dfirnotes

GIAC Gold project & paper: paper draft, examples, scripts, resources

Paper Abstract

Free and open source scientific notebook software allows responders to perform analysis and record results simultaneously in an open, flexible, portable format for ease of sharing and reporting. Fully worked samples can improve analyst and responder mentoring and education. Use of notebook templates can encourage good practices, uphold standards, and improve investigative rigor for better DFIR science and better incident response. Suggested configuration options and server platform notes for SIFT3 explain notebook setup for forensics. The proposed workflow and methodology show how DFIR process and techniques are integrated into notebooks and SIFT server environment and a walk through a sample investigation in notebooks illustrates the advantages.

Files

• Paper draft in DOC, txt
• example notebooks:
• win5mem : Volatility memory analysis of WinXP: template, completed, slides
• Rekall demo notebook of @tekdefense Dark Comet analysis, with Jupyter slides
• logos, from openclipart.org originals, Inkscape
• paper graphs and images, full size & crops
• python samples :
• pscsv.py: Volatility process list with csv output
• install, new case scripts
• resources: Articles and conference presentations

License

Original works including paper, scripts, sample notebooks copyleft 2015 @adricnet and available for distribution and reuse under MIT license.

Products including @ipython GitHub, @sans-dfir SIFT3 available under their own licenses.