. Eradication

  • Remove malware
  • Patch vulnerabilities

5. Recovery

  • Restore systems
  • Monitor for reinfection

6. Lessons Learned

  • Analyze incident
  • Improve security

 What is Incident Response?

Incident Response is the structured approach to handling cyber attacks in real time to minimize damage and recover quickly.

Relationship Between Forensics & Incident Response

Incident Response Cyber Forensics
Focuses on stopping attack Focuses on investigation
Real-time action Post-incident analysis
Minimizes damage Provides legal evidence

Segurança e Compliance | Data Guide

Both work together:

  • IR handles “what to do now”
  • Forensics explains “what happened”

Key Concepts You Must Know

  • Chain of Custody → Evidence integrity
  • Volatile vs Non-Volatile Data
  • Live Forensics → Analysis on running system
  • Timeline Analysis → Sequence of events
  • Indicators of Compromise (IoCs)
  • SIEM & SOAR Tools

Follow cyberdeepakyadav.com on

 FacebookTwitterLinkedInInstagram, and YouTube

What's Your Reaction?

like

dislike

love

funny

angry

sad

wow