What is digital forensics and incident response (DFIR)?

What is DFIR?

Digital forensics and incident response, or DFIR, combines two cybersecurity fields to streamline threat response while preserving evidence against cybercriminals.

DFIR integrates two discrete cybersecurity disciplines: Digital forensics, the investigation of cyberthreats, primarily to gather digital evidence for litigating cybercriminals; and incident response, the detection and mitigation of cyberattacks in progress. Combining these two disciplines helps security teams stop threats faster, while preserving evidence that might otherwise be lost in the urgency of threat mitigation.

Think Newsletter

Would your team catch the next zero-day in time?

Join security leaders who rely on the Think Newsletter for curated news on AI, cybersecurity, data and automation. Learn fast from expert tutorials and explainers—delivered directly to your inbox. See the IBM Privacy Statement.

Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.

https://www.ibm.com/privacy

What is digital forensics?

Digital forensic experts investigate and reconstruct cybersecurity incidents by collecting, analyzing and preserving digital evidence—traces left behind by threat actors, such as malware files and malicious scripts. These reconstructions allow experts to pinpoint the root causes of attacks and identify the culprits.

Digital forensic investigations follow a strict chain of custody or formal process for tracking how evidence is gathered and handled. The chain of custody allows investigators to prove that evidence wasn’t tampered with. As a result, evidence from digital forensics investigations can be used for official purposes like court cases, insurance claims, and regulatory audits.

The National Institute of Standards and Technology (NIST)  outlines four steps for digital forensic investigations:

1.Data collection

After a breach, forensic investigators collect data from operating systems, user accounts, mobile devices and any other hardware and software assets that threat actors may have accessed. Common sources of forensic data include:

  • File system forensics: Data found in files and folders that are stored on endpoints.
  • Memory forensics: Data found in a device’s random access memory (RAM).
  • Network forensics: Data found by examining network activity like web browsing and communications between devices.
  • Application forensics: Data found in the logs of apps and other software.

To preserve evidence integrity, investigators make copies of data before processing it. They secure the originals so that they cannot be altered and the rest of the investigation is carried out on the copies.
2.Examination

Investigators comb through the data for signs of cybercriminal activity, such as phishing emails, altered files and suspicious connections.
3.Analysis

Investigators use forensic techniques to process, correlate, and extract insights from digital evidence. Investigators may also reference proprietary and open-source threat intelligence feeds to link their findings to specific threat actors.
4.Reporting

Investigators compile a report that explains what happened during the security event and, if possible, identifies suspects or culprits. The report may contain recommendations for thwarting future attacks. It can be shared with law enforcement, insurers, regulators and other authorities.
Security Intelligence | 14 January | Episode 16

Your weekly news podcast for cybersecurity pros

Whether you're a builder, defender, business leader or simply want to stay secure in a connected world, you'll find timely updates and timeless principles in a lively, accessible format. New episodes on Wednesdays at 6am EST.
Watch the latest podcast episode

What is incident response?

Incident response focuses on detecting and responding to security breaches. The goal of incident response is to prevent attacks before they happen and to minimize the cost and business disruption of attacks that occur.

Incident response efforts are guided by incident response plans (IRP), which outline how the incident response team should deal with cyberthreats. The incident response process has six standard steps:

  1. Preparation: Preparation is the ongoing process of assessing risks, identifying and remediating vulnerabilities (vulnerability management) and drafting IRPs for different cyberthreats.

  2. Detection and analysis: Incident responders monitor the network for suspicious activity. They analyze data, filter out false positives and triage alerts.

  3. Containment: When a breach has been detected, the incident response team takes steps to stop the threat from spreading through the network.

  4. Eradication: Once the threat has been contained, incident responders remove it from the network—for example, by destroying ransomware files or booting a threat actor from a device.

  5. Recovery: Once incident responders have removed all traces of the threat, they restore damaged systems to normal operations.

  6. Post-incident review: Incident responders review the breach to understand how it happened and prepare for future threats. 

Benefits of DFIR

When digital forensics and incident response are conducted separately, they can interfere with one another. Incident responders can alter or destroy evidence while removing a threat from the network, and forensic investigators may delay threat resolution as they search for evidence. Information may not flow between these teams, making everyone less efficient than they could be.

DFIR fuses these two disciplines into a single process carried out by one team. This yields two important advantages:

Forensic data collection happens alongside threat mitigation. During the DFIR process, incident responders use forensic techniques to collect and preserve digital evidence while they’re containing and eradicating a threat. This ensures that the chain of custody is followed and valuable evidence isn’t altered or destroyed by incident response efforts.

Post-incident review includes examination of digital evidence. DFIR uses digital evidence to dive deeper into security incidents. DFIR teams examine and analyze the evidence they’ve gathered to reconstruct the incident from start to finish. The DFIR process ends with a report detailing what happened, how it happened, the full extent of the damage and how similar attacks can be avoided in the future.

Resulting benefits include:

  • More effective threat prevention. DFIR teams investigate incidents more thoroughly than traditional incident response teams do. DFIR investigations can help security teams better understand cyberthreats, create more effective incident response playbooks and stop more attacks before they happen. DFIR investigations can also help streamline threat hunting by uncovering evidence of unknown active threats.

  • Little or no evidence is lost during threat resolution. In a standard incident response process, incident responders may err in the rush to contain the threat. For example, if responders shut down an infected device to contain the spread of a threat, any evidence that is left in the device’s RAM will be lost. Trained in both digital forensics and incident response, DFIR teams are skilled at preserving evidence while resolving incidents.

  • Improved litigation support. DFIR teams follow the chain of custody, which means the results of DFIR investigations can be shared with law enforcement and used to prosecute cybercriminals. DFIR investigations can also support insurance claims and post-breach regulatory audits.

  • Faster, more robust threat recovery. Because forensic investigations are more robust than standard incident response investigations, DFIR teams may uncover hidden malware or system damage that would have otherwise gone overlooked. This helps security teams eradicate threats and recover from attacks more thoroughly.

DFIR tools and technologies

In some companies, an in-house computer security incident response team (CSIRT), sometimes called a computer emergency response team (CERT), handles DFIR. CSIRT members may include the chief information security officer (CISO), security operations center (SOC) and IT staff, executive leaders and other stakeholders from across the company.

Many companies lack the resources to carry out DFIR on their own. In that case, they may hire third-party DFIR services that work on retainer.

Both in-house and third-party DFIR experts use the same DFIR tools to detect, investigate and resolve threats. These include:

  • Endpoint detection and response (EDR): EDR integrates endpoint security tools and uses real-time analytics and AI-driven automation to protect organizations against cyberthreats that get past antivirus software and other traditional endpoint security technologies.

  • Extended detection and response (XDR): XDR is an open cybersecurity architecture that integrates security tools and unifies security operations across all security layers—users, endpoints, email, applications, networks, cloud workloads and data. By eliminating visibility gaps between tools, XDR helps security teams to detect and resolve threats faster and more efficiently, limiting the damage that they cause.
Related solutions
Data security and protection solutions

Protect data across multiple environments, meet privacy regulations and simplify operational complexity.

         Explore data security solutions
    IBM Guardium

    Discover IBM Guardium, a family of data security software that protects sensitive on-premises and cloud data.

     

             Explore IBM Guardium
      Data security services

      IBM provides comprehensive data security services to protect enterprise data, applications and AI.

             Explore data security services
      Take the next step

      Protect your data across its lifecycle with IBM Guardium. Secure critical enterprise data from both current and emerging risks, wherever it lives.

             Explore IBM Guardium Book a live demo