I don’t like checklists in #DFIR.
Rather, I don’t like how checklists are used in #DFIR. Too often, they’re used as a replacement for learning and knowledge, and looked at as, “…if I do just this, I’m good…”. Nothing could be further from the truth, which is why even in November 2023, we still see analysts retrieving just the Security, Application, and System Event Logs from Windows 10 & 11 endpoints.
I’m also not a fan of lists in #DFIR. Rather than a long list of links with no context or insight, I’d much rather see just a few links with descriptions of how useful they are (or, they aren’t, as the case may be…), and how they were incorporated into an analysis workflow.
SRUM DB
Shanna Daly recently shared some excellent content regarding SRUMDB, excellent in the sense that it was not only enjoyable to read, but it was thorough in its content, particularly regarding the fact that the database contents are written on an hourly basis. As such, this data source is not a good candidate for being included in a timeline, but it is an excellent pivot point.
This is where timelines and artifact constellations cross paths, and lay a foundation for validation of findings. Most analysts are familiar with ShimCache and AmCache artifacts, but many still mistakenly believe that these are “evidence of execution”; in fact, the recently published Windows Forensics Analysts Field Guide states this, as well. So, what happens is that analysts will see an entry in either artifact for apparent malware and declare victory, basing their finding on that one artifact, in isolation. All either of these artifacts tells us definitively is that the file existed on the endpoint; we need additional information, other elements of the constellation, to confirm execution. So, there are Prefetch files…unless you’re examining a server. One place to pivot to for validation is the SRUM DB, which Shanna does a thorough job of addressing and describing.
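As an added illustration of the constellation idea (my own example code, not from this post or from Shanna's write-up), here is a small validator that refuses to call a ShimCache or AmCache hit "execution" until a Prefetch, SRUM or event-log record for the same path corroborates it, and turns a SRUM hit into the hour-long pivot window its flush cadence implies. The artifact categories, record layout and sample entries are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed classification for this example (not a tool's own schema).
EXISTENCE_ONLY = {"shimcache", "amcache"}      # prove the file was present, nothing more
EXECUTION = {"prefetch", "srum", "evtx_4688"}  # record the program actually running
SRUM_FLUSH = timedelta(hours=1)                # SRUM contents are written roughly hourly


@dataclass(frozen=True)
class Observation:
    source: str    # artifact the record came from (lower-case key from the sets above)
    path: str      # executable path as that artifact recorded it
    ts: datetime   # timestamp carried by that record (UTC)


def srum_pivot_window(ts):
    """A SRUM timestamp marks an hourly flush, not the moment of execution, so use
    the record as a pivot into the preceding hour of other sources (Prefetch, event
    logs, timeline) rather than as a precise timeline entry."""
    return ts - SRUM_FLUSH, ts


def validate_execution(path, observations):
    """Classify a suspected path by the artifact constellation around it.
    Returns (verdict, sorted source names, SRUM pivot windows)."""
    hits = [o for o in observations if o.path.lower() == path.lower()]
    if not hits:
        return "not_found", [], []
    sources = sorted({o.source for o in hits})
    execution = [o for o in hits if o.source in EXECUTION]
    if not execution:
        # ShimCache/AmCache alone: the file existed; execution is still unconfirmed
        return "existence_only", sources, []
    windows = [srum_pivot_window(o.ts) for o in execution if o.source == "srum"]
    return "execution_corroborated", sources, windows


# Constructed sample records, not real case data. A server has no Prefetch, so
# dropper.exe is seen only in ShimCache; update.exe also appears in SRUM.
FLUSH_TIME = datetime(2023, 11, 14, 9, 0)
SAMPLE = [
    Observation("shimcache", r"C:\Users\Public\update.exe", datetime(2023, 11, 13, 22, 17)),
    Observation("amcache",   r"C:\Users\Public\update.exe", datetime(2023, 11, 13, 22, 17)),
    Observation("srum",      r"C:\Users\Public\update.exe", FLUSH_TIME),
    Observation("shimcache", r"C:\Temp\dropper.exe",        datetime(2023, 11, 12, 8, 5)),
]

if __name__ == "__main__":
    for p in (r"C:\Temp\dropper.exe", r"C:\Users\Public\update.exe"):
        print(p, validate_execution(p, SAMPLE))
```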
Dev Drive
Grzegorz recently tweeted regarding Windows “dev drive” (This article has been indexed from Windows Incident Response