What Is DFIR (Digital Forensics and Incident Response)?

Learn how advanced digital forensics and incident response, supported by the right investigative tools, can help organizations recover from cyber events and improve their overall defenses.


What is DFIR?

Digital forensics and incident response (DFIR) refers to an extended process of investigating, remediating, documenting, reporting, and analyzing the causes and effects of a cyber incident. As the name suggests, it is a combination of two interdependent areas of expertise, and it may be the responsibility of a single team or a combination of stakeholders.

Digital forensics involves the discovery, collection, preservation, and analysis of all relevant evidence of a cyber crime. The areas of search may include devices, network traffic and logs, hard drives, memory cards, or cloud environments: basically anything that might yield evidence of how criminals or malicious insiders accessed a company's digital environment and what they did afterwards.

Incident response refers to the task of preparing for a breach, responding immediately to an intrusion once detected, containing damage and confirming that bad actors no longer have access, restoring affected systems, and repairing any weaknesses exploited by the attackers.


Why DFIR is important

DFIR is an important discipline that requires advanced tools and expertise. The evidence that's pulled together through DFIR may be required in legal, insurance, or regulatory investigations following a security breach or cyber attack. Increasingly, it requires specialized teams or security operations centers (SOCs) that can employ sophisticated tools, such as network detection and response (NDR) or extended detection and response (XDR). Historically considered a reactive process, DFIR is now regarded as an essential part of an overall cybersecurity preparation strategy.

Rapid, efficient, and thorough response to a cyber breach is essential, but it is only one step in the larger process that is DFIR, which must be methodical as well as forward-thinking.

DFIR also helps the organization in these areas:

  • Criminal investigation. The evidence collected through digital forensics and incident response can provide the basis for law enforcement action against criminals whose actions result in data theft, identity theft, or financial losses. DFIR analysis of preserved electronic data can uncover evidence that can aid in apprehending or prosecuting bad actors.
  • Regulations and compliance. Companies in many industries are subject to regulations around their use and protection of data and the security controls they deploy. DFIR can help demonstrate that a company was in compliance despite a breach, or show they are applying due diligence to their remediation efforts.
  • Protection of intellectual property. Digital forensics and incident response can establish exactly what data was compromised in a breach, or make the case for better digital protection of a company's most valuable intellectual property assets.
  • Understanding the incident. Security teams use the DFIR process to piece together details of a breach: the attackers' identity; how they accessed the organization's digital infrastructure; how they moved through the infrastructure; what systems they accessed; what data was exfiltrated or destroyed; confirming that the attackers are no longer present in company systems; and what steps can be taken to prevent their return.

By this definition, the “response” in DFIR includes the initial reaction to a cyber breach, but goes much further. In a best-case scenario, the response would also include measures for improving the organization's digital defenses that came out of an extensive forensic investigation. Seen this way, DFIR does not simply remediate the immediate cause of a breach, but also uncovers other areas of vulnerability and recommends risk reduction actions, thereby preventing other types of cyber attack in the future.


Steps in DFIR

Digital forensics and incident response efforts can be split into two separate workflows, but security teams often execute them concurrently. For our purposes, we have merged the DF and IR tasks into a single framework:

  • Forensics collection. The gathering of forensic evidence is by definition a scientific process or method that assists in the discovery and potential prosecution of a crime. In a security context, forensics also aids analysis and remediation. The evidence collected can help investigators understand what happened and take steps to bolster defenses. The process typically includes analysis of:
    • File systems and memory within any compromised endpoints;
    • Network forensics, which can include packet capture (PCAP), traffic analysis, web browsing analysis, and any other network activity that may reveal how the attackers moved into or through systems;
    • Logs generated by operating systems, applications, network devices, and other system components, examined for evidence of anomalous behavior or actions.

The subsequent DFIR steps depend on thorough collection of forensic evidence. Without it, security teams will have little confidence that they are creating an accurate picture of the incident, or that they are able to respond and remediate the affected systems.

  • Triage and investigation. Collected evidence also enables the security teams to zero in on a threat and take steps to address it, even while recording evidence for forensic purposes. Intrusion detection systems that generate alerts and provide additional context from network analysis can reduce the mean time to respond (MTTR) to an attack.
  • Notification and reporting. Once the response team is confident that the attack has been contained, they will need to document all damages, including a list of compromised assets, the types of data that have been compromised, exfiltrated, or destroyed, and the steps that were taken to eliminate the threat. The team will then need to assemble reports for company leadership, law enforcement, insurers, regulators, or any other body that needs a thorough and accurate description of the event.
  • Incident follow-up. The security team should look at the assembled evidence through the lens of improvement and strengthening. What went well in the triage and evidence collection process? How quickly did the team respond and remediate damage? How does the incident reflect on the overall strength of the organization's security? Was the security team able to create a comprehensive picture of the organization's networks, systems, and endpoints? What can the team do to prevent a repeat of the incident or other types of cyber attacks in the future?


Challenges of DFIR

One of the most challenging aspects of the digital forensics and incident response process is caused by disparate, disconnected evidence. The digital ecosystems of many organizations are increasingly complex, and critical forensic evidence may exist in several unconnected locations. Pulling together all relevant evidence from virtual and physical environments is often time consuming and difficult.

This problem is exacerbated by the fact that attack surfaces of organizations are also expanding, and thereby increasing the locations and methods attackers can exploit while also adding to the time and difficulty of the evidence-collecting process. Furthermore, new tools and applications and updated operating systems require security and forensic teams to constantly refresh their knowledge — a problem that is compounded by the lack of well-trained cybersecurity professionals.


The SOC Visibility Triad enables robust forensics collection

Given the complexity of digital systems and the need for rapid response to breaches, robust forensics collection depends on approaches that integrate a large number of data sources. Comprehensive forensics collection depends on tools and systems that provide fast, deep visibility of the entire environment.

The SOC Visibility Triad, created by Gartner in 2019, is a framework for making endpoints, networks, and logs more transparent while putting security teams in a more proactive position. It combines endpoint detection and response (EDR) with network detection and response (NDR) and security information and event management (SIEM). Together, the three capabilities can assemble real-time data from endpoints, networks, and logs to create a synergy that can extend the effectiveness of each technology.

DFIR teams can benefit by choosing solutions that take an evidence-based approach to forensics and incident response. Evidence is particularly important when monitoring networks, where the sheer volume of traffic makes threat detection and response more challenging every year. As attacks become more sophisticated, detailed evidence is critical to distinguishing normal user behavior from an attacker's lateral movement through a network.

Assembling strong network forensics and DFIR strategies depends on an evidence-based approach to security. This does not simply mean assembling evidence of an attacker's behavior after an event: it also means implementing tools and strategies that can make threat hunting more targeted and effective before a breach occurs. Open-source platforms, such as Zeek®, can translate network traffic into summarized activity logs that expedite the triage and collection efforts of forensics teams.


Build out DFIR and SOC Visibility Triad with Open NDR

Advanced NDR platforms that leverage flexible metadata from network and cloud deployments cover one of the most important areas that DFIR response teams must harvest for evidence of a breach. Combined with EDR and SIEM (or XDR), NDR can help provide the complete picture that DFIR analysts need to remediate a breach, produce accurate reports, and take proactive steps that contain cyber risk going forward.

Corelight's Open NDR Platform, powered by Zeek, provides a commanding view of the network, generating details such as SSH inferences, DNS query/response, file hashes, TLS connection details, and HTTP content. It provides the evidence to support robust, effective digital forensics as well as timely and targeted incident response.
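As an added illustration of the evidence-based triage described above (example code written for this page, not Corelight's or Zeek's own), the Python below parses a few constructed Zeek-style conn.log lines, flags a workstation fanning out to many internal systems on administrative ports (a common lateral-movement pattern an investigator wants distinguished from normal traffic), and builds the per-host timeline that feeds the reporting step. The internal address range, port list, and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in Zeek conn.log TSV layout (not captured traffic):
# workstation 10.0.5.23 fans out to several internal hosts on SMB/RDP,
# while server 10.0.7.10 shows ordinary activity. Subset of conn.log columns.
CONN_LOG = (
    "#separator \\x09\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    "1700000000.10\tC1\t10.0.5.23\t51000\t8.8.8.8\t53\tudp\tdns\tSF\n"
    "1700000001.20\tC2\t10.0.5.23\t51001\t10.0.5.40\t445\ttcp\tsmb\tSF\n"
    "1700000002.30\tC3\t10.0.5.23\t51002\t10.0.5.41\t445\ttcp\tsmb\tSF\n"
    "1700000003.40\tC4\t10.0.5.23\t51003\t10.0.5.42\t3389\ttcp\tssl\tSF\n"
    "1700000004.50\tC5\t10.0.5.23\t51004\t10.0.5.43\t445\ttcp\tsmb\tRSTO\n"
    "1700000005.60\tC6\t10.0.7.10\t40000\t10.0.5.40\t445\ttcp\tsmb\tSF\n"
    "1700000006.70\tC7\t10.0.7.10\t40001\t10.0.9.5\t443\ttcp\tssl\tSF\n"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed site address range
ADMIN_PORTS = {"445", "3389", "5985", "22"}      # SMB, RDP, WinRM, SSH (assumed)

def parse_zeek_tsv(text):
    """Parse Zeek TSV using the '#fields' header; other '#' lines are metadata."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def lateral_fanout(records, min_targets=3):
    """Hosts that reached >= min_targets distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    for r in records:
        src, dst = ipaddress.ip_address(r["id.orig_h"]), ipaddress.ip_address(r["id.resp_h"])
        if src in INTERNAL and dst in INTERNAL and r["id.resp_p"] in ADMIN_PORTS:
            targets[r["id.orig_h"]].add(r["id.resp_h"])
    return {h: sorted(t) for h, t in targets.items() if len(t) >= min_targets}

def host_timeline(records, host):
    """Chronological (UTC time, uid, dst:port/service) rows for one host; the uid pivots to other Zeek logs."""
    rows = sorted((r for r in records if host in (r["id.orig_h"], r["id.resp_h"])),
                  key=lambda r: float(r["ts"]))
    return [(datetime.fromtimestamp(float(r["ts"]), tz=timezone.utc).isoformat(),
             r["uid"], f'{r["id.resp_h"]}:{r["id.resp_p"]}/{r["service"]}') for r in rows]
```

Running `lateral_fanout(parse_zeek_tsv(CONN_LOG))` flags only 10.0.5.23, and `host_timeline` on that host returns the ordered evidence chain for the incident report.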
