Investigation Scenario 🔎

An employee is suspected of having communicated company information to an outside person. You have an image of their hard drive.

What do you look for to investigate whether an incident occurred and its extent?

#InvestigationPath #DFIR #SOC

This is an intentionally broad scenario with limited evidence available. There are many ways information could have been communicated, so it helps to think about the most likely scenarios and where evidence of each would manifest on the disk image.

There's a debate about the most likely mechanism of communication, and several ways it might have happened are mentioned: e-mail, chat, USB drive, and so on. It depends a lot on the network and the tools in use there. The big challenge here is that there's no time bounding for the potential incident.

Having a time range within which to work in investigations is one of the best allies an analyst can have. We have so much data to deal with that limiting searches by time is the best way to filter down to a manageable amount of data.

Absent a time range, you're exploring ideas about the potential mechanism of communication. One approach I like is to identify which applications were executed, build a model of the ones typically used for communication, and then dig further based on what turns up there.

Many investigations, particularly those without specific leads, involve figuring out where to take the first bite and then narrowing down the data into reasonably bite-sized chunks.

With most investigations, you want to let your ideas and investigative questions lead the actions, then pursue data to answer/prove/disprove ideas and reveal more leads. You don't want to haphazardly dive into data without a plan, hoping something reveals itself.

My response of the week goes to @13reak for identifying two strategies based on whether the time frame is known. https://infosec.exchange/@13reak/112286073675099993

That's a solid example of identifying a key data point and approaching the investigation based on what you know. He'll win a free month in my Analyst Skills Vault: https://www.networkdefense.co/skillsvault/

Speaking of endpoint communication, do you know what communication tools your users rely on most often? What would you expect to see, and what would surprise you?

That's something to think about… 🚀 #InvPath #DFIR #SOC
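As an added example (not part of the original post or the replies), here is what the triage described above might look like in code: program-execution artifacts are filtered to an optional time window and matched against a model of communication-capable applications, and each hit is paired with the next artifact to pivot to. It assumes the artifacts have already been parsed from Amcache or Prefetch into simple records; the sample records, the application model, and the follow-on pivots are constructed for illustration and are hypothetical, not an authoritative list.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ExecRecord:
    """One program-execution artifact (e.g. a parsed Amcache or Prefetch entry).

    `when` is whatever the source records (Amcache: first seen, Prefetch: last
    run), so read it as "ran at or around this time".
    """
    path: str
    when: datetime


# Hypothetical model of communication-capable programs: executable name mapped
# to the channel it represents. Tune this to the organization's real tool set.
COMMS_MODEL: Dict[str, str] = {
    "outlook.exe": "email",
    "thunderbird.exe": "email",
    "teams.exe": "chat",
    "slack.exe": "chat",
    "signal.exe": "chat",
    "chrome.exe": "browser",
    "msedge.exe": "browser",
    "firefox.exe": "browser",
    "onedrive.exe": "cloud-sync",
    "dropbox.exe": "cloud-sync",
    "winscp.exe": "file-transfer",
    "7zfm.exe": "archiver",  # compression is a common staging step before exfil
}

# Where to pivot next for each channel: the data that can prove or disprove
# that the channel was actually used to send something out.
NEXT_STEPS: Dict[str, str] = {
    "email": "mailbox (OST/PST), sent items, attachments",
    "chat": "local chat databases and attachment caches",
    "browser": "history, downloads, webmail and cloud upload sessions",
    "cloud-sync": "sync client logs and contents of the synced folder",
    "file-transfer": "session/transfer logs and saved hosts",
    "archiver": "recently created archives, LNK files and ShellBags for staging folders",
}

# Constructed sample records (not real data) standing in for parsed output.
SAMPLE_RECORDS: List[ExecRecord] = [
    ExecRecord(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", datetime(2024, 3, 4, 9, 12)),
    ExecRecord(r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe", datetime(2024, 2, 2, 7, 0)),
    ExecRecord(r"C:\Program Files\7-Zip\7zFM.exe", datetime(2024, 3, 18, 22, 35)),
    ExecRecord(r"C:\Users\jdoe\AppData\Local\Programs\signal-desktop\Signal.exe", datetime(2024, 3, 18, 22, 41)),
    ExecRecord(r"C:\Program Files\Google\Chrome\Application\chrome.exe", datetime(2024, 3, 19, 8, 3)),
    ExecRecord(r"C:\Windows\System32\notepad.exe", datetime(2024, 3, 19, 8, 10)),
]


def _exe_name(path: str) -> str:
    """Reduce a Windows path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(records: List[ExecRecord], start: Optional[str] = None,
           end: Optional[str] = None) -> Dict[str, List[ExecRecord]]:
    """Group executions of communication-capable programs by channel.

    `start`/`end` are optional ISO-8601 strings. With no window the whole
    timeline is in scope (the "unknown timeframe" case); with a window only
    executions inside it are returned, which is what makes the data manageable.
    """
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    leads: Dict[str, List[ExecRecord]] = {}
    for rec in records:
        if lo is not None and rec.when < lo:
            continue
        if hi is not None and rec.when > hi:
            continue
        channel = COMMS_MODEL.get(_exe_name(rec.path))
        if channel is None:
            continue  # not a communication tool in our model
        leads.setdefault(channel, []).append(rec)
    for recs in leads.values():
        recs.sort(key=lambda r: r.when)
    return leads


def lead_report(leads: Dict[str, List[ExecRecord]]) -> List[str]:
    """One line per execution, with the artifact to pivot to next."""
    return [
        f"{channel}: {_exe_name(rec.path)} at {rec.when.isoformat()} -> {NEXT_STEPS[channel]}"
        for channel in sorted(leads)
        for rec in leads[channel]
    ]


if __name__ == "__main__":
    print(*lead_report(triage(SAMPLE_RECORDS)), sep="\n")          # unknown timeframe
    print("--- window ---")
    print(*lead_report(triage(SAMPLE_RECORDS, "2024-03-18", "2024-03-19T23:59")), sep="\n")
```

Run without a window and every communication tool that ever ran becomes a lead; run with the window and the list shrinks to an archiver, a messenger and a browser used within a few hours of each other, which is the kind of cluster that tells an analyst where to take the first bite. The report is only a set of leads, not proof: each line names the artifact that must be examined to confirm or rule out that channel.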

13reak (@13reak):

@chrissanders88

If timeframe is known: Amcache to see which apps were used. Then taking it from there: email, messengers, browser (history), other used apps.

If timeframe unknown: installed apps then same process.

@13reak You'll be my response of the week. Good thinking! DM me your email address and I'll set you up with a free month in my Analyst Skills Vault https://networkdefense.co/skillsvault

13reak (@13reak):

@chrissanders88

I didn't even know there was something to win. I simply like the scenarios you're posting!

Thanks a lot