Forensic Triage

intermediate · 35 min · Writeup

Quick forensic analysis during incidents

Learning Objectives

  • Perform quick triage
  • Collect volatile evidence
  • Identify IOCs
  • Determine scope of incident

Forensic Triage is rapid analysis during an incident to quickly understand what happened. Unlike full forensic investigation (which takes days/weeks), triage gives you answers in minutes/hours. The goal: determine scope, identify IOCs, and guide containment.

Think of triage like an ER doctor doing a quick assessment. They don't run every test immediately - they check vitals, ask key questions, and decide what's urgent. Similarly, forensic triage checks key artifacts to understand the situation fast.

Triage vs Full Forensics

Triage: quick assessment during an active incident; optimised for speed and actionable intel. Full forensics: thorough investigation for legal proceedings or deep analysis; optimised for completeness and chain of custody. Triage is not a licence to skip documentation: record what you ran, when, and on which host, because triage output frequently becomes evidence later.

Order of Volatility

Order of Volatility - Collect Most Volatile First:

MOST VOLATILE (Collect ASAP!)
─────────────────────────────────────────────────────────────────
1. CPU Registers, Cache, RAM (Memory)
   └── Lost on power off
   └── Contains: running processes, network connections,
       encryption keys, malware that exists only in memory

2. Network State
   └── Current connections, ARP cache, routing table
   └── Lost when connections close or caches expire (ARP entries age out in minutes)

3. Running Processes
   └── What's executing now, with which arguments, as which user
   └── Lost on process termination

4. Open Files / Temporary File Systems
   └── What's being accessed; /dev/shm and often /tmp are tmpfs, i.e. they live in RAM
   └── Changes constantly

LESS VOLATILE
─────────────────────────────────────────────────────────────────
5. Disk / Storage
   └── Persists through reboot
   └── But can be modified/deleted, and every action you take on the host changes it

6. Removable Media
   └── May be removed from the scene

7. Logs (Remote)
   └── Should already be preserved elsewhere (SIEM, syslog collector)

8. Backups / Archives
   └── Historical state

Key Principle: Collect in order of volatility!
Memory before disk. Process list before power off.

Memory is Critical

Modern malware often runs only in memory ("fileless"). If you power off without capturing memory, you lose the malware entirely, so capture memory before shutdown whenever possible. Two caveats: the capture tool itself runs in memory and overwrites a little of it (acceptable, but note the tool and version in your log), and the image must be written to external media or a network share, never to the suspect disk, where it would overwrite unallocated space you may later need.

Memory Triage

bash
# Memory Acquisition Tools
# Write the image to external media or a network share, never to the suspect disk.

# Windows - Live Memory Capture
# DumpIt (free, simple)
DumpIt.exe
# Writes a .dmp file to the current directory, so run it from the evidence drive

# WinPMEM (originally from the Rekall project, now maintained by Velocidex)
winpmem_mini_x64.exe E:\Evidence\memory.raw

# Belkasoft RAM Capturer (GUI, free)
# FTK Imager (GUI, free)

# Linux
# LiME (Linux Memory Extractor) - the module must be built for the running kernel
insmod lime.ko "path=/mnt/evidence/memory.lime format=lime"

# Memory Analysis with Volatility
─────────────────────────────────────────────────────────────────
# Volatility 3 (current version)
vol -f memory.dmp windows.info      # OS/kernel build; confirm symbols resolve before trusting any plugin
vol -f memory.dmp windows.pslist    # Running processes (from the kernel's process list)
vol -f memory.dmp windows.pstree    # Process tree
vol -f memory.dmp windows.cmdline   # Command lines
vol -f memory.dmp windows.netscan   # Network connections
vol -f memory.dmp windows.malfind   # Find injected code
vol -f memory.dmp windows.dlllist   # Loaded DLLs

# Key Questions Memory Answers:
├── What processes are running?
├── What network connections exist?
├── Is there code injection?
├── What commands were executed?
├── Are there suspicious DLLs loaded?
└── What's in clipboard/environment?
bash
# Volatility Triage Examples

# 1. List processes (look for suspicious names, including near-misses of system names such as svch0st.exe)
vol -f memory.dmp windows.pslist | grep -iE "cmd|power|wscript"

# 2. Find suspicious parent-child relationships
vol -f memory.dmp windows.pstree
# Look for: WINWORD.EXE → cmd.exe → powershell.exe, or services.exe children that are not services

# 3. Network connections (C2 detection)
vol -f memory.dmp windows.netscan | grep ESTABLISHED
# Check for unusual external connections and note the owning PID

# 4. Command line arguments (what was executed)
vol -f memory.dmp windows.cmdline
# Look for: encoded commands (-enc / -EncodedCommand), -nop -w hidden, suspicious arguments

# 5. Find injected/hidden code
vol -f memory.dmp windows.malfind
# Detects code injection and hollowing via private RWX regions; expect some false positives from JIT runtimes

# 6. Dump suspicious process
vol -f memory.dmp windows.pslist --dump --pid 1234

# 7. Scan for known malware strings
# Noisy: "password" and "admin" appear in every image; reserve this for specific IOCs
strings memory.dmp | grep -iE "password|admin|mimikatz"

# 8. Check environment variables
vol -f memory.dmp windows.envars --pid 1234

Disk Triage

bash
# Disk Triage - Key Artifacts

# Windows Key Locations
─────────────────────────────────────────────────────────────────
C:\Windows\Prefetch\                        # Execution artifacts (.pf files)
C:\Windows\AppCompat\Programs\Amcache.hve   # Amcache (program inventory); ShimCache lives in the SYSTEM hive
C:\Windows\System32\config\                 # Registry hives (SYSTEM, SOFTWARE, SAM, SECURITY)
C:\Windows\System32\winevt\Logs\            # Event logs (.evtx)
C:\$MFT                                     # Master File Table
C:\Users\*\NTUSER.DAT                       # User registry
C:\Users\*\AppData\                         # User application data (browser profiles, UsrClass.dat)

# Quick Triage Tools
─────────────────────────────────────────────────────────────────
# KAPE (Kroll Artifact Parser and Extractor)
kape.exe --tsource C: --tdest E:\Evidence --target !SANS_Triage

# Collects:
├── Event logs
├── Registry hives
├── Prefetch files
├── Browser history
├── Scheduled tasks
└── And more...

# Registry Analysis (RegRipper) - run against the hive copies KAPE exported, not the live files
rip.pl -r SYSTEM -p services          # Services
rip.pl -r SYSTEM -p usbdevices        # USB history
rip.pl -r NTUSER.DAT -p userassist    # Executed programs
rip.pl -r SAM -p samparse             # User accounts

# Prefetch Analysis (--csv takes an output DIRECTORY, not a file name)
PECmd.exe -d C:\Windows\Prefetch --csv E:\Output
# Shows: Program name, execution count, timestamps

# Timeline Creation
MFTECmd.exe -f "C:\$MFT" --csv E:\Output
# File-system timeline from the MFT; load the CSV in Timeline Explorer

Key Artifacts

Key Forensic Artifacts by Question:

"WHAT EXECUTED?" (Program Execution)
─────────────────────────────────────────────────────────────────
├── Prefetch (.pf files)
├── UserAssist (NTUSER.DAT)
├── ShimCache (AppCompatCache, SYSTEM hive)
├── Amcache.hve
├── BAM/DAM (SYSTEM hive, Win10+)
└── RecentApps (NTUSER.DAT)

"WHAT FILES WERE ACCESSED?"
─────────────────────────────────────────────────────────────────
├── Recent Files (LNK files)
├── Jump Lists
├── ShellBags
├── OpenSaveMRU (NTUSER.DAT)
├── Office Recent Files
└── $MFT timestamps

"WHAT WAS DOWNLOADED?"
─────────────────────────────────────────────────────────────────
├── Browser history
├── Downloads folder
├── Zone.Identifier (ADS; on current Windows it can record the origin URL)
├── Edge/Chrome cache
└── Email attachments

"DID ATTACKER PERSIST?"
─────────────────────────────────────────────────────────────────
├── Run/RunOnce keys (Registry, both HKLM and HKCU)
├── Scheduled tasks
├── Services
├── Startup folder
├── WMI event subscriptions
└── DLL search order hijack

"WHAT ACCOUNTS WERE USED?"
─────────────────────────────────────────────────────────────────
├── SAM (local accounts)
├── Security event logs (4624 logon / 4625 failed logon; check the Logon Type)
├── RDP bitmap cache
├── Credential Manager
└── LSA Secrets

"WHAT WAS CONNECTED?"
─────────────────────────────────────────────────────────────────
├── USB devices (SYSTEM hive)
├── Network shares (NTUSER.DAT)
├── Wireless networks (SOFTWARE hive)
└── VPN connections

Triage Tools

Triage Toolkits:

COLLECTION TOOLS
─────────────────────────────────────────────────────────────────
KAPE           │ Artifact collection, highly customizable
               │ Free for internal use (targets/modules maintained by the community)

Velociraptor   │ Remote collection at scale
               │ Free, open source, powerful

CyLR           │ Lightweight collection tool
               │ Free, runs from USB

ANALYSIS TOOLS
─────────────────────────────────────────────────────────────────
Volatility     │ Memory analysis
               │ Free, open source, standard

Autopsy        │ Disk forensics GUI
               │ Free, open source

Eric Zimmerman │ Various parsing tools
Tools          │ MFTECmd, PECmd, RECmd, etc.
               │ Free, industry standard

Registry       │ Parses registry artifacts
Explorer       │ Free

AUTOMATED TRIAGE
─────────────────────────────────────────────────────────────────
Chainsaw       │ Fast Windows event log analysis
               │ Uses Sigma rules

Hayabusa       │ Fast event log timeline creation and hunting
               │ Uses Sigma rules

THOR           │ IOC scanner
               │ Commercial (THOR Lite is free)

Plaso /        │ Creates the "super timeline" from many artifact types
log2timeline   │ Free, open source

Timeline       │ Viewer for CSV timelines (Plaso exports, EZ Tools output)
Explorer       │ Free (Eric Zimmerman); it does not build timelines itself

Eric Zimmerman Tools

The "EZ Tools" are essential for Windows forensics. Download them all at ericzimmerman.github.io. Key tools: MFTECmd (MFT parsing), PECmd (Prefetch), RECmd (Registry), EvtxECmd (Event logs).

Linux Triage

bash
# Linux Forensic Triage

# Key Locations
─────────────────────────────────────────────────────────────────
/var/log/                          # System logs (auth.log on Debian/Ubuntu, secure on RHEL; journalctl on systemd hosts)
/etc/passwd                        # User accounts (look for UID 0 accounts other than root)
/etc/shadow                        # Password hashes
/home/*/.bash_history              # Command history (also /root/.bash_history; trivially deleted, so absence is itself a finding)
/tmp/ /dev/shm/                    # Temporary files, a favourite drop location
/etc/crontab /etc/cron.d/          # Scheduled jobs (plus per-user crontabs under /var/spool/cron)
/etc/init.d/ /etc/systemd/system/  # Startup scripts and unit files
~/.ssh/                            # SSH keys, authorized_keys, known_hosts

# Quick Triage Commands
─────────────────────────────────────────────────────────────────
# Currently logged in users
w
who
last

# Recent authentication
tail -100 /var/log/auth.log                 # or /var/log/secure on RHEL
journalctl -u sshd --since "1 day ago"      # unit is "ssh" on Debian/Ubuntu
lastlog

# Running processes
ps auxf
pstree -pa

# Network connections (-l alone shows only listening sockets; -a includes established ones)
ss -antp
ss -anup
netstat -antp                               # legacy hosts without ss
lsof -i

# Open files
lsof -n -P

# Recent files (-xdev stays on the local filesystem and skips network/pseudo mounts)
find / -xdev -mtime -1 -type f 2>/dev/null | head -100

# Cron jobs
crontab -l
cat /etc/crontab
ls -la /etc/cron.*
ls -la /var/spool/cron/crontabs/ 2>/dev/null   # per-user crontabs (Debian); /var/spool/cron/ on RHEL

# Startup services
systemctl list-unit-files --type=service --state=enabled

# SSH keys (authorized_keys) - root's included
cat /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys

# Memory with LiME: write to external media or a network socket, never to /tmp
# (/tmp is frequently a tmpfs, i.e. the very memory you are imaging)
insmod lime.ko "path=/mnt/evidence/mem.lime format=lime"
insmod lime.ko "path=tcp:4444 format=lime"     # then on the analyst box: nc <host> 4444 > mem.lime

Triage Methodology

Forensic Triage Workflow

1. Secure Scene - Isolate the system (network containment, not power-off) and document its state
2. Capture Memory - Most volatile, do it first
3. Collect Artifacts - KAPE or similar for key files
4. Quick Analysis - Process list, network connections, autoruns
5. Extract IOCs - Identify malware, C2 addresses, compromised accounts
6. Report - Document findings for the IR team
7. Decide - Is full forensics needed, or is this enough data?

Knowledge Check

Quick Quiz

Why should memory be collected before disk artifacts?

Challenges

Create a Triage Script

Challenge
🔥 intermediate

Write a simple bash script that collects key Linux triage data: current processes, network connections, cron jobs, and last 50 lines of auth.log. Save output to a file.


Key Takeaways

  • Triage is fast assessment - answers key questions in minutes, not days
  • Collect in order of volatility: memory first, then disk
  • Memory reveals running processes, connections, and fileless malware
  • Key Windows artifacts: Prefetch, Registry, Event Logs, MFT
  • KAPE collects artifacts; Volatility analyzes memory
  • Document everything - triage findings guide response actions