Opening Framing
Throughout this course, you've built skills in forensic methodology, evidence acquisition, file system analysis, Windows and Linux forensics, memory analysis, network forensics, log analysis, malware investigation, timeline construction, and professional reporting. Now it's time to bring everything together.
Real investigations don't come labeled by skill area. A breach investigation might require disk forensics to find the malware, memory forensics to understand its behavior, network forensics to identify C2 communication, log analysis to trace lateral movement, and timeline analysis to reconstruct the complete attack chain. The capstone challenges you to apply all these skills to a realistic scenario.
This week presents a simulated security incident requiring full investigation methodology. You'll receive evidence from multiple sources and must determine what happened, how it happened, what was impacted, and what should be done. Your deliverable is a professional forensic report documenting your complete investigation.
Key insight: Investigations are iterative. Initial findings lead to new questions, which lead to new analysis, which reveals more findings. Follow the evidence wherever it leads.
1) Investigation Methodology Review
Before diving into the capstone, review the complete forensic methodology that guides professional investigations:
NIST Forensic Process (SP 800-86):
1. COLLECTION
- Identify potential evidence sources
- Acquire evidence (forensically sound)
- Document chain of custody
- Verify integrity (hashing)
2. EXAMINATION
- Process evidence to extract relevant data
- Use forensic tools appropriately
- Document procedures and findings
- Maintain evidence integrity
3. ANALYSIS
- Correlate data from multiple sources
- Build timeline of events
- Identify attack vectors and techniques
- Determine scope and impact
4. REPORTING
- Document findings clearly
- Support conclusions with evidence
- Provide actionable recommendations
- Tailor to audience
Investigation Questions Framework:
Key Questions Every Investigation Must Answer:
WHAT happened?
- What systems were affected?
- What data was accessed/stolen/modified?
- What malware/tools were used?
- What was the business impact?
HOW did it happen?
- What was the initial access vector?
- How did the attacker move laterally?
- How was persistence established?
- How was data exfiltrated?
WHEN did it happen?
- When did the initial compromise occur?
- What was the timeline of attack progression?
- When was the attack detected?
- What was the dwell time?
WHO was responsible?
- Can attribution be determined?
- What threat actor characteristics are evident?
- Internal or external threat?
- Targeted or opportunistic?
WHY did defenses fail?
- What security controls were bypassed?
- What visibility gaps existed?
- What could have detected this earlier?
- What should be improved?
Evidence Source Integration:
Multi-Source Analysis Strategy:
Start with Known Indicators:
1. Alert or detection that triggered investigation
2. Reported suspicious activity
3. Known malware hash or IP
Expand to Related Evidence:
┌──────────────────┬─────────────────────────────────────────┐
│ If you find...   │ Also examine...                         │
├──────────────────┼─────────────────────────────────────────┤
│ Malware file     │ Prefetch, Amcache, memory, network logs │
│ Suspicious IP    │ Firewall logs, DNS, proxy, all hosts    │
│ Compromised user │ All systems user accessed, email logs   │
│ Lateral movement │ Source and destination systems fully    │
│ Data staging     │ Network for exfiltration, cloud logs    │
└──────────────────┴─────────────────────────────────────────┘
Iterate Until Complete:
- Each finding may reveal new leads
- Document decision points
- Know when to stop (diminishing returns)
Completeness Checklist:
□ Initial access identified
□ Lateral movement mapped
□ Persistence mechanisms found
□ Data access determined
□ Exfiltration assessed
□ Timeline constructed
□ All affected systems identified
□ IOCs extracted
□ Attribution assessed (if possible)
Tool Selection Guide:
Tools by Analysis Type:
Disk Forensics:
- Autopsy (GUI analysis)
- Sleuth Kit (command line)
- FTK Imager (acquisition)
- Eric Zimmerman tools (Windows artifacts)
Memory Forensics:
- Volatility 3 (analysis)
- WinPMEM / LiME (acquisition)
Network Forensics:
- Wireshark (packet analysis)
- NetworkMiner (extraction)
- Zeek (logging)
- tshark (scripted analysis)
Log Analysis:
- Splunk / ELK (SIEM)
- grep/awk/sed (command line)
- Timeline Explorer (visualization)
Timeline:
- Plaso/log2timeline (super timeline)
- Timesketch (collaborative)
Malware:
- PEStudio (static analysis)
- YARA (detection rules)
- Online sandboxes (dynamic)
Reporting:
- Word processor
- Screenshot tools
- Diagramming tools
Key insight: No single tool does everything. Professional investigators combine multiple tools, validating findings across different methods.
2) Capstone Scenario
You are a digital forensics examiner responding to a security incident at Acme Corporation, a mid-sized financial services company:
INCIDENT BACKGROUND:
Date: Monday, March 15, 2024
Acme Corporation's Security Operations Center (SOC) received an alert from their EDR solution indicating suspicious PowerShell activity on a workstation belonging to an accountant (ACCT-WS-042). Initial triage revealed potential data exfiltration.
You have been engaged to conduct a full forensic investigation to determine:
1. How was the system initially compromised?
2. What actions did the attacker take?
3. Was any data exfiltrated? If so, what?
4. Are other systems affected?
5. What recommendations should be implemented?
ENVIRONMENT:
- Windows 10 workstations
- Windows Server 2019 file servers
- Active Directory domain: ACME.LOCAL
- Cisco ASA firewall with logging
- Splunk SIEM (90-day retention)
- CrowdStrike Falcon EDR
TIMELINE OF KNOWN EVENTS:
- March 15, 14:32 UTC: EDR alert triggered
- March 15, 14:45 UTC: SOC escalated to IR team
- March 15, 15:00 UTC: Workstation isolated from network
- March 15, 15:30 UTC: Memory captured
- March 15, 16:00 UTC: Disk imaged
- March 15, 16:30 UTC: You received evidence
Available Evidence:
EVIDENCE INVENTORY:
E-001: Disk Image
- Source: ACCT-WS-042 (C: drive)
- Format: E01
- Size: 120 GB
- SHA256: [provided with evidence]
- Acquired: 2024-03-15 16:00 UTC
E-002: Memory Dump
- Source: ACCT-WS-042
- Format: Raw
- Size: 16 GB
- SHA256: [provided with evidence]
- Acquired: 2024-03-15 15:30 UTC
E-003: Firewall Logs
- Source: Cisco ASA
- Format: Syslog export
- Timeframe: 2024-03-01 to 2024-03-15
- Contains: All traffic to/from ACCT-WS-042
E-004: SIEM Export
- Source: Splunk
- Format: CSV
- Contains: Windows Security events for ACCT-WS-042
- Timeframe: 2024-03-01 to 2024-03-15
E-005: EDR Alerts
- Source: CrowdStrike Falcon
- Format: JSON export
- Contains: All alerts for ACCT-WS-042
- Timeframe: 2024-03-01 to 2024-03-15
E-006: Email Headers
- Source: Exchange Online
- Contains: Recent emails to compromised user
- Timeframe: 2024-03-10 to 2024-03-15
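Every item above carries a SHA256 that is "[provided with evidence]", and the first thing an examiner does on receipt is confirm that the delivered files still match those values, then record the check. The script below is an added example, not course material or a tool from the scenario: it streams each evidence file through SHA-256, compares the digest with the inventory value, reports VERIFIED / MISMATCH / MISSING per item, and appends one JSON-lines entry per item to an examiner log. The manifest layout, the stand-in file names (E-001.E01 and so on) and the log format are assumptions made for this example; the sample files it writes are a few bytes of constructed content.

```python
"""Verify evidence hashes against the inventory and record the check in the examiner log.

Added example for the evidence inventory and the evidence-log requirement; it is
not course material. The manifest layout, the stand-in file names and the
JSON-lines log format are assumptions made for this example.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks: a 120 GB image must never be read into memory whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest; opens read-only, never writes."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_evidence(manifest, evidence_dir):
    """Compare each manifest entry's expected SHA-256 with the file actually delivered.

    manifest: list of {"id", "file", "sha256"} dicts, the hash being the value
    supplied with the evidence. A missing file is reported, not raised, so the
    whole inventory is always checked and every outcome lands in the log.
    """
    results = []
    for item in manifest:
        path = Path(evidence_dir) / item["file"]
        if not path.is_file():
            results.append({"id": item["id"], "status": "MISSING", "observed": None})
            continue
        observed = sha256_file(path)
        matches = observed.lower() == item["sha256"].lower()  # tools differ in hex case
        results.append({"id": item["id"], "status": "VERIFIED" if matches else "MISMATCH",
                        "observed": observed})
    return results


def append_examiner_log(log_path, case_number, examiner, results):
    """Append one JSON line per item (case, examiner, UTC time, outcome, observed hash)."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(log_path, "a", encoding="utf-8") as fh:
        for r in results:
            fh.write(json.dumps({"case": case_number, "examiner": examiner,
                                 "time_utc": stamp, **r}) + "\n")
    return len(results)


def build_demo(evidence_dir):
    """Write constructed stand-in files and a manifest that exercises all three outcomes."""
    root = Path(evidence_dir)
    disk = root / "E-001.E01"
    disk.write_bytes(b"constructed stand-in for the ACCT-WS-042 disk image")
    (root / "E-002.raw").write_bytes(b"constructed stand-in for the memory dump")
    return [
        {"id": "E-001", "file": "E-001.E01", "sha256": sha256_file(disk)},  # verifies
        {"id": "E-002", "file": "E-002.raw", "sha256": "0" * 64},           # wrong hash
        {"id": "E-003", "file": "E-003.syslog", "sha256": "0" * 64},        # not delivered
    ]


def run_demo():
    """Run the check in a scratch directory; returns ({evidence id: status}, log lines written)."""
    with tempfile.TemporaryDirectory() as workdir:
        results = verify_evidence(build_demo(workdir), workdir)
        written = append_examiner_log(Path(workdir) / "examiner_log.jsonl",
                                      "ACME-IR-2024-0042", "examiner", results)
        return {r["id"]: r["status"] for r in results}, written


if __name__ == "__main__":
    statuses, written = run_demo()
    for item_id, status in statuses.items():
        print(item_id, status)
    print(f"{written} examiner-log entries written")
```

A MISMATCH is itself a finding: stop, leave the file untouched, and raise it with whoever handed over the evidence before any analysis starts. The log line is appended rather than overwritten so that a re-verification later in the case (for instance before the final report) sits next to the original entry.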
Investigation Scope:
AUTHORIZED SCOPE:
In Scope:
✓ ACCT-WS-042 (full forensic analysis)
✓ Related network traffic
✓ Related log entries
✓ User account activity (j.smith@acme.local)
✓ File server access by compromised account
✓ Malware analysis of any samples found
Out of Scope:
✗ Other workstations (unless evidence shows compromise)
✗ Server forensics (unless lateral movement confirmed)
✗ Physical security investigation
✗ Employee interviews
Authorization:
- Authorized by: Sarah Chen, CISO
- Authorization date: 2024-03-15
- Case number: ACME-IR-2024-0042
Constraints:
- Report due: 5 business days
- Preliminary findings: 24 hours
- Legal hold in place on all evidence
Note: For this capstone, you'll work with practice forensic images. The scenario provides context for realistic investigation methodology application.
3) Investigation Approach
Approach this investigation systematically, documenting your process throughout:
Recommended Investigation Phases:
PHASE 1: Initial Triage (Hours 1-4)
Goals:
- Understand the alert that triggered investigation
- Identify obvious indicators of compromise
- Determine if incident is ongoing
- Provide preliminary findings to stakeholders
Activities:
- Review EDR alerts in detail
- Quick memory analysis (running processes, network)
- Check for active C2 connections
- Identify malware if present
Deliverable: Preliminary findings briefing
PHASE 2: Deep Analysis (Hours 4-24)
Goals:
- Determine initial access vector
- Map attacker activity on the system
- Identify persistence mechanisms
- Extract all IOCs
Activities:
- Full memory forensics
- Disk forensics (MFT, prefetch, registry, browser)
- Malware analysis (static and dynamic)
- Email analysis for phishing
Deliverable: Technical findings document
PHASE 3: Scope Assessment (Hours 24-48)
Goals:
- Determine if other systems affected
- Assess data exposure
- Understand full attack timeline
Activities:
- Log analysis across environment
- Network traffic analysis
- IOC sweep across other systems
- Data access analysis
Deliverable: Scope assessment update
PHASE 4: Timeline and Reporting (Hours 48-72)
Goals:
- Build comprehensive timeline
- Document all findings
- Develop recommendations
- Prepare final report
Activities:
- Create super timeline
- Correlate all evidence sources
- Write report sections
- Peer review
Deliverable: Final forensic report
Documentation Requirements:
Maintain Throughout Investigation:
Examiner Notes:
- Time started/stopped each task
- Tools used and versions
- Commands executed
- Findings noted immediately
- Questions raised for follow-up
- Decision points and rationale
Evidence Log:
- Every file examined
- Hash values verified
- Where evidence was stored
- Who accessed evidence
Screenshot Catalog:
- Descriptive filenames
- Case number prefix
- Sequential numbering
- Annotation notes
Finding Tracker:
┌─────┬──────────┬──────────────┬───────────┬─────────────────┐
│ ID  │ Finding  │ Evidence     │ Status    │ Follow-up       │
├─────┼──────────┼──────────────┼───────────┼─────────────────┤
│ F01 │ Malware  │ E-001, E-002 │ Confirmed │ Analyze sample  │
│ F02 │ C2 IP    │ E-002, E-003 │ Confirmed │ Check all hosts │
│ F03 │ Phishing │ E-006        │ Suspected │ Get full email  │
└─────┴──────────┴──────────────┴───────────┴─────────────────┘
Quality Checkpoints:
Self-Review at Each Phase:
After Triage:
□ Can I explain the alert to stakeholders?
□ Have I identified immediate threats?
□ Do I know what to prioritize next?
After Deep Analysis:
□ Do I understand HOW compromise occurred?
□ Have I found all malware/tools?
□ Are persistence mechanisms documented?
□ Are all IOCs extracted?
After Scope Assessment:
□ Do I know WHAT was affected?
□ Can I quantify data exposure?
□ Have I found all lateral movement?
Before Final Report:
□ Can another examiner reproduce my findings?
□ Is every conclusion supported by evidence?
□ Are recommendations actionable?
□ Is the report clear to intended audience?
Key insight: Investigation quality depends on process discipline. Rushed analysis misses evidence; undocumented analysis cannot be defended.
4) Analysis Techniques Summary
Quick reference for techniques covered throughout the course:
DISK FORENSICS CHECKLIST:
Windows Artifacts:
□ MFT analysis (timeline, deleted files)
□ USN Journal (file changes)
□ Prefetch (execution evidence)
□ Amcache (execution, hashes)
□ ShimCache (file existence)
□ Registry (config, persistence, user activity)
□ Event logs (security events)
□ Browser history (downloads, searches)
□ LNK files (file access)
□ Jump Lists (recent files)
□ ShellBags (folder access)
□ Recycle Bin (deleted files)
Key Commands:
$ MFTECmd.exe -f '$MFT' --csv output/
$ PECmd.exe -d Prefetch --csv output/
$ EvtxECmd.exe -d Logs --csv output/
$ AmcacheParser.exe -f Amcache.hve --csv output/
Memory Forensics Checklist:
MEMORY FORENSICS CHECKLIST:
Process Analysis:
□ pslist - Running processes
□ pstree - Process hierarchy
□ psscan - Hidden processes
□ cmdline - Command arguments
□ dlllist - Loaded DLLs
□ handles - Open handles
Network Analysis:
□ netscan - Connections
Injection Detection:
□ malfind - Injected code
□ ldrmodules - Unlinked DLLs
□ vadinfo - Memory regions
Credential Extraction:
□ hashdump - SAM hashes
□ lsadump - LSA secrets
Key Commands:
$ vol -f memory.raw windows.pslist
$ vol -f memory.raw windows.pstree
$ vol -f memory.raw windows.netscan
$ vol -f memory.raw windows.malfind
$ vol -f memory.raw windows.cmdline
Network and Log Analysis Checklist:
NETWORK FORENSICS CHECKLIST:
Traffic Analysis:
□ Protocol hierarchy (what's in capture)
□ Conversations (who talked to whom)
□ HTTP requests (downloads, C2)
□ DNS queries (C2, tunneling)
□ TLS metadata (certificates)
Extraction:
□ Files transferred
□ Credentials captured
□ Session reconstruction
Key Commands:
$ tshark -r capture.pcap -q -z conv,tcp
$ tshark -r capture.pcap -Y "http.request"
$ tshark -r capture.pcap -Y "dns"
LOG ANALYSIS CHECKLIST:
Windows Events:
□ 4624/4625 - Logon success/failure
□ 4648 - Explicit credentials
□ 4672 - Special privileges
□ 4688 - Process creation
□ 4698/4699 - Scheduled task
□ 7045 - Service installed
□ 4104 - PowerShell script block
Linux Logs:
□ auth.log - Authentication
□ syslog - System events
□ cron - Scheduled tasks
□ bash_history - Commands
Malware and Timeline Checklist:
MALWARE ANALYSIS CHECKLIST:
Static Analysis:
□ File hashes (MD5, SHA256)
□ File type verification
□ VirusTotal lookup
□ Strings extraction
□ PE analysis (imports, sections)
□ Packing detection
Dynamic Analysis:
□ Sandbox execution
□ Network connections
□ File system changes
□ Registry changes
□ Process activity
IOC Extraction:
□ Hashes
□ IPs and domains
□ File paths
□ Registry keys
□ YARA rules
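The IOC-extraction step above is usually done by hand from strings output and examiner notes, which is slow and error-prone. The script below is an added example (not course code) of doing it by script: it pulls hashes, IPs, domains, URLs, Windows file paths and registry keys out of raw text, separates internal RFC 1918 addresses (still needed for scoping) from external ones, and defangs the network indicators so they can be pasted into the appendix. The sample input, the regular expressions, the extension deny-list and the internal-range definition are assumptions for this example; the addresses are documentation ranges, the domain uses the reserved .test TLD and the hashes are dummy hex, so nothing in it is a real indicator. The output still needs analyst review, since the regexes are deliberately simple.

```python
"""Pull IOCs out of raw analysis output and defang them for the report appendix.

Added example for the IOC-extraction checklist; not course code. The input is a
constructed stand-in for strings output plus examiner notes.
"""
import ipaddress
import re

# Constructed sample: documentation-range IPs, a .test domain, dummy hex hashes.
SAMPLE = r"""
http://update.example-bad.test/stage2.ps1
198.51.100.23:443
10.10.5.42
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
C:\Users\j.smith\AppData\Roaming\updater.exe
sha256 of dropper: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
md5 of dropper: 0123456789abcdef0123456789abcdef
999.1.1.1 is not a valid address and must be ignored
"""

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Bare domains must not follow a backslash or word character, so C:\Users\j.smith is skipped.
DOMAIN_RE = re.compile(r"(?<![\\\w])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
REG_RE = re.compile(r"\b(?:HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+)\\\S+")
PATH_RE = re.compile(r"\b[A-Za-z]:\\\S+")
HASH_RES = {"sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
            "sha1": re.compile(r"\b[0-9a-f]{40}\b", re.I),
            "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I)}
# File extensions the domain regex would otherwise mistake for top-level domains.
FILE_EXTS = {"exe", "dll", "sys", "ps1", "bat", "cmd", "txt", "log", "csv", "json", "hve", "pf"}
# "Internal" means RFC 1918 plus loopback here; adjust to the environment's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                                   "192.168.0.0/16", "127.0.0.0/8")]


def extract_iocs(text):
    """Return a dict of sorted, de-duplicated IOC lists bucketed by type."""
    urls = sorted(set(URL_RE.findall(text)))
    # Hosts are taken from the URLs first; URLs are then blanked so the bare-domain
    # scan does not count the same host twice.
    domains = {u.split("://", 1)[1].split("/", 1)[0].split(":")[0].lower() for u in urls}
    remainder = URL_RE.sub(" ", text)
    for d in DOMAIN_RE.findall(remainder):
        if d.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
            domains.add(d.lower())
    internal, external = set(), set()
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # octet out of range, e.g. 999.1.1.1
        (internal if any(addr in net for net in INTERNAL_NETS) else external).add(ip)
    iocs = {"urls": urls, "domains": sorted(domains), "external_ips": sorted(external),
            "internal_ips": sorted(internal),
            "registry_keys": sorted(set(REG_RE.findall(text))),
            "file_paths": sorted(set(PATH_RE.findall(text)))}
    for name, rx in HASH_RES.items():
        iocs[name] = sorted({h.lower() for h in rx.findall(text)})
    return iocs


def defang(value):
    """Make a network indicator safe to paste into a document (hxxp, [.])."""
    return re.sub(r"^http", "hxxp", value, flags=re.I).replace(".", "[.]")


def render_appendix(iocs):
    """Render appendix rows: network indicators defanged, host artefacts left intact."""
    defanged = {"urls", "domains", "external_ips", "internal_ips"}
    lines = []
    for bucket, values in iocs.items():
        for v in values:
            lines.append(f"{bucket}\t{defang(v) if bucket in defanged else v}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_appendix(extract_iocs(SAMPLE)))
```

The same buckets map directly onto the appendix IOC list (hashes, IPs, domains) and onto the inputs for an IOC sweep across other systems in Phase 3; the defanged form is what goes in the report, the raw form is what goes into the SIEM or EDR search.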
TIMELINE ANALYSIS CHECKLIST:
Creation:
□ Run log2timeline on disk image
□ Include all relevant parsers
□ Export filtered timeline
Analysis:
□ Identify pivot point
□ Filter to relevant timeframe
□ Correlate across sources
□ Document causal relationships
□ Identify gaps
Key Commands:
$ log2timeline.py --storage-file case.plaso image.E01
$ psort.py -o l2tcsv -w timeline.csv case.plaso "date > '2024-03-15'"
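log2timeline covers the disk image, but the capstone also hands you firewall syslog, a SIEM CSV and EDR JSON, and the "correlate across sources" step is where timezone mistakes creep in. As an added example (not course code) tying the log-analysis checklist to the timeline checklist, the script below parses constructed stand-ins for E-003 (firewall logging in local time), E-004 (SIEM CSV in UTC) and E-005 (EDR JSON with a trailing Z), converts every timestamp to UTC, flags Windows event IDs from the checklist, merges the three sources into one ordered timeline and filters it to a window around the EDR alert as the pivot point. It goes beyond the single-source commands above by merging several sources; the field layouts are simplified assumptions rather than the vendors' real export formats, and every timestamp, address, host and account in the samples is constructed.

```python
"""Normalise three evidence sources to UTC and merge them into one timeline.

Added example for the log-analysis and timeline checklists; not course code.
The samples stand in for E-003, E-004 and E-005 with simplified, assumed layouts.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Event IDs from the log-analysis checklist; SIEM rows with these get a checklist flag.
EVENT_IDS = {4624: "Logon success", 4625: "Logon failure", 4648: "Explicit credentials",
             4672: "Special privileges", 4688: "Process creation", 4698: "Scheduled task created",
             4699: "Scheduled task deleted", 7045: "Service installed", 4104: "PowerShell script block"}

# E-003 stand-in. The firewall stamps local time (UTC-4): the classic normalisation trap.
FIREWALL_SYSLOG = """\
Mar 15 2024 10:31:07 -0400 %ASA-6-302013: Built outbound TCP connection 88 for outside:198.51.100.23/443 to inside:10.10.5.42/49812
Mar 15 2024 10:31:50 -0400 %ASA-6-302014: Teardown TCP connection 88 for outside:198.51.100.23/443 to inside:10.10.5.42/49812 duration 0:00:43 bytes 5242880
"""

# E-004 stand-in: CSV export of Windows Security/PowerShell events, already in UTC.
SIEM_CSV = r"""
_time,EventCode,ComputerName,Account_Name,Message
2024-03-15 14:30:12,4688,ACCT-WS-042,j.smith,"New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
2024-03-15 14:31:02,4104,ACCT-WS-042,j.smith,"Creating Scriptblock text (1 of 1): [constructed sample]"
2024-03-15 14:33:40,4698,ACCT-WS-042,j.smith,"A scheduled task was created: \Updater"
2024-03-15 14:35:05,4624,FS-01,j.smith,"Logon Type: 3, Source Network Address: 10.10.5.42"
"""

# E-005 stand-in: EDR alerts as ISO-8601 with a trailing Z.
EDR_JSON = """[
 {"timestamp": "2024-03-15T14:32:00Z", "severity": "high", "hostname": "ACCT-WS-042", "description": "Suspicious PowerShell activity"},
 {"timestamp": "2024-03-15T14:33:45Z", "severity": "medium", "hostname": "ACCT-WS-042", "description": "Scheduled task created by powershell.exe"}
]"""


def parse_firewall(text):
    """Syslog lines -> events; the %z offset is parsed and converted to UTC, never assumed."""
    events = []
    for line in filter(None, text.splitlines()):
        stamp, _, rest = line.partition(" %ASA")
        ts = datetime.strptime(stamp, "%b %d %Y %H:%M:%S %z").astimezone(timezone.utc)
        events.append({"ts": ts, "source": "E-003 firewall", "host": "ASA", "summary": "%ASA" + rest})
    return events


def parse_siem_csv(text):
    """CSV rows -> events, tagging event IDs that appear in the checklist."""
    events = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        ts = datetime.strptime(row["_time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        code = int(row["EventCode"])
        events.append({"ts": ts, "source": "E-004 SIEM", "host": row["ComputerName"],
                       "summary": f"EID {code} ({EVENT_IDS.get(code, 'other')}) {row['Account_Name']}: {row['Message']}",
                       "checklist": code in EVENT_IDS})
    return events


def parse_edr_json(text):
    """JSON alert list -> events; fromisoformat wants +00:00 rather than Z on older Pythons."""
    events = []
    for alert in json.loads(text):
        ts = datetime.fromisoformat(alert["timestamp"].replace("Z", "+00:00")).astimezone(timezone.utc)
        events.append({"ts": ts, "source": "E-005 EDR", "host": alert["hostname"],
                       "summary": f"[{alert['severity']}] {alert['description']}"})
    return events


def build_timeline(*event_lists):
    """Merge every source into one list ordered by UTC time: the super-timeline step."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def window_around(timeline, pivot, minutes=60):
    """Filter to the timeframe around a pivot point (here the first EDR alert)."""
    delta = timedelta(minutes=minutes)
    return [e for e in timeline if pivot - delta <= e["ts"] <= pivot + delta]


def to_csv(timeline):
    """Serialise for Timeline Explorer or a report table."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["time_utc", "source", "host", "checklist", "summary"])
    for e in timeline:
        writer.writerow([e["ts"].strftime("%Y-%m-%d %H:%M:%S"), e["source"], e["host"],
                         "Y" if e.get("checklist") else "", e["summary"]])
    return buf.getvalue()


if __name__ == "__main__":
    edr = parse_edr_json(EDR_JSON)
    timeline = build_timeline(parse_firewall(FIREWALL_SYSLOG), parse_siem_csv(SIEM_CSV), edr)
    print(to_csv(window_around(timeline, edr[0]["ts"], minutes=2)))
```

In the merged view the firewall connection (10:31 local, 14:31 UTC) lands between the PowerShell process start and the EDR alert rather than four hours earlier, which is the kind of causal ordering the "document causal relationships" item depends on; the last row, a type 3 logon to FS-01 from the workstation's address, is the sort of lead that turns a single-host case into the scope assessment of Phase 3.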
These checklists ensure you don't miss critical analysis steps during your investigation.
5) Report Deliverables
Your capstone deliverable is a complete forensic report meeting professional standards:
REQUIRED REPORT SECTIONS:
1. Cover Page
- Case number: ACME-IR-2024-0042
- Report date
- Examiner name
- Classification: CONFIDENTIAL
2. Table of Contents
3. Executive Summary (1-2 pages)
- What happened
- Business impact
- Key recommendations
- Written for non-technical audience
4. Authorization and Scope
- Who authorized
- What was examined
- What was out of scope
- Timeframe
5. Evidence Summary
- List of all evidence items
- Acquisition details
- Hash values
- Chain of custody references
6. Methodology
- Tools used (with versions)
- Procedures followed
- Standards applied
7. Findings (Main Body)
- Organized by investigation phase or topic
- Each finding supported by evidence
- Screenshots and evidence excerpts
- Technical detail appropriate for audience
8. Timeline
- Chronological attack narrative
- Table format with evidence references
- Visual timeline graphic
9. Conclusions
- Summary of what occurred
- Attribution assessment (if possible)
- Confidence levels stated
10. Recommendations
- Prioritized by risk
- Actionable and specific
- Assigned owners and timelines
11. Appendices
- IOC list (hashes, IPs, domains)
- Detailed tool outputs
- Evidence catalog
- Glossary of terms
Report Quality Criteria:
GRADING RUBRIC:
Technical Accuracy (30%):
□ Findings are factually correct
□ Tools used appropriately
□ Analysis methodology sound
□ Timeline accurate
Evidence Documentation (25%):
□ All findings reference evidence
□ Chain of custody maintained
□ Screenshots properly annotated
□ Evidence catalog complete
Report Quality (25%):
□ Clear and professional writing
□ Appropriate for audience
□ Proper structure followed
□ No spelling/grammar errors
Completeness (20%):
□ All investigation questions answered
□ All required sections present
□ Recommendations actionable
□ IOCs extracted and documented
EXCELLENCE INDICATORS:
Distinguished Work:
- Novel analysis techniques applied
- Exceptional evidence correlation
- Insights beyond obvious findings
- Publication-quality documentation
Professional Standard:
- Report could be submitted to client
- Would withstand legal scrutiny
- Enables effective remediation
- Demonstrates mastery of course material
Common Pitfalls to Avoid:
INVESTIGATION PITFALLS:
Analysis Errors:
✗ Tunnel vision (only looking for expected findings)
✗ Confirmation bias (ignoring contradictory evidence)
✗ Skipping steps (assuming without verification)
✗ Tool reliance (not understanding what tools do)
Documentation Errors:
✗ Findings without evidence references
✗ Conclusions without supporting analysis
✗ Missing timestamps or hash values
✗ Inadequate screenshots
Report Errors:
✗ Technical jargon in executive summary
✗ Speculation presented as fact
✗ Recommendations without priority
✗ Missing methodology documentation
Process Errors:
✗ Not maintaining examiner notes
✗ Modifying original evidence
✗ Breaking chain of custody
✗ Missing peer review
Key insight: Your report represents your investigation. Take the time to make it professional, complete, and defensible.
Real-World Context
What Professional Investigators Say:
"The best investigators I've worked with share one trait: they let the evidence guide them rather than forcing evidence to fit their theory. They document obsessively, question assumptions constantly, and know when to ask for help." — DFIR Team Lead, Fortune 500
"Your report is your reputation. I've seen technically excellent analysis destroyed by poor documentation. I've also seen straightforward findings become powerful evidence through meticulous reporting. The report matters as much as the analysis." — Expert Witness, Digital Forensics
"In twenty years of incident response, I've never had an investigation go exactly as planned. The initial hypothesis is usually wrong. What matters is the discipline to follow evidence wherever it leads and document the journey." — Principal Investigator, Consulting Firm
Career Paths in Digital Forensics:
Digital Forensics Career Options:
Corporate:
- Incident Response Analyst
- Digital Forensics Examiner
- Threat Intelligence Analyst
- Security Operations (SOC)
Consulting:
- DFIR Consultant
- Expert Witness
- Forensic Specialist
Law Enforcement:
- Computer Crimes Investigator
- FBI Cyber Division
- State/Local Digital Forensics
Certifications to Pursue:
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Certified Forensic Analyst (GCFA)
- EnCase Certified Examiner (EnCE)
- AccessData Certified Examiner (ACE)
- Certified Computer Examiner (CCE)
Continued Learning:
- SANS DFIR courses
- Vendor-specific training
- CTF competitions
- Open source tool contributions
- Research and publication
This capstone prepares you for real-world forensic work. The skills you've developed are directly applicable to professional digital forensics roles.
Capstone Lab: Full Investigation
Complete a full forensic investigation using the scenario and evidence provided. This is your opportunity to demonstrate mastery of all course material.
Lab Environment:
- SIFT Workstation or equivalent forensic VM
- Practice forensic images (provided or from public sources)
- All tools covered in the course
- Report template
Exercise Steps:
- Review case scenario and evidence inventory
- Plan investigation approach and document timeline
- Conduct initial triage and provide preliminary findings
- Perform comprehensive disk forensics
- Analyze memory dump for malware and activity
- Review logs for authentication and lateral movement
- Analyze network traffic for C2 and exfiltration
- Conduct malware analysis on any samples found
- Build comprehensive super timeline
- Write complete forensic report
Reflection Questions:
- What was the most challenging aspect of the investigation?
- What would you do differently if starting over?
- What additional evidence would have helped?
- How has this course prepared you for real-world forensics?
Week Outcome Check
By completing the capstone, you should demonstrate ability to:
- Apply complete forensic methodology to realistic scenarios
- Integrate multiple evidence sources into coherent analysis
- Conduct disk, memory, network, and log forensics
- Analyze malware and extract indicators of compromise
- Build comprehensive timelines from multiple sources
- Write professional forensic reports for multiple audiences
- Develop actionable recommendations based on findings
- Document analysis to professional and legal standards
🛡️ Capstone Extension: Enterprise Breach
Extend the capstone into a multi-stage breach investigation (initial access → lateral movement → exfiltration).
- Combine memory, disk, network, and log evidence
- Reconstruct full timeline with pivot points
- Identify root cause and containment actions
- Produce an executive summary + remediation roadmap
🎯 Hands-On Labs (Free & Essential)
Execute a full DFIR workflow before moving to reading resources.
🎮 TryHackMe: DFIR
What you'll do: Investigate a realistic scenario and produce evidence-based findings.
Why it matters: This mirrors a full DFIR engagement from triage to report.
Time estimate: 3-4 hours
🛡️ CyberDefenders: DFIR Challenge
What you'll do: Complete a DFIR challenge and document evidence, timeline, and IOCs.
Why it matters: Challenge-style cases reinforce end-to-end analysis.
Time estimate: 3-4 hours
📝 Lab Exercise: Capstone Case File
Task: Assemble a full case file with evidence inventory, timeline, and report.
Deliverable: Evidence log, timeline CSV, and final forensic report.
Why it matters: Professional DFIR is judged by documentation quality.
Time estimate: 3-4 hours
🛡️ Lab: Enterprise Breach Investigation
What you'll do: Complete the multi-stage breach extension with full reporting.
Deliverable: Timeline, evidence map, and remediation roadmap.
Why it matters: Simulates enterprise DFIR expectations.
Time estimate: 3-4 hours
💡 Lab Tip: Keep a running evidence log while you investigate—don’t backfill later.
Resources
Capstone Deliverables
Submit the following deliverables for capstone evaluation: