DFIR: A New Scope

As we reach the end of the third week of our internship in the Munich Cyber Security Program (led by ComCode), we have continued to research the best tools and practices available to help tackle the problem of doing forensics analysis on terabytes worth of data. Due to the lack of complete and publicly available research into big data forensics, we have conducted extensive research into the more broad categories of digital forensics in the hopes to find tools and techniques that may already exist without the “Big Data” label. Categories such as image forensics, malware forensics, threat intelligence, open-source intelligence, IOC/threat hunting, and more were included in our goal to help find or create a solution. As imagined, this ended up being an overwhelming amount of information. The scope was constantly shifting as new things were discovered, ruled out due to time restraints, or were decided to be too broad to be worth pursuing.

Research has been equally divided between the two of us based upon areas of strength (Ian taking care of Malware Analysis and Threat Intelligence, while Kaya handled Hard Drive/RAM Imaging and Artifact Analysis/Management). This has kept us from going off the deep end with niche research we were largely unfamiliar with. It has also allowed for shared reports to be quickly thrown together, reworked into different formats, and delivered in a legible format. The research has ranged from the broad overview of our preferred topics to the minute details of possible tools and duties which are necessary for that particular area of forensic analysis. This has allowed us to easily switch gears into our new project goal; a comprehensive to-do guide for forensic analysts dealing with a Big Data incident.  

The original plan for this summer was to find a working solution for big data in incident response. Daunting from the beginning, it was decided this past week that the best course of action wouldn’t be to “solve” this, but rather to make a to-do guide for incident response analysts when they walk into a case. A rough draft in progress, we have started outlining best practices, known tools, and methodologies, as well as considerations one has to take while handling an incident. Even without the change in the final product, there have been numerous challenges to our research; the biggest being that both of us come from a more criminal law-related forensic background, while this project requires us to think from a true (network) incident response background. We are working on changing the way we think and view things while adapting to a finalized project end goal that originally wasn’t in the cards. What we got out of this week is that you have to be flexible and be able to shake things off as they happen, because in a field as volatile as this, what you read last week is probably already obsolete or proven otherwise.

Follow us for more updates on this project!

For further questions about Munich Cyber Security Program, or this project please feel free to contact mcsp@comcode.de

-Written by Kaya Overholtzer ‘22 //Digital Forensics & Cybersecurity & Ian Eubanks
'21 // Computer & Digital Forensics 
More Partners
The State Of Medical Security
The End: DFIR
Delays and Moving Forward