dfir


DFIR

Investigate security incidents by analyzing event logs, network captures, and filesystem artifacts. Detect and reconstruct AD attack chains.

Techniques

| Domain | Key Capabilities |
|---|---|
| Windows Event Logs | EVTX parsing, Event ID correlation, logon tracking, privilege enumeration |
| Network Forensics | PCAP analysis, NTLM extraction, LLMNR/NBT-NS poisoning detection, relay identification |
| Filesystem Forensics | MFT parsing, Prefetch analysis, VSS artifact recovery, Linux persistence, timeline reconstruction |
| AD Attack Detection | Kerberoasting, AS-REP roasting, NTDS dump, NTLM relay, credential theft |
| Memory Forensics | Volatility3 analysis: process trees, file extraction, SID resolution, command lines |
| Hash Analysis | NTLMv2 hash construction from pcap, offline cracking validation |

Workflow

  1. Inventory evidence — List all artifacts (EVTX, pcap, MFT, prefetch, registry)
  2. Parse structured data — EVTX with python-evtx, pcap with tshark, MFT with analyzeMFT
  3. Identify attack indicators — Key Event IDs, suspicious traffic patterns, anomalous files
  4. Correlate across sources — Match timestamps, IPs, LogonIDs, and process IDs across artifacts
  5. Reconstruct timeline — Build chronological attack chain with UTC timestamps
  6. Answer investigative questions — Map findings to specific incident response queries

Tools

```bash
pip install python-evtx windowsprefetch analyzeMFT
brew install wireshark p7zip hashcat
```

| Tool | Purpose |
|---|---|
| python-evtx | Parse Windows .evtx files |
| tshark | CLI pcap analysis (NTLM, LLMNR, SMB filters) |
| analyzeMFT | Parse NTFS Master File Table |
| windowsprefetch | Parse Windows prefetch files (Windows host only) |
| hashcat | Hash cracking (NTLMv2 mode 5600, Kerberos mode 13100/18200) |
| volatility3 | Memory dump analysis (pstree, filescan, dumpfiles, getsid, cmdline) |
| 7z | Extract AES-encrypted evidence ZIPs |

Quick Reference: Key Event IDs

| Event ID | Log | Indicates |
|---|---|---|
| 4624 | Security | Successful logon (check Type + IP mismatch) |
| 4768 | Security | TGT request (PreAuthType=0 → AS-REP roast) |
| 4769 | Security | TGS request (EncType=0x17 → Kerberoast) |
| 4799 | Security | Group membership enumerated (VSS/ntdsutil) |
| 5140 | Security | Network share accessed |
| 7036 | System | Service state change (VSS start → NTDS dump) |
| 325/326/327 | Application | ESENT database create/detach/close |
| 330 | Application | ESENT database file info |
| 3006/3008 | DNS Client Events | DNS query sent/response received (malicious domain lookups) |
| 106/200 | Task Scheduler | Scheduled task created/executed (persistence via schtasks) |
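An added example (not part of the skill itself) that applies workflow steps 2 to 4 to the 4768/4769 rows above: parse Security-log records in the XML shape python-evtx's `record.xml()` returns (namespace as given under Critical Rules), flag AS-REP roast and Kerberoast candidates, and group them by client IP in time order. The three records are constructed sample data; `_rec` is a helper that builds them.

```python
# Added example, not code from the dfir skill: flag AS-REP roasting and
# Kerberoasting indicators in Security-log records and correlate them by source IP.
# Record XML is the form python-evtx's record.xml() yields; samples are constructed.
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_record(xml_text):
    """Return (event_id, utc_time, {Data Name: value}) for one EVTX record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, when, data

def classify(event_id, data):
    """Map a record to an indicator from the Event ID quick reference, else None."""
    if event_id == 4768 and data.get("PreAuthType") == "0":
        return "AS-REP roast candidate"
    if event_id == 4769 and data.get("TicketEncryptionType", "").lower() == "0x17":
        return "Kerberoast candidate (RC4 service ticket)"
    return None

def find_indicators(records):
    """Return {client_ip: [(utc_time, indicator, target_user), ...]} in time order."""
    hits = defaultdict(list)
    for xml_text in records:
        event_id, when, data = parse_record(xml_text)
        label = classify(event_id, data)
        if label:
            ip = data.get("IpAddress", "?").replace("::ffff:", "")  # drop IPv4-mapped prefix
            hits[ip].append((when, label, data.get("TargetUserName", "?")))
    return {ip: sorted(events) for ip, events in hits.items()}

def _rec(event_id, when, **fields):
    """Build a constructed sample record in the EVTX XML shape."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{data}</EventData></Event>')

SAMPLE_RECORDS = [  # constructed: one benign TGS, one AS-REP roast, one Kerberoast
    _rec(4769, "2024-05-01T09:15:02Z", TargetUserName="jdoe@CORP.LOCAL", ServiceName="krbtgt",
         TicketEncryptionType="0x12", IpAddress="::ffff:10.0.0.5"),
    _rec(4768, "2024-05-01T09:14:40Z", TargetUserName="svc_backup", PreAuthType="0",
         TicketEncryptionType="0x17", IpAddress="::ffff:10.0.0.5"),
    _rec(4769, "2024-05-01T09:16:10Z", TargetUserName="jdoe@CORP.LOCAL", ServiceName="svc_sql",
         TicketEncryptionType="0x17", IpAddress="::ffff:10.0.0.5"),
]
```

With a real export, feed `[r.xml() for r in evtx.Evtx(path).records()]` to `find_indicators`; the benign AES (0x12) TGS request for krbtgt is ignored, the other two records are grouped under 10.0.0.5.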

Reference

Critical Rules

  • Answer formatting: When forensics questions ask for "the value" of a code variable (e.g., PHP $shell), include language-specific string delimiters and terminators (e.g., 'value'; not just value). Check placeholder hints for format clues.
  • For malicious Office OOXML, inspect more than VBA streams: attackers may split staged Base64 or script content across drawing/object descriptors, shared strings, named cells, and hidden UserForm control captions/values.
  • When a VBA byte array starts with an fnstenv/pop decoder stub, convert signed integers to raw bytes and test a Shikata-style rolling XOR decode before treating the shellcode as corrupt.
  • For legacy Excel BIFF/XLS malware, inspect BOUNDSHEET records for hidden or very hidden worksheets and specifically check for Excel 4.0 macro sheets; changing the hidden-state byte or parsing the sheet directly can expose staged strings and flag fragments that never appear in normal workbook views.
  • For webshell traffic in PCAPs, recover static keys from the uploaded server-side code first, then decrypt operator tasking before chasing later payloads; if a dropped XOR key file is referenced by a shellcode stage, verify where the encoded region actually starts instead of XORing the whole blob from offset zero.
  • PowerShell stager pattern (in-place reverse + base64 + IEX): when a stage-1 PS script does [array]::Reverse($charArr) followed by FromBase64String("$charArr"), the -join line is often a red herring — string interpolation of a char array uses $OFS=' ' and FromBase64String tolerates whitespace. Reverse the original base64 string (not the joined-with-spaces version) and decode to get stage 2.
  • Multi-fragment flag exfil: forensic challenges may split a flag across (a) a hardcoded $partN in the malware that is defined but never referenced (often base64'd), and (b) a field of the captured C2 POST body. Decrypt the body with the static AES key from the leaked stage-2 source (PowerShell Encrypt-String puts IV‖ciphertext then base64-wraps); inspect every JSON field for further base64.
  • All timestamps in UTC — convert from local time zones in pcap/logs. AM/PM trap: 12:XX AM = 00:XX (midnight), 12:XX PM = 12:XX (noon). 12 AM ≠ 01:00.
  • Parse EVTX with python-evtx (XML namespace: http://schemas.microsoft.com/win/2004/08/events/event)
  • Use tshark for pcap (not scapy for large files) — filter with -Y display filters
  • Decompress Win10 prefetch (MAM\x04 header) with dissect.util.compression.lzxpress_huffman
  • For AES-encrypted ZIPs (compression method 99), use 7z not unzip
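An added example (not from the skill) for the PowerShell stager rule above: pull the reversed base64 literal out of a stage-1 script, reverse it and decode it to recover stage 2, and show why the `-join` line is a red herring (the `"$charArr"` interpolation only inserts `$OFS` spaces, which the decoder ignores). The stage-1 text is a constructed, benign stand-in for a captured script.

```python
# Added example, not code from the dfir skill: recover stage 2 from a stage-1
# PowerShell stager that reverses a char array and feeds it to FromBase64String.
# STAGE1 is a constructed, benign stand-in for a captured script.
import base64
import re

STAGE2 = "Write-Host 'stage 2 would run here'"  # constructed payload

STAGE1 = f"""$b = '{base64.b64encode(STAGE2.encode()).decode()[::-1]}'
$charArr = $b.ToCharArray()
[array]::Reverse($charArr)
$joined = $charArr -join ''
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("$charArr")))
"""

def extract_reversed_b64(stage1: str) -> str:
    """Pull the single-quoted base64 literal that is later handed to [array]::Reverse."""
    m = re.search(r"^\$(\w+)\s*=\s*'([A-Za-z0-9+/=]+)'", stage1, re.M)
    if not m:
        raise ValueError("no base64 literal found in stage 1")
    return m.group(2)

def recover_stage2(stage1: str) -> str:
    """Reverse the original literal (not a space-joined copy) and base64-decode it."""
    reversed_b64 = extract_reversed_b64(stage1)
    return base64.b64decode(reversed_b64[::-1]).decode("utf-8")

def interpolated_form(chars: str) -> str:
    """What "$charArr" expands to in PowerShell: elements joined with $OFS, a space."""
    return " ".join(chars)

def decode_interpolated(spaced: str) -> str:
    """FromBase64String skips whitespace, so the spaced copy yields the same stage 2."""
    return base64.b64decode(spaced.replace(" ", "")).decode("utf-8")
```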
First Seen: Apr 20, 2026