Chaos to Clarity: Why Triage is Not Optional

As someone who works, lives and breathes in the world of Digital Forensics and Incident Response (DFIR), there is one skill that I think is often overlooked: triage. It is a step we often skip because we want to jump straight into forensic analysis. However, skipping triage often means you have no idea where to start looking.

Surgery without Pre-Op

In my mind, forensic analysis is surgery. Most people would be very uncomfortable going to the doctor and being told surgery is necessary right away without pre-op. It does happen, but very rarely and only in extremely critical scenarios. In most situations, you go through various screenings and questions to ensure the surgery is successful. Even if you are picked up in an ambulance, the first thing the crew does is triage, so they have as much information as possible to direct appropriate care at the hospital. My point is, forensic analysis should not be the first thing you do; you should have much more information before getting to this point, and this is where scoping and triage come in.

I’ve talked at length about scoping already so today I’ll be focusing on triage.


Contain and Identify

In my definition, triage is taking steps to contain potential malware and identify leads to better understand an impending threat.


So, what does triage entail? Here are a few examples of what you should consider, depending on the scenario:

Triaging a system

  • Review why the system was flagged (alert, notification, error code)
  • Document system information (hostname, users, IP, purpose)
  • Ensure any potential threats are contained (isolation, file quarantine, disable account)
  • Collect forensic evidence (Sign-Ins logs, configuration, Audit logs)
  • Review evidence for indicators

Triaging a user

  • Review why the user was flagged (alert, notification, error code)
  • Document the user profile (usernames, role/title, location, known devices)
  • Ensure any potential threats are contained (disable account, restrict access)
  • Collect forensic evidence (Logs, forensic artifacts, configuration, memory)
  • Review evidence for indicators

Mastering the Art

Triage sounds extremely simple, but you will find yourself scattered during a live incident, so it’s important to keep a cool head and practice when you can. Try it out during a CTF or tabletop exercise, or test yourself on a case! Here are a few things to keep in mind as you go through triage to make yourself shine.

Never stop writing (or typing)!

Your memory sucks! No really, it does. Make sure you are documenting everything you learn as you go through triage. This will be extremely valuable as a reference document during any future forensic analysis. If you need a place to put your notes, check out my scoping doc.

Timestamp everything!

Time moves forward; if you forget to note the time, building a timeline later will be very difficult. Here are a few timestamps you should be sure to document:

  • Initial system alert or report timestamp
  • When you access the system
  • Execution of commands for evidence collection
  • Expected/Confirmed end user actions
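The checklists above (document the system, collect evidence, review it) and the rule of timestamping everything fit naturally into a small triage journal. The following is an added example, not code from the original post: a Python journal that records each event with a UTC timestamp, records each evidence-collection command with its start time and a SHA-256 of the output (so the collected artifact can be checked for integrity later), and exports the entries as a chronological timeline. The hostname comes from platform.node(); the analyst name, the alert text, the sign-in log line and the `export-signin-log` command are constructed placeholders, and the sample run uses a fake runner so nothing is actually executed.

```python
"""Triage journal: timestamped, hashed notes of what was collected and when.

Added example (not from the original post). Hostname comes from platform.node();
the analyst name, alert text, command name and command output are constructed
sample values, not real incident data.
"""
from __future__ import annotations

import hashlib
import json
import platform
import subprocess
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional


def utc_now() -> str:
    """ISO-8601 UTC timestamp; always note time in UTC so timelines line up."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _run_command(argv: List[str]) -> bytes:
    """Default runner: execute the collection command and return its stdout."""
    return subprocess.run(argv, capture_output=True, check=False).stdout


@dataclass
class Entry:
    ts: str                       # when it happened (or when the analyst acted)
    kind: str                     # alert | user_action | access | command | note
    detail: str
    sha256: Optional[str] = None  # hash of collected output, for later integrity checks


@dataclass
class TriageJournal:
    hostname: str
    analyst: str
    entries: List[Entry] = field(default_factory=list)

    def note(self, kind: str, detail: str, ts: Optional[str] = None) -> Entry:
        """Record an event; pass ts for events that happened before you arrived."""
        entry = Entry(ts or utc_now(), kind, detail)
        self.entries.append(entry)
        return entry

    def record_command(self, argv: List[str],
                       runner: Callable[[List[str]], bytes] = _run_command) -> Entry:
        """Run an evidence-collection command; record argv, start time and output hash."""
        started = utc_now()
        output = runner(argv)
        entry = Entry(started, "command", " ".join(argv), hashlib.sha256(output).hexdigest())
        self.entries.append(entry)
        return entry

    def timeline(self) -> List[Entry]:
        """Entries in chronological order (stable sort keeps insertion order on ties)."""
        return sorted(self.entries, key=lambda e: e.ts)

    def to_json(self) -> str:
        """Export the journal for the scoping doc or a later forensic report."""
        return json.dumps({"hostname": self.hostname, "analyst": self.analyst,
                           "entries": [asdict(e) for e in self.timeline()]}, indent=2)


# Constructed sample values (placeholders, not real incident data).
SAMPLE_ALERT_TS = "2024-03-01T08:12:00+00:00"
SAMPLE_USER_ACTION_TS = "2024-03-01T07:58:00+00:00"
SAMPLE_OUTPUT = b"2024-03-01 08:10:03 sign-in user=jdoe src=10.0.0.5 result=success\n"
SAMPLE_OUTPUT_SHA256 = hashlib.sha256(SAMPLE_OUTPUT).hexdigest()


def build_sample_journal() -> TriageJournal:
    """Walk the triage checklist against constructed data; no real command is executed."""
    journal = TriageJournal(hostname=platform.node() or "unknown-host",
                            analyst="analyst-placeholder")
    # Events that predate the analyst's access get their original timestamps.
    journal.note("alert", "EDR alert on workstation (constructed)", ts=SAMPLE_ALERT_TS)
    journal.note("user_action", "User reports an unexpected prompt (constructed)",
                 ts=SAMPLE_USER_ACTION_TS)
    journal.note("access", "Analyst connected to the system to collect evidence")
    # 'export-signin-log' is a placeholder command; the fake runner returns canned output.
    journal.record_command(["export-signin-log", "--last", "24h"],
                           runner=lambda argv: SAMPLE_OUTPUT)
    return journal


if __name__ == "__main__":
    print(build_sample_journal().to_json())
```

Because every entry carries its own timestamp, events reported to you after the fact (the user's action, the original alert) still sort into the right place in the timeline, and the output hash recorded at collection time lets you prove later that the artifact you analyse is the one you collected.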

Ask the right questions!

Keep in mind, the goal is to contain and identify, so avoid the temptation to fall down the rabbit hole. If you ever get stuck trying to think of the right question or hypothesis, try using the 5 W’s. Here are some examples to get your mindset in the right place.

  • WHO has logged into the system?
  • WHAT is the purpose of the system?
  • WHERE is the system located within the network? Physically?
  • WHEN was the system flagged or reported?
  • WHY was the system flagged or reported?

If you haven’t noticed already, you are essentially creating your scoping questions.

Know your limits!

The number of systems/users to triage can differ greatly depending on the incident. Typically, it should start small, ideally with one system or user. As you continue your triage, the list of systems or accounts will likely grow. This is why triage is not necessarily quick; however, as you continue down the list you should notice trends and similarities. Scoping should give you a perspective on where to start, but sometimes triage may be more helpful as the first step toward asking the right questions.

Tools can help, but should not be relied on!

There are tons of triage tools and scripts that collect a lot of this information for you. Some of them are built right into endpoint tools, which makes it even easier. However, make sure you understand HOW these tools are collecting the relevant information and artifacts. In my opinion, you shouldn’t use a tool until you know WHAT it is for and HOW it works. You can’t use a hammer to check your tire pressure. Here’s a few that I’ve used successfully in the past:

There are tons of other tools, so do some digging and see what fits best for you. Remember to validate and understand what a tool is doing first!


Conclusion

Triage is not just performed by DFIR professionals; in fact, it is a skillset I believe is much more applicable for folks like Security Operations Center (SOC) analysts, cybersecurity analysts, and even sysadmins. The objective of triage is not necessarily to find all the answers, as forensic analysis does; it is to provide as much context as possible to generate hypotheses about the situation. Many times, triage may be enough to answer the questions, but that should not be the primary goal, especially early in an investigation.

In reality, a cybersecurity role will involve a lot more triage than actual forensic analysis. So, the better you get at triage, the more forensics you can do, which I know is what most of you are really itching for. I guarantee you will have much more real-world experience when it comes to triage, so why not flex those skills a bit? I promise it is what will separate you as a true investigator, not just someone who knows what the Prefetch is.

All the best and reach out anytime,

Terryn Valikodath

Twitter: @CyberCoat

Mastodon: @ChocolateCoat@infosec.exchange

LinkedIn: terrynvalikodath

GitHub: https://github.com/chocolatecoat/
