# Incident Response

## When to Activate

- Active security incident requiring investigation
- Memory forensics and artifact extraction
- Disk forensics and timeline reconstruction
- Malware containment and eradication
- Post-incident analysis and reporting
## IR Phases

### 1. Identification & Scoping

```bash
# Determine scope of compromise
# Key questions:
# - What systems are affected?
# - What's the initial access vector?
# - How long has the attacker been present?
# - What data may be compromised?
# - Is the attacker still active?

# Quick triage: run Sigma rules over exported Windows event logs, then build a CSV timeline
chainsaw hunt /path/to/evtx/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml
hayabusa csv-timeline -d /path/to/evtx/ -o timeline.csv
```
### 2. Evidence Collection

```bash
# Memory acquisition (before anything else: it is the most volatile evidence)
# Windows: winpmem, DumpIt, FTK Imager
# Linux: LiME (insmod lime.ko "path=/evidence/mem.lime format=lime")

# Disk imaging (hash the image afterwards and record the hash for chain of custody)
dd if=/dev/sda of=/evidence/disk.img bs=4M status=progress
# Or: FTK Imager, dc3dd for forensic imaging

# Log collection
# Windows: Event logs, Sysmon, PowerShell logs
# Linux: /var/log/auth.log, /var/log/syslog, journalctl
# Network: PCAP, NetFlow, DNS logs, proxy logs
# Cloud: CloudTrail, Azure Activity Log, GCP Audit Log

# Volatile data (collect before shutdown; note that every command run on the host changes its state)
# - Running processes (ps aux / tasklist)
# - Network connections (netstat -anp / Get-NetTCPConnection)
# - Logged-in users (w / query user)
# - Open files (lsof / handle.exe)
# - Loaded modules (lsmod / listdlls)
```
### 3. Memory Forensics (Volatility 3)

```bash
# Process analysis
vol3 -f mem.raw windows.pslist
vol3 -f mem.raw windows.pstree
vol3 -f mem.raw windows.cmdline
vol3 -f mem.raw windows.netscan

# Malware detection
vol3 -f mem.raw windows.malfind          # injected code
vol3 -f mem.raw windows.hollowprocesses  # process hollowing
vol3 -f mem.raw windows.svcscan          # suspicious services

# Credential extraction (to scope what the attacker could have taken)
vol3 -f mem.raw windows.hashdump
vol3 -f mem.raw windows.lsadump
vol3 -f mem.raw windows.cachedump

# File extraction
vol3 -f mem.raw windows.dumpfiles --pid PID
vol3 -f mem.raw windows.filescan | grep -i "suspicious"   # replace "suspicious" with the name/path you are hunting

# Linux memory
vol3 -f mem.raw linux.pslist
vol3 -f mem.raw linux.bash           # bash history from memory
vol3 -f mem.raw linux.check_syscall  # rootkit detection
```
### 4. Timeline Analysis

```bash
# Plaso/log2timeline (super timeline)
log2timeline.py --storage-file /evidence/timeline.plaso /evidence/disk.img
psort.py -o l2tcsv /evidence/timeline.plaso -w timeline.csv

# Filter timeline around incident window
# --slice_size is in minutes (default 5), so 72 keeps events within 72 minutes of the slice time
psort.py -o l2tcsv /evidence/timeline.plaso \
  --slice "2026-05-15T00:00:00" --slice_size 72 \
  -w incident_window.csv

# Key artifacts for timeline:
# - $MFT (file creation/modification)
# - Prefetch (program execution)
# - Amcache (program installation)
# - ShimCache (program execution)
# - USN Journal (file changes)
# - Event logs (logon, process creation, service install)
# - Browser history (initial access)
# - Registry (persistence, configuration)
```
### 5. Containment

```bash
# Network isolation
# - Block C2 IPs/domains at firewall
# - Isolate affected hosts (VLAN change, host firewall)
# - Disable compromised accounts
# - Revoke compromised credentials/tokens

# Endpoint containment
# - Kill malicious processes
# - Remove persistence mechanisms
# - Block malicious hashes (AppLocker, WDAC)
# - Deploy EDR containment (isolate host)

# Cloud containment
# - Revoke IAM keys
# - Disable compromised service accounts
# - Block malicious IPs in security groups
# - Enable enhanced logging
```
### 6. Eradication & Recovery

```bash
# Remove all attacker artifacts:
# - Malware binaries
# - Persistence mechanisms (registry, scheduled tasks, services)
# - Backdoor accounts
# - Modified system files
# - Webshells

# Verify clean state:
# - Full AV/EDR scan
# - Integrity check against known-good baseline
# - Review all persistence locations
# - Check for additional backdoors

# Recovery:
# - Restore from clean backups (pre-compromise)
# - Rebuild compromised systems
# - Reset all credentials
# - Patch exploited vulnerabilities
# - Enhance monitoring
```
## IOC Extraction

```bash
# Network IOCs
# - C2 IP addresses and domains
# - User-Agent strings
# - JA3/JA4 hashes
# - URI patterns
# - DNS query patterns

# Host IOCs
# - File hashes (MD5, SHA256)
# - File paths and names
# - Registry keys/values
# - Mutex names
# - Service names
# - Scheduled task names
# - Named pipes

# Behavioral IOCs
# - Process trees (parent-child relationships)
# - Command-line patterns
# - Network connection patterns
# - File access patterns
```
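To turn raw triage output into the structured network and host indicator list above, here is an added Python example (not from the original page). The sample netscan/cmdline lines, the internal address ranges and the TLD allow-list are constructed assumptions to be tuned per environment.

```python
import ipaddress
import json
import re

# Assumption: these ranges are internal and never reported as network IOCs (tune per environment)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: a short TLD allow-list keeps file names such as svch0st.exe out of the domain list
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|xyz|top|ru|info)\b", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

def is_external(ip: str) -> bool:
    """True for a syntactically valid address outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # the loose regex also matches e.g. 999.1.1.1
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def defang(value: str) -> str:
    """Make an indicator non-clickable before it goes into a report or ticket."""
    return value.replace(".", "[.]").replace("http", "hxxp")

def extract_iocs(text: str) -> dict:
    """Return defanged network IOCs and hashes typed by length, deduplicated and sorted."""
    ips = {m for m in IP_RE.findall(text) if is_external(m)}
    domains = {m.lower() for m in DOMAIN_RE.findall(text)}
    hashes = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in HASH_RE.findall(text):
        hashes[HASH_TYPES[len(h)]].add(h.lower())
    return {
        "network": {"ips": sorted(defang(i) for i in ips),
                    "domains": sorted(defang(d) for d in domains)},
        "host": {kind: sorted(vals) for kind, vals in hashes.items()},
    }

# Constructed sample in the shape of windows.netscan / windows.cmdline output plus two hashes
SAMPLE = """
0x9e1b2a0 TCPv4 10.0.0.15 49712 203.0.113.45 443 ESTABLISHED 4120 svch0st.exe
0x9e1b4c0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 876 svchost.exe
4120 svch0st.exe C:\\Users\\Public\\svch0st.exe --server update.example-cdn.top
md5 d41d8cd98f00b204e9800998ecf8427e sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE), indent=2))
```

Feed it the saved output of the vol3 plugins above (netscan, cmdline, filescan) rather than the constructed sample to build the IOC section of the report.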
## Reporting Template

```markdown
## Incident Report: [Title]

### Executive Summary
[1-2 paragraphs: what happened, impact, current status]

### Timeline
| Time (UTC) | Event | Source | Details |
|------------|-------|--------|---------|
| ... | ... | ... | ... |

### Attack Chain (MITRE ATT&CK)
- Initial Access: [technique]
- Execution: [technique]
- Persistence: [technique]
- ...

### Affected Systems
| Host | Role | Compromise Level | Status |
|------|------|------------------|--------|
| ... | ... | ... | ... |

### IOCs
[Structured list of all indicators]

### Root Cause
[What allowed the attack to succeed]

### Recommendations
1. Immediate actions
2. Short-term improvements
3. Long-term strategic changes

### Lessons Learned
[What went well, what didn't, process improvements]
```
## Advanced: Memory Forensics Deep Dive

### Volatility 3 Advanced Plugins

```bash
# Rootkit detection
vol3 -f mem.raw windows.ssdt       # System Service Descriptor Table hooks
vol3 -f mem.raw windows.callbacks  # Kernel callback modifications
vol3 -f mem.raw windows.driverirp  # IRP hook detection
vol3 -f mem.raw windows.modscan    # Hidden kernel modules (pool scan finds unlinked modules)

# Process injection detection
vol3 -f mem.raw windows.malfind              # Executable, non-image memory (injected code)
vol3 -f mem.raw windows.hollowprocesses      # Process hollowing detection
vol3 -f mem.raw windows.vadinfo --pid PID    # Virtual Address Descriptor analysis

# Network forensics from memory
vol3 -f mem.raw windows.netstat  # Active and closed connections
vol3 -f mem.raw windows.netscan  # Scan for connection objects

# Registry from memory (may contain keys deleted from disk)
vol3 -f mem.raw windows.registry.hivelist
vol3 -f mem.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Extracting executables from memory
vol3 -f mem.raw windows.pslist --pid PID --dump   # Dump process executable
vol3 -f mem.raw windows.dlllist --pid PID --dump  # Dump loaded DLLs

# Hunting for specific IOCs in plugin output (grep over command lines)
vol3 -f mem.raw windows.cmdline | grep -i "powershell\|cmd\|certutil"
vol3 -f mem.raw windows.envars --pid PID  # Environment variables
```
### Linux Memory Forensics

```bash
# Linux-specific analysis
vol3 -f mem.raw linux.pslist    # Process list
vol3 -f mem.raw linux.pstree    # Process tree
vol3 -f mem.raw linux.bash      # Bash history from memory
vol3 -f mem.raw linux.lsof      # Open files
vol3 -f mem.raw linux.sockstat  # Network sockets

# Rootkit detection
vol3 -f mem.raw linux.check_syscall   # Syscall table hooks
vol3 -f mem.raw linux.check_modules   # Hidden kernel modules
vol3 -f mem.raw linux.tty_check       # TTY hooks (keystroke capture)
vol3 -f mem.raw linux.hidden_modules  # Modules removed from list

# eBPF program detection (modern rootkits)
vol3 -f mem.raw linux.check_syscall   # Only reports syscall table hooks; it does not enumerate eBPF programs
# Manual: scan for BPF program structures in memory
# Look for: bpf_prog structures, BPF maps
```
### Memory Analysis Methodology

```bash
# Systematic approach for memory forensics:

# 1. Process Analysis (first pass)
# - List all processes → identify unknown/suspicious
# - Check parent-child relationships → spot reparenting
# - Look for: processes with unusual parents, multiple instances
#   of unique processes, process name typosquatting (svchost vs svch0st)

# 2. Network Analysis (connections from memory)
# - Active connections → identify C2
# - Closed connections → hist
```
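The process-analysis first pass above (unusual parents, duplicate singleton processes, typosquatted names) can be automated over pslist output. This is an added Python example, not from the original page; the expected-parent baseline is a simplified assumption and the process list is constructed.

```python
from collections import Counter

# Assumption: simplified baseline of expected parent per core Windows process
EXPECTED_PARENT = {
    "svchost.exe": "services.exe", "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe", "wininit.exe": "smss.exe", "csrss.exe": "smss.exe",
}
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}  # exactly one instance expected
KNOWN = set(EXPECTED_PARENT) | {"smss.exe", "explorer.exe", "winlogon.exe"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; distance 1 to a known name suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(procs):
    """procs: (pid, ppid, name) tuples as read from pslist. Returns (pid, name, reason) findings."""
    name_of = {pid: name.lower() for pid, _, name in procs}
    counts = Counter(name_of.values())
    findings = []
    for pid, ppid, name in procs:
        n = name.lower()
        parent = name_of.get(ppid)  # None: parent has exited or was never listed
        if n not in KNOWN:
            for k in KNOWN:
                if edit_distance(n, k) == 1:
                    findings.append((pid, n, f"name is one edit away from {k}"))
        if n in EXPECTED_PARENT and parent != EXPECTED_PARENT[n]:
            findings.append((pid, n, f"parent {parent or 'missing'}, expected {EXPECTED_PARENT[n]}"))
        if n in SINGLETONS and counts[n] > 1:
            findings.append((pid, n, f"{counts[n]} instances, expected 1"))
    return findings

# Constructed sample process list: three anomalies planted among a normal boot chain
PROCS = [
    (4, 0, "System"), (400, 4, "smss.exe"), (520, 400, "csrss.exe"),
    (600, 400, "wininit.exe"), (700, 600, "services.exe"), (720, 600, "lsass.exe"),
    (876, 700, "svchost.exe"), (3100, 2900, "explorer.exe"),
    (4120, 3100, "svch0st.exe"),  # typosquatted name, spawned by explorer
    (4300, 3100, "svchost.exe"),  # genuine name but wrong parent
    (4400, 700, "lsass.exe"),     # second lsass.exe, wrong parent
]
if __name__ == "__main__":
    for pid, name, reason in triage(PROCS):
        print(f"PID {pid} {name}: {reason}")
```

Parse the real `vol3 ... windows.pslist` output into the same (pid, ppid, name) tuples and extend the baseline with your own environment's expected parents before trusting the results.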