You have just been notified by a “TLA” (Three Letter Agency), a law enforcement agency, that your organization has suffered a data breach. Depending on your Threat Management Maturity level, you will either approach this methodically or ad-hoc. A TLA notification will generally involve leveraging the expertise of an Incident Response team, either your internal team, or a trusted third party, such as Cisco Security Incident Response Services.

Now that you have the notification, how are you going to further investigate? If you have rehearsed for a TLA notification through table-top exercises, you know to immediately activate your organization’s incident response plan. The result of a data breach to your organization can be a massive hit to your financials, impact branding, loss in consumer confidence, and involve legal or compliance obligations. During Incident Response activities, you will need to answer questions about the incident and historical artifacts that may, or may not be available on the endpoint. Attacker methodologies continue to evolve with anti-forensic techniques, such as timestomping and clearing event logs. Do you have the skills in-house to quickly and correctly triage any suspected compromised systems?

According to the Cisco 2017 Annual Cybersecurity Report, 50% of the respondents stated they used system log analysis, 36% of the respondents stated they used disk forensics, and 34% of the respondents stated they used memory forensics as a process to analyze compromised systems. All of these processes are critical to incident response. Most organizations either do not have a digital forensic capability, or fully outsource digital forensic capabilities to a 3rd party. This means that time to collection (“TTC”) critical host artifacts can be days, weeks, or even never, leading to loss of time-sensitive, or dynamic artifacts.

Figure 1: Processes to Analyze Compromised Systems

Digital forensics is required during Incident Response and will continue as new compromised systems are identified. Digital forensics also supports root cause analysis, which is required for your organization to recover from an incident. The National Institute of Standards and Technology (NIST) maintains a series of documents called the 800-Series Special Publications (SP). One document titled “NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response”, which describes the forensic process as follows:

Figure 2: NIST 800-86 Forensic Process

The NIST 800-series documentation provides guidelines, references, and recommendations for creating various computer security frameworks. These frameworks allow organizations to build out functioning capabilities, such as integrating forensic techniques during Incident Response.

As a senior incident responder with the Cisco Security Incident Response Services team, I have worked with many customers that have fallen victim to a data breach. Oftentimes and during the early hours of Incident Response, there are often “DIY” (do-it-yourself) processes that customers perform on compromised systems, prior to engaging with an external Incident Response team. While customers have the purest intentions to quickly remediate and get back to business as usual, oftentimes these DIY actions destroy volatile forensic artifacts that the attacker left behind in the environment. Specifically, I am referring to Locard’s exchange principle in forensic science, which states: “the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that can be used as forensic evidence.”

Figure 3: Triage Forensics Process

Fortunately, there are some forensically sound methodologies that you can perform to preserve digital evidence and save your organization on costs, legal/compliance issues, and even brand reputation long-term. A colleague and I will be teaching this Triage Forensics methodology (see Figure 3 above) at Cisco Live! US 2017: LTRSEC-2051 Triage Forensics. If you are an information security, network security, or an IT professional-that-wears-many-hats, and you are looking to wow your boss with new forensic super-powers, our instructor-led lab course is for you! Four (4) hours of technical, hands-on labs giving you the skills to go back to your organization prepared to be the superhero in the event your new Triage Forensics super-powers are needed for an Incident Response.


In the Preparation phase, students will learn why every successful Incident Response starts with preparation. Training, table-top exercises, budget, communication plans, processes, and even creating your own Incident Response Go-Bag with a gamified approach!


During Preservation, students will learn about rules of evidence, chain of custody, and proper note-taking. A hands-on lab exercise includes capturing physical memory, creating a forensic image (logical vs physical), and targeted artifact collection.


Over 50% of the course is lab intensive, where students will spend time performing basic forensic analysis on common artifacts critical to early incident response. Each lab is designed around common artifacts left behind by an attacker and quick-wins students will be able to implement into their organization’s incident response workflow upon return from Cisco Live US!

Reporting and Communication

Reporting and Communication rhythms are very important during the Incident Response. Generally, reporting is the last phase of the forensic process. Students learn the sections of an Incident Response report, and how to effectively communicate highly-technical material to the executive. Incident reports can be used as a tool to drive security budgets, allowing the organization’s threat management model to further mature.

Calling All SuperHeroes! Get the education, connections, and inspiration you need to be a Triage Forensics SuperHero! Come see Bruno Mars at Cisco’s Annual Customer Appreciation Event, and make sure you register for LTRSEC-2051: Triage Forensics!

We on the Cisco Security Incident Response Services team are standing ready to assist your organization maneuver treacherous waters during an incident and also those calm seas with our proactive Incident Response services portfolio.


Brad Garnett

Director/GM, Incident Response