DFIR: Rise of the Next Step

This post results from the project “DFIR” within the Munich Cyber Security Program (MCSP). The MCSP is a cooperation project between Champlain College and ComCode (Germany). This project focuses on team collaboration and big data handling in large-scale DFIR cases for globally acting business organizations.

Tool testing is in full swing, and we couldn’t be more excited to get moving into some more hands-on work. This past week, we laid out the groundwork for our personalized plans of attack, with each of us taking on a separate project based upon our interests from within the scope of the document. We met up with Professor Ali Hadi to get his expert opinion on the project’s direction and see if he had any recommended avenues to pursue. 

For my (Kaya’s) portion, he recommended I look into a new and upcoming enterprise forensic tool (which will remain unnamed for the time being). Initially, my plan was to create a file server with a long list of programs combined to meet all of the following requirements:

  • Centralized Storage for Disk Images and Files
    • Built-in hashing
    • Built-in indexing of files
    • Built-in auditing
    • The ability for (secure) remote connection 

The original plan was that all of this would be viewable through some form of web portal or dashboard and that an investigator would be able to search for a file/image and get detailed records of the hash when it was uploaded, what other analysts have interacted with it, and if they left any notes. While doing research, I found plenty of programs that, when combined, would meet all of the requirements. I would have to find a way to throw together a dashboard of some sort, but overall I was hopeful that this was approachable and testable within the last month of this internship. Since being introduced to this program, I have learned that a lot of this has already been done through the tool I mentioned already. My research came up pretty empty with comprehensive solutions, which is why I am grateful that Professor Ali was able to point me in this direction. Due to the new status of the tool, public information and reviews are few and far between, making me even more excited to dive into it more and learn the capabilities and limitations of this program. These last few weeks should be challenging, engaging, and educational!

In my (Ian’s) portion, I have been chugging along in research of the malware centralization options available to the consumer market. Much like in Kaya’s portion, these solutions must meet the requirements of:

  • Centralizing and Collaborating with Malware
    • Multiple users need access
    • Securely store and contain the malware samples
    • Be able to search, index, or filter through the malware samples
    • Be able to integrate other software or tools through the use of modular configurations
    • Optional: Have built-in methods of communication
    • Optional: Be able to perform automated analysis

Proceeding forward, I will be testing out some of the programs that meet some or all of the above requirements in virtual machines. These tests will include ease of installation, usability, the potential for remote capabilities, the functionality of the program, and all of the features available. Throughout these tests, I will also be documenting the installation process, what tests I will perform, and the results of said tests. The past few weeks have been riddled with hard work, revisions, and many hours of research. I am excited to be applying this knowledge and moving forward with my portion of the project. 


Follow us for more updates on this project! For further questions about the Munich Cyber Security Program or this project, please feel free to contact mcsp@comcode.de

Written by Kaya Overholtzer ’22 // Digital Forensics & Cybersecurity and Ian Eubanks ’21 // Computer & Digital Forensics
