Managing a DFIR Knowledge Base
Inspired by "The Structure and Taxonomy of a Detection Knowledge Base" (Regan, Detect FYI, May 2024), I wanted to share this Notion DB focused on DFIR which I’ve been working on.
The challenge
I find that investigations, especially in intrusion forensics*, tend to lack a standard approach. This isn’t just standardisation in the sense of the tooling used or the process followed; it’s the methodology and the knowledge used to drive the engagement.
The result is that things slip through the net, or findings arrive later than expected, and every late finding pushes containment back with it. Part of the issue is that knowledge in DFIR is disparate, unvalidated, tribal, or missing key technical context.
* forensics engagements that aren’t entirely predicated on the idea of litigation.
Enter… The Artefactory
Using Notion’s Database feature, I was able to list as many DF artefacts as I could bring to mind, starting with Windows systems. The Notion DB feature then allows you to add custom tags to enrich the knowledge, and each row has its own page to jump into.
As an example, I’ve been able to create columns such as:
- Tools
- ATT&CK Mapping
- Analysis Objective — At the 2022 SANS DFIR Summit, Gerard Johansen (RedCanary) presented the concept of tying analysis stages to stakeholder questions.
- SANS Artefact Group
- SANS Forensics Category
- Whether the artefact is collected by an existing KAPE target
- Estimated time to analyse (useful for scoping analysis time if you’re in the commercial world)
Using this to standardise an approach
Now, when you’re tasked with ‘Identifying Exfiltration’, or handed a stakeholder question such as ‘How did they maintain persistence for so long?’, you can use this database schema to guide the investigation. When a similar question comes up again, the investigation is driven by standardised knowledge that you constantly update, rather than by whatever the analyst on shift happens to remember.
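As an added example (this is not the author’s Notion database or its contents), the same schema can be expressed as a small Python catalogue and queried so that a stakeholder question becomes an artefact checklist with a time estimate and a list of anything a KAPE target run will not pick up. The rows, tool names, ATT&CK mappings, group labels and minute estimates below are constructed for illustration and are not taken from the Artefactory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Artefact:
    """One row of the knowledge base; fields mirror the Notion columns described above."""
    name: str
    tools: tuple                 # parsers/tools used to analyse it
    attack_techniques: tuple     # ATT&CK technique IDs the artefact can evidence
    analysis_objectives: tuple   # stakeholder questions (analysis stages) it helps answer
    sans_artefact_group: str     # SANS poster artefact group (illustrative labels)
    sans_category: str           # SANS forensics category (illustrative labels)
    in_kape_target: bool         # collected by an existing KAPE target?
    est_minutes: int             # estimated analysis time, used for scoping


# Constructed sample rows: illustrative only, not the contents of the Artefactory.
ARTEFACTORY = (
    Artefact("Prefetch", ("PECmd",), ("T1204.002",), ("Execution", "Initial Access"),
             "Program Execution", "Windows", True, 20),
    Artefact("Amcache", ("AmcacheParser",), ("T1204.002",), ("Execution",),
             "Program Execution", "Windows", True, 30),
    Artefact("Registry Run keys", ("RECmd",), ("T1547.001",), ("Persistence",),
             "System Information", "Windows", True, 15),
    Artefact("Scheduled tasks", ("EvtxECmd",), ("T1053.005",), ("Persistence", "Execution"),
             "System Information", "Windows", True, 25),
    Artefact("Browser history", ("Hindsight",), ("T1567.002",), ("Exfiltration",),
             "Browser Usage", "Windows", True, 45),
    Artefact("SRUM network usage", ("SrumECmd",), ("T1041",), ("Exfiltration",),
             "Network Activity", "Windows", True, 40),
    Artefact("Memory image", ("Volatility",), ("T1055",), ("Execution", "Defense Evasion"),
             "System Information", "Memory", False, 120),
)


def plan_for(objective, catalogue=ARTEFACTORY):
    """Artefacts that answer a stakeholder question, quickest first, plus the total estimate.

    Returns (list_of_artefacts, total_minutes); an unknown objective gives ([], 0).
    """
    hits = sorted((a for a in catalogue if objective in a.analysis_objectives),
                  key=lambda a: (a.est_minutes, a.name))
    return hits, sum(a.est_minutes for a in hits)


def artefacts_for_technique(technique_id, catalogue=ARTEFACTORY):
    """Rows mapped to an ATT&CK technique; a parent ID (e.g. T1547) also matches its sub-techniques."""
    def covers(t):
        return t == technique_id or t.startswith(technique_id + ".")
    return [a for a in catalogue if any(covers(t) for t in a.attack_techniques)]


def collection_gaps(objective, catalogue=ARTEFACTORY):
    """Names of artefacts needed for the objective that a KAPE target run will not collect,
    i.e. the items that need a separate acquisition step before analysis can start."""
    hits, _ = plan_for(objective, catalogue)
    return [a.name for a in hits if not a.in_kape_target]


def checklist(objective, catalogue=ARTEFACTORY):
    """Render the plan as text lines an analyst can paste into the case notes."""
    hits, total = plan_for(objective, catalogue)
    lines = [f"Objective: {objective} (est. {total} min)"]
    for a in hits:
        src = "KAPE" if a.in_kape_target else "MANUAL ACQUISITION"
        lines.append(f"- {a.name} [{src}] tools={', '.join(a.tools)} "
                     f"ATT&CK={', '.join(a.attack_techniques)} ~{a.est_minutes} min")
    return lines


if __name__ == "__main__":
    for question in ("Exfiltration", "Persistence", "Execution"):
        print("\n".join(checklist(question)))
        print()
```

The point of the `collection_gaps` query is the KAPE column: if a stakeholder asks about execution and the plan includes an artefact no target collects, the acquisition request goes out on day one instead of after the first round of analysis comes back empty.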