
What Is DFIR? Digital Forensics & Incident Response Explained
DFIR stands for Digital Forensics and Incident Response — the combined discipline of detecting, investigating and recovering from cyber incidents while preserving evidence in a way that holds up legally. This guide answers the most common DFIR questions: what the phases are, which tools matter, how chain of custody works in cloud environments, and what a good incident report looks like.
What is DFIR?
Digital Forensics and Incident Response (DFIR) is the discipline of detecting cyber attacks, containing them, eradicating the adversary, recovering operations, and preserving the digital evidence required to understand exactly what happened. DFIR sits at the intersection of incident response (operational) and digital forensics (investigative and often legal).
The DFIR process (NIST and SANS)
Two frameworks dominate: NIST SP 800-61 (Preparation → Detection and Analysis → Containment, Eradication and Recovery → Post-incident Activity) and SANS PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). They describe the same loop; PICERL simply splits NIST's combined containment/eradication/recovery phase into three.
1. Preparation
The phase that decides everything: incident response plan, runbooks, contact list, retainer with a DFIR firm, IR jump kit, baseline EDR coverage, centralized logging, and cloud audit logs enabled and exported. Every gap here (missing logs, no EDR, nobody on call) is paid for many times over in the later phases.
2. Detection and identification
Confirm that an incident is real, scope it and classify severity. Capture volatile evidence first (memory, current network connections, running processes) before containment actions, reboots or the attacker's own cleanup destroy that state.
3. Containment
Stop the spread without tipping off the attacker. Short-term: network isolation, credential rotation, blocking the C2 domain (each of these is visible to an adversary who is watching, so sequence them deliberately). Long-term: rebuilding affected segments and rotating secrets at scale.
4. Eradication
Remove the adversary from the environment. Wipe and rebuild compromised hosts; never just "clean" — modern implants survive AV scans.
5. Recovery
Bring systems back to known-good state. Validate with heightened monitoring before declaring the incident closed.
6. Lessons learned
Run a blameless post-mortem within 2 weeks. Output: detection backlog items, process changes, and an updated runbook. If no new detections were written, the post-mortem failed.
Order of volatility
Forensic evidence is collected from most volatile to least volatile so that the most transient state is captured before it changes or disappears. The canonical order (after RFC 3227): CPU registers and cache → RAM → network state, routing/ARP tables and running processes → temporary files → disk → remote logs and monitoring data → physical configuration and network topology. In cloud environments, snapshot the attached volumes and, where the provider or an in-guest agent supports it, acquire memory while the instance is still running; isolate it with a security group or network policy rather than stopping or terminating it, since stopping discards memory and terminating can delete volumes along with it.
DFIR tools
- Velociraptor — open-source endpoint hunting and live response.
- GRR Rapid Response — Google's scalable IR framework.
- KAPE — Kroll Artifact Parser and Extractor for triage collection.
- Volatility 3 — memory forensics.
- Plaso / log2timeline — supertimeline generation.
- Autopsy / The Sleuth Kit — disk forensics.
- Chainsaw, Hayabusa — Windows event log triage at scale.
- Arsenal Image Mounter — read-only mounting of forensic images.
Chain of custody
Chain of custody is the documented history of every piece of evidence: who collected it, when, where, with what tool, what hash, who handled it next, and when it was returned or destroyed. If the chain breaks, the evidence may be inadmissible. In practice this means hashing every artifact at collection time (SHA-256; MD5 alone is no longer adequate), recording every handoff in an append-only log, and keeping the originals on write-blocked media while analysts work on hash-verified copies.
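The manifest below puts the two preceding sections into working code: each artifact is hashed the moment it is collected, tagged with its order-of-volatility tier so the collection log can be printed most-volatile-first, every handoff is appended to the record, and hashes are recomputed before analysis or transfer. This is an added example written for this page, not the tooling of any product named above; the field names, the tier numbering and the JSON layout are my own choices.

```python
"""Chain-of-custody manifest for collected artifacts.

Added example for this page, not the tooling of any product it names.
Field names, tier numbering and on-disk layout are assumptions of this
example; the tiers follow the order-of-volatility list above.
"""
import hashlib
import json
import os
import socket
from datetime import datetime, timezone

# Order-of-volatility tiers: lower numbers must be collected first.
VOLATILITY = {
    "registers_cache": 1, "memory": 2, "network_process_state": 3,
    "temp_files": 4, "disk": 5, "remote_logs": 6, "physical_config": 7,
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-GB image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustodyManifest:
    def __init__(self, case_id, manifest_path):
        self.case_id = case_id
        self.manifest_path = manifest_path
        self.artifacts = []

    def collect(self, path, description, tool, tier, collector):
        """Record an artifact; the hash taken now is its identity from here on."""
        if tier not in VOLATILITY:
            raise ValueError(f"unknown volatility tier: {tier}")
        entry = {
            "id": f"{self.case_id}-{len(self.artifacts) + 1:04d}",
            "path": os.path.abspath(path),
            "description": description,
            "tool": tool,
            "tier": tier,
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            # The custody list is append-only: nothing in it is ever edited.
            "custody": [{"event": "collected", "by": collector,
                         "host": socket.gethostname(), "at": _now()}],
        }
        self.artifacts.append(entry)
        self.save()
        return entry["id"]

    def handoff(self, artifact_id, from_person, to_person, purpose):
        """Append a transfer record; the previous holder stays in the history."""
        entry = self.get(artifact_id)
        entry["custody"].append({"event": "handoff", "from": from_person,
                                 "to": to_person, "purpose": purpose, "at": _now()})
        self.save()

    def verify(self):
        """Recompute every hash. False means altered, swapped or missing."""
        result = {}
        for a in self.artifacts:
            try:
                result[a["id"]] = sha256_file(a["path"]) == a["sha256"]
            except OSError:
                result[a["id"]] = False
        return result

    def acquisition_order(self):
        """Artifact ids sorted most-volatile first, as the collection log should read."""
        return [a["id"] for a in sorted(self.artifacts, key=lambda a: VOLATILITY[a["tier"]])]

    def get(self, artifact_id):
        for a in self.artifacts:
            if a["id"] == artifact_id:
                return a
        raise KeyError(artifact_id)

    def save(self):
        """Persist after every change so a crash mid-collection loses nothing."""
        with open(self.manifest_path, "w") as f:
            json.dump({"case_id": self.case_id, "artifacts": self.artifacts}, f, indent=2)
```

Usage is `m = CustodyManifest("CASE-0001", "manifest.json")`, then `m.collect("memdump.raw", "memory dump", "winpmem", "memory", "analyst A")` for each artifact, `m.handoff(...)` at every transfer, and `m.verify()` before any analysis starts; a single `False` from `verify()` is grounds to stop and investigate before the artifact is used. The collector is a named person passed in explicitly, not the OS user, because the chain has to identify who is accountable rather than which account ran the script.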
Cloud DFIR is different
Cloud incidents change three things: you don't control the hypervisor (memory acquisition is limited to what the provider or an in-guest agent exposes), evidence exists only if audit logging was enabled and exported before the incident, and the blast radius is identity-shaped (roles, keys, tokens, assumed sessions), not network-shaped. The first action in any cloud incident is preserving the control-plane audit logs (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs): the provider's built-in event history is short (90 days for CloudTrail event history and for the Azure Activity Log) unless the logs are delivered to storage you control, so export them to an immutable bucket before they age out.
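An identity-shaped blast radius has to be traced as a graph of principals, not a list of hosts. The script below follows a compromised IAM user through every sts:AssumeRole hop recorded in CloudTrail, attributes the actions of each resulting session to the intrusion, and flags control-plane calls that attack the audit trail itself. It is an added example written for this page, not the page's or any vendor's tooling; the records are constructed for illustration (their field names follow the CloudTrail record format: eventTime, eventSource, eventName, userIdentity.arn, sourceIPAddress, requestParameters, responseElements, errorCode), and the list of evasion actions is my own starting point, not an exhaustive one.

```python
"""Trace a compromised AWS principal across sts:AssumeRole hops in CloudTrail
and flag actions that degrade the audit trail itself.

Added example for this page; the records below are constructed and the
LOGGING_EVASION set is an assumption of this example.
"""
from collections import deque

# Control-plane calls that reduce future visibility; extend to taste.
LOGGING_EVASION = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("cloudtrail.amazonaws.com", "PutEventSelectors"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
}


def _record(time, arn, source, name, **extra):
    """Build a constructed CloudTrail-shaped record for the sample below."""
    r = {"eventTime": time, "eventSource": source, "eventName": name,
         "userIdentity": {"arn": arn}, "sourceIPAddress": "198.51.100.23"}
    r.update(extra)
    return r


ALICE = "arn:aws:iam::111122223333:user/dev-alice"
ADMIN_SESSION = "arn:aws:sts::111122223333:assumed-role/AdminRole/i-0abc"
XACCT_SESSION = "arn:aws:sts::444455556666:assumed-role/CrossAccountAudit/i-0abc"
BOB = "arn:aws:iam::111122223333:user/bob"

# Constructed sample: a leaked user key, a role hop, log tampering, a
# cross-account hop, plus one unrelated user who must not be swept in.
SAMPLE_RECORDS = [
    _record("2024-05-03T09:01:12Z", ALICE, "sts.amazonaws.com", "GetCallerIdentity"),
    # Denied AssumeRole: no responseElements, so there is no session to follow.
    _record("2024-05-03T09:01:40Z", ALICE, "sts.amazonaws.com", "AssumeRole",
            errorCode="AccessDenied",
            requestParameters={"roleArn": "arn:aws:iam::111122223333:role/BillingRole"}),
    _record("2024-05-03T09:02:05Z", ALICE, "sts.amazonaws.com", "AssumeRole",
            requestParameters={"roleArn": "arn:aws:iam::111122223333:role/AdminRole"},
            responseElements={"assumedRoleUser": {"arn": ADMIN_SESSION}}),
    _record("2024-05-03T09:03:30Z", ADMIN_SESSION, "cloudtrail.amazonaws.com", "StopLogging",
            requestParameters={"name": "org-trail"}),
    _record("2024-05-03T09:04:10Z", ADMIN_SESSION, "s3.amazonaws.com", "ListBuckets"),
    _record("2024-05-03T09:05:00Z", ADMIN_SESSION, "iam.amazonaws.com", "CreateAccessKey",
            requestParameters={"userName": "backup-svc"}),
    _record("2024-05-03T09:06:45Z", ADMIN_SESSION, "sts.amazonaws.com", "AssumeRole",
            requestParameters={"roleArn": "arn:aws:iam::444455556666:role/CrossAccountAudit"},
            responseElements={"assumedRoleUser": {"arn": XACCT_SESSION}}),
    _record("2024-05-03T09:08:20Z", XACCT_SESSION, "s3.amazonaws.com", "GetObject",
            requestParameters={"bucketName": "finance-exports", "key": "q1.csv"}),
    _record("2024-05-03T09:09:00Z", BOB, "ec2.amazonaws.com", "DescribeInstances"),
]


def blast_radius(records, seed_arn):
    """Breadth-first walk from seed_arn over successful AssumeRole calls.

    Returns the identities reached (seed first), every action they took in
    time order, and the subset that matched LOGGING_EVASION.
    """
    by_actor = {}
    for r in records:
        # Some identity types (e.g. AWSService) carry no arn; they cannot seed a hop.
        arn = r.get("userIdentity", {}).get("arn")
        if arn:
            by_actor.setdefault(arn, []).append(r)

    identities, queue = [seed_arn], deque([seed_arn])
    actions, evasion = [], []
    while queue:
        actor = queue.popleft()
        for r in by_actor.get(actor, []):
            action = {"eventTime": r["eventTime"], "actor": actor,
                      "eventSource": r["eventSource"], "eventName": r["eventName"],
                      "sourceIPAddress": r.get("sourceIPAddress"),
                      "errorCode": r.get("errorCode")}
            actions.append(action)
            if (r["eventSource"], r["eventName"]) in LOGGING_EVASION:
                evasion.append(action)
            if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "AssumeRole":
                # A denied call has no responseElements; only a granted one yields a session.
                new_arn = (r.get("responseElements") or {}).get("assumedRoleUser", {}).get("arn")
                if new_arn and new_arn not in identities:
                    identities.append(new_arn)
                    queue.append(new_arn)
    actions.sort(key=lambda a: a["eventTime"])
    return {"identities": identities, "actions": actions, "evasion": evasion}


if __name__ == "__main__":
    result = blast_radius(SAMPLE_RECORDS, ALICE)
    print("identities reached:", *result["identities"], sep="\n  ")
    for a in result["actions"]:
        print(a["eventTime"], a["actor"].rsplit("/", 1)[-1], a["eventName"],
              "(DENIED)" if a["errorCode"] else "")
    print("evasion:", [e["eventName"] for e in result["evasion"]])
```

On real data, feed it the records from the exported trail (each CloudTrail log file is a JSON object with a `Records` array) and seed it with the principal named in the alert; every identity the walk reaches needs its credentials revoked and its session activity reviewed, and any hit in the evasion list marks the point after which the trail can no longer be trusted. The denied AssumeRole is kept in the action list on purpose: failed privilege escalation attempts are evidence of intent and of what the attacker knew to try.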
Ransomware-specific DFIR
Ransomware incidents add three workstreams on top of standard DFIR: identifying the strain and known decryptors, negotiating timelines with the actor (handled by specialists, not by the IT team), and managing notification obligations under GDPR / NIS2 / sector regulation. Paying the ransom is a legal and ethical decision, not a technical one.
Should I shut down a compromised machine immediately?
Almost never. Powering off destroys memory evidence and may trigger the attacker's destructive payload. Isolate from the network first; coordinate shutdown with forensics.
Do I need an external DFIR firm?
If you don't have a DFIR retainer and an experienced responder on call, yes. The first 24 hours decide the outcome; this is not the time to learn.
How long does a typical incident response take?
Rough figures for a mid-sized organization: detection-to-containment in 24–72 hours with preparation, 1–3 weeks without; full recovery and post-mortem, 4–8 weeks. Actual timelines depend on scope and on how long the intrusion went undetected.
What logs do I need to keep for cloud DFIR?
Cloud control-plane audit logs (AWS CloudTrail, Azure Activity Log, GCP Admin Activity and Data Access logs), identity logs (sign-in, MFA, role and policy changes), data-plane access logs for sensitive buckets and databases, and EDR telemetry from every VM. Keep them for 90 days at minimum, 1 year recommended, in storage that the principals compromised during an incident cannot modify or delete.
What's the difference between DFIR and threat hunting?
Threat hunting is proactive: searching for adversary behavior without an alert. DFIR is reactive: investigating a confirmed or strongly suspected incident.
We offer DFIR retainers with 1-hour SLA, plus IR readiness assessments and tabletop exercises.
→ Set up DFIR retainer