In this walkthrough, we will be going through the DFIR (An Introduction) room from TryHackMe. This room covers an introduction to DFIR, some basic concepts used in the DFIR field, the Incident Response processes used in the industry and some of the tools used for DFIR. So, let's get started.
Task 1 – Introduction
Task 2 – The need for DFIR
Question 1 – What does DFIR stand for?
Digital Forensics and Incident Response
Question 2 – DFIR requires expertise in two fields. One of the fields is Digital Forensics. What is the other field?
Incident Response
Task 3 – Basic concepts of DFIR
Question 1 – Complete the timeline creation exercise in the attached static site. What is the flag that you get after completion?
THM{DFIR_REPORT_DONE}
Task 4 – DFIR Tools
Task 5 – The Incident Response process
Question 1 – At what stage of the IR process are disrupted services brought back online as they were before the incident?
Recovery
Question 2 – At what stage of the IR process is the threat evicted from the network after performing the forensic analysis?
Eradication
Question 3 – What is the NIST-equivalent of the step called “Lessons learned” in the SANS process?
Post-Incident Activity
Task 6 – Conclusion
So this was the "DFIR" room for you. We covered the basics of the Digital Forensics and Incident Response methodology, went through some of the tools that are actively used in the industry and completed a series of tasks to test the theory we learned throughout the room. This was an introductory room, but keep learning about the field on your own. I will also be covering more Blue Team material in the future, but until then, "Keep learning".