This post results from the project “DFIR” within the Munich Cyber Security Program (MCSP). The MCSP is a cooperation project between Champlain College and ComCode (Germany). This project focuses on team collaboration and big data handling in large-scale DFIR cases for globally acting business organizations.
We are officially past the halfway point of our internship, and find ourselves discovering new ideas, considerations, and other small tidbits of information that should be added to our final working document. With a topic as broad and unexplored as this, research keeps popping up that both challenges and reinforces our past preconceived notions of what DFIR truly entails on a scale as large as this. Both of us come from strong (criminal) Digital Forensic backgrounds, and we are working to bridge the gap between that and (corporate/enterprise) incident response. This has come with its own set of challenges, as although the two fields share the name DFIR, they have different priorities despite their overlap in actual content.
For my (Kaya’s) work, I have been working to separate the law aspect of investigation from my portions of the document. With a minor in Criminal Law and white-collar crime, my views on the (often lengthy, methodological) procedures of litigation seeped into areas where quick reaction and on-the-spot decision-making are needed instead. For example, I had been working under the impression that forensic images are the ultimate authority in all investigations, but have quickly realized that it is highly impractical to take full-disk images of every computer (over 20,000 in this scenario) and then analyze them individually, when one can instead grab items of interest from each after performing some triage to prioritize the most important systems. This shift in thinking has caused me to challenge some past ideas I held about “proper” procedures, and to see how much of this field is in constant motion because of changes in scope. I have also been working to ensure that every portion of this document has a clear relation to the scenario laid out last week, and that each section answers the question of “what to do” versus “how do you do it?”
For my (Ian’s) work, major overhauls on the documentation of malware analysis during an incident response case have been made. These overhauls include the restructuring of the content to fit within the NIST publications for malware-based incidents. The NIST publication for malware incidents follows the four steps of preparation, detection and analysis, remediation, and post-incident activity. These stages contain information regarding the recommendations, methods, and considerations for DFIR teams during a large-scale malware incident as mentioned in our scenario in the previous blog post.