DFIR stands for Digital Forensics and Incident Response. This field covers the collection of forensic artifacts from digital devices such as computers, media devices, and smartphones to investigate an incident. This field helps Security Professionals identify footprints left by an attacker when a security incident occurs, use them to determine the extent of compromise in an environment, and restore the environment to the state it was before the incident occurred.

DFIR helps security professionals in various ways, some of which are summarized below:

• Finding evidence of attacker activity in the network and sifting false alarms from actual incidents.
• Robustly removing the attacker, so their foothold from the network no longer remains.
• Identifying the extent and timeframe of a breach. This helps in communicating with relevant stakeholders.
• Finding the loopholes that led to the breach. What needs to be changed to avoid the breach in the future?
• Understanding attacker behavior to pre-emptively block further intrusion attempts by the attacker.
• Sharing information about the attacker with the community.

As the name suggests, DFIR requires expertise in both Digital Forensics and Incident Response. Dividing these two fields this way, the following skillset is needed to become a DFIR professional:

• Digital Forensics: These professionals are experts in identifying forensic artifacts or evidence of human activity in digital devices.
• Incident Response: Incident responders are experts in cybersecurity and leverage forensic information to identify the activity of interest from a security perspective.****

DFIR professionals know about Digital Forensics and cybersecurity and combine these domains to achieve their goals. Digital Forensics and Incident Response domains are often combined because they are highly interdependent. Incident Response leverages knowledge gained from Digital Forensics. Similarly, Digital Forensics takes its goals and scope from the Incident Response process, and the IR process defines the extent of forensic investigation.

Basics Concepts of DFIR

Artifacts:

Artifacts are pieces of evidence that point to an activity performed on a system. When performing DFIR, artifacts are collected to support a hypothesis or claim about attacker activity. For example, if we are to claim that the attacker used Windows registry keys to maintain persistence on a system, we can use the said registry key to support our claim. In this case, the mentioned registry key will be considered an artifact. Artifact collection is, therefore, an essential part of the DFIR process. Artifacts can be collected from the Endpoint or Server's file system, memory, or network activity.