DFIR, Digital Forensics, Incident Response, Triage. Are they all the same?

Over recent months I have noted that the term Digital Forensics, although used as a single label, can mean quite different things to different readers.

Organisations embrace these terms, but the definitions differ from one organisation to the next. This is one of the areas I discuss in my lectures.

Oxford Dictionary defines 'forensics' as the following:

Relating to or denoting the application of scientific methods and techniques to the investigation of crime (this can likely be applied to any structured investigation)

Or

Scientific tests or techniques used in connection with the detection of crime.

In my opinion, this simply means that the term forensics covers how a conclusion was reached: the methods applied must be repeatable and scientifically sound, so that they can support or refute a hypothesis about the sequence of events.

Applied to the digital world, 'digital forensics' is commonly used to mean an action rather than a method. For example, parsing Prefetch files to identify application execution is labelled digital forensics, even though Prefetch is only one of several sources that can show execution.

In my view, however, the parsing itself is merely computer science. How the files were obtained and parsed, and whether the conclusions drawn from them are scientifically defensible, is governed by forensic discipline. By extension, a practitioner's understanding of computer science directly affects their diligence and competency as a digital forensic practitioner, as does their knowledge of the law.

Although organisations can deploy digital forensic tools, this does not make the people using them digital forensic practitioners. Triage is heavily based on computer science; digital forensic techniques may help with parsing or recovering the data, but that does not make triage a digital forensics role. Granted, because of the depth of computer science knowledge involved, digital forensic practitioners have many transferable skills within information security, especially in incident response.

Knowing the principles of digital forensics and applying them across computer science, the legal framework and investigative doctrine may explain why the term Digital Forensic Incident Responder was coined, and why it often seems centred on tools rather than forensic science. In the incident response space at least, this is producing a number of digital forensic experts who depend on tools and process rather than on understanding and investigative strategy.

This divergence leads to IR analysts, DFIR analysts and digital forensic practitioners being labelled or categorised the same, while not necessarily being equally competent across a variety of circumstances.

"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." - Sun Tzu