#status/done

Core Principles of DFIR

  1. Everything is the result of some action: Nothing happens on a computer system without something happening, things do not simply happen by themselves.
  2. Locard's Exchange Principle[1]: When two objects come into contact with each other, material is exchanged between them. This applies to the digital realm, as well; when two computers come into "contact", "material" or data regarding the connection and interaction is exchanged between them. Some artifact of the activity will be created, and many continue to exist for a significant period of time.
  3. Direct and Indirect Artifacts
    • Direct: When something happens on an endpoint like when a program is executed, or when a user interacts with the endpoint in some way, there are artifacts that are created as a direct result of that interaction. Think of this as a video camera pointed directly at the "scene of the crime", recording direct interactions between the threat actor and the target victim.
    • Indirect: Those artifacts are created as a result of the program or threat actor interacting with the ecosystem or "environment". A great way to think of indirect artifacts is having video cameras near the scene of a crime, but not pointed directly at the scene itself. There may be a video camera across the street or around the corner, pointed in a different direction, but it captures video of the threat actor arriving in a car, and then leaving several minutes later.

[2]

Relevant Note(s):

  1. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8544144/#:~:text='Locard's Exchange Principle'%20in%20forensic,–1966)%2C%20a%20criminologist. ↩︎

  2. http://windowsir.blogspot.com/2023/06/dfir-core-principles.html ↩︎