
"Computer Forensics and IR" (by Mandia et al)

Link to Book on Amazon

1. Examine initial lead(s)
2. IOC creation
3. Search environment with IOCs
4. Identify systems of interest
5. Collect evidence
6. Analyze data

Common mistake: only looking for malware

  • But malware is only one of the attacker's tools
  • And once an attacker has obtained valid credentials, they no longer need malware at all


Types of IOCs

  • Network IOCs = Snort rules
  • Malware IOCs = YARA rules
  • Host IOCs = OpenIOC, CybOX (not mature!)

Places we search for IOCs

  • Hosts
  • Packet captures
  • Live traffic
  • Malware samples
  • Logs (Duo, firewall, Carbon Black, etc) - stored in SIEM!
  • Internal threat intel tool
  • External threat intel providers
  • DNS logs
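
Added example (not from the book or these notes) of step 3 and step 4 above: a small IOC sweep over SIEM-style records. It parses constructed DNS, firewall, EDR and VPN log lines, matches them against a constructed IOC set (domain, IP, SHA-256; all placeholder values), and returns the hosts that hit, i.e. the systems of interest for the next step. The log format, field names and IOC values are assumptions for illustration.

```python
"""IOC sweep over constructed log lines (added example, not the book's code)."""
import re
from collections import defaultdict

# Constructed IOC set; these are placeholders, not real indicators.
IOCS = {
    "domain": {"update.example-c2.test"},
    "ip": {"203.0.113.7"},          # TEST-NET-3 documentation address
    "sha256": {"a" * 64},
}

# Constructed log lines as a SIEM might normalize them: "<ts> <source> k=v k=v ..."
LOG_LINES = [
    "2024-01-03T09:12:01Z dns host=WS-0142 query=update.example-c2.test type=A",
    "2024-01-03T09:12:02Z fw src=10.0.5.23 dst=203.0.113.7 dport=443 action=allow host=WS-0142",
    "2024-01-03T09:15:44Z dns host=WS-0199 query=mail.corp.test type=MX",
    "2024-01-03T10:01:09Z edr host=SRV-DB-01 proc=svchost.exe sha256=" + "a" * 64,
    "2024-01-03T10:02:00Z fw src=10.0.5.23 dst=198.51.100.9 dport=80 action=allow host=WS-0142",
    # Credential use from an IOC address: no malware involved, still a hit.
    "2024-01-03T11:00:00Z vpn host=VPN-GW user=jill src=203.0.113.7 result=success",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split a '<ts> <source> k=v ...' record into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = {"ts": ts, "source": source}
    fields.update(KV_RE.findall(rest))
    return fields


def match_iocs(fields: dict) -> list:
    """Return (ioc_type, value) pairs present in one parsed record."""
    hits = []
    query = fields.get("query", "").rstrip(".").lower()
    if query in IOCS["domain"]:
        hits.append(("domain", query))
    for key in ("src", "dst"):
        addr = fields.get(key)
        if addr and addr in IOCS["ip"]:
            hits.append(("ip", addr))
    digest = fields.get("sha256", "").lower()
    if digest in IOCS["sha256"]:
        hits.append(("sha256", digest))
    return hits


def sweep(lines) -> dict:
    """Map every host with at least one IOC hit to its matching records."""
    systems = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        hits = match_iocs(fields)
        if hits:
            systems[fields["host"]].append(
                {"ts": fields["ts"], "source": fields["source"], "hits": hits}
            )
    return dict(systems)


if __name__ == "__main__":
    for host, records in sweep(LOG_LINES).items():
        print(host)
        for rec in records:
            print("  ", rec["ts"], rec["source"], rec["hits"])
```

Note the last constructed line: a successful VPN login from an IOC address matches a network IOC even though no malware was involved, which is the point the notes make above about attackers who already hold credentials. The same login from a clean address would match nothing, so a sweep like this is a starting list, not a complete one.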

Now you have a list of systems you've found IOCs on…

Categorize attackers' activities on each system

  • Backdoor installed
  • Data stolen
  • etc

Prioritize each system

  • Based on system's owner (eg, CFO vs secretary)
  • Based on what it's used for (Kubernetes server in production vs Raspberry Pi in lab)
  • Interestingly, also based on how much we'll learn from this system
  • I.e., whether it's a new kind of malware or the 20th identical rootkit

Preserve evidence

  • Until now, we haven't collected any evidence from the hosts
  • Now, collect live artifacts, a memory dump and a hard disk image from the host (without shutting it down)
  • Key: automate the collection process. You want to minimize both the changes made to the system and the time spent interacting with it

Collecting live artifacts + memory dumps

  • Windows: use Mandiant Redline for live artifacts, Memoryze for memory dumping
  • UNIX: write a script for live artifacts, LiME for memory dumping
  • macOS: write a script for live artifacts (try OSXCollector!), Memoryze for memory dumping
  • Can use gcore for dumping individual processes

Analyze data

Some things to analyze:

  • malware
  • live response artifacts
  • disk image
  • packet captures
  • memory dump


  1. Posturing - e.g., exchange contact info, designate responsibilities, etc
  2. Tactical - short term - e.g., change passwords, block IP addresses, re-image hacked systems
  3. Strategic - long term: go through the attack's kill chain and add a protection against each step

Tracking of significant info during incident

Have a naming scheme for each incident. Some possibilities:

  • INCIDENT-333 (auto-generated)
  • Stormy Seas (user created)
  • MAC-Jan-3-A (unique but descriptive)

Significant information to track:

List of evidence collected

For each piece of evidence, store:

  • Source of data (e.g. a person - "Jill Matheson" - or a system - "WIN-XP-338")
  • Date time of collection
  • Chain of custody
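
Added example (not the book's or Mandiant's tooling) that ties together the "Preserve evidence" and "Collecting live artifacts" sections above and the per-item record described here: a scripted live-artifact collector for a UNIX host that runs a fixed list of read-only commands, hashes each output at collection time, and stores source, UTC collection time, collector and a chain-of-custody log for every item. The command list, host name and analyst names are assumptions for illustration; the memory dump and disk image would be recorded with the same `record_evidence` call.

```python
"""Scripted live-artifact collection with an evidence manifest (added example)."""
import hashlib
import json
import subprocess
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Assumed read-only collection set; extend per platform. Each run is one
# short command so interaction time with the host stays minimal.
LIVE_COMMANDS = {
    "processes": ["ps", "-ef"],
    "logged_in_users": ["who"],
    "mounts": ["mount"],
    "uptime": ["uptime"],
}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class Evidence:
    name: str
    source: str          # host or person the data came from
    collected_at: str    # UTC timestamp of collection
    collector: str
    sha256: str
    size: int
    custody: list = field(default_factory=list)   # entries: (ts, from, to, reason)


def record_evidence(name: str, data: bytes, source: str, collector: str) -> Evidence:
    """Hash the data at collection time and open its chain of custody."""
    ev = Evidence(name, source, _now(), collector,
                  hashlib.sha256(data).hexdigest(), len(data))
    ev.custody.append((ev.collected_at, source, collector, "collected"))
    return ev


def current_holder(ev: Evidence) -> str:
    return ev.custody[-1][2]


def transfer(ev: Evidence, to: str, reason: str) -> Evidence:
    """Append a custody entry from the current holder to the new one."""
    ev.custody.append((_now(), current_holder(ev), to, reason))
    return ev


def verify_integrity(ev: Evidence, data: bytes) -> bool:
    """True if the data still matches the hash and size taken at collection."""
    return len(data) == ev.size and hashlib.sha256(data).hexdigest() == ev.sha256


def collect_live(host: str, collector: str, commands=LIVE_COMMANDS) -> list:
    """Run each command once, capture stdout, and record it as evidence.

    A failed command is recorded too, so the manifest shows what was attempted.
    """
    items = []
    for name, cmd in commands.items():
        try:
            out = subprocess.run(cmd, capture_output=True, timeout=30, check=False).stdout
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            out = f"collection failed: {exc}".encode()
        items.append(record_evidence(name, out, host, collector))
    return items


def manifest(items) -> str:
    """JSON manifest: the evidence list to store alongside the artifacts."""
    return json.dumps([asdict(e) for e in items], indent=2)


if __name__ == "__main__":
    collected = collect_live("WS-0142", "analyst-a")          # constructed names
    transfer(collected[0], "analyst-b", "handed over for analysis")
    print(manifest(collected))
```

The hash is taken the moment the output is captured, so any later change to the stored artifact is detectable with `verify_integrity`, and every hand-off is an explicit `transfer` entry rather than a note in someone's head.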

List of affected systems

  • Systems that were hacked into
  • Systems that were accessed without authorization (not the same thing!)

Report Writing

  • Know your audience. Are you writing a technical postmortem or a summary for the C-Suite?
  • Just state the facts. Don't interject speculation or opinions.
  • Mandiant writes reports in Word, according to the author