DFIR (Digital Forensics and Incident Response)

The DFIR process

DFIR follows a structured lifecycle, commonly based on NIST SP 800-61 (four phases) or the SANS PICERL model (six). The seven steps below combine the two:

1. Preparation

Before an incident occurs: establish an incident response plan, define roles and escalation procedures, deploy detection tooling (MXDR, SIEM, EDR), and train the team through crisis simulation exercises. Preparation also includes pre-staging forensic tools and establishing relationships with external DFIR providers.

2. Identification and detection

Recognising that an incident has occurred. This comes from automated alerts (SIEM correlation rules, EDR detections, anomaly detection), user reports, or external notifications (NCSC, law enforcement, third-party researchers). The first 60 minutes after detection – the ‘golden hour’ – are critical for evidence preservation.

3. Containment

Isolating affected systems to prevent the attack from spreading while preserving forensic evidence. Short-term containment (network isolation, account disabling) happens immediately. Long-term containment (rebuilding clean systems, applying patches) follows once the scope is understood. The critical rule: contain without destroying evidence. In practice that means isolating a host at the EDR or network layer rather than powering it off, because a shutdown discards everything in memory.

4. Evidence collection and analysis

The forensics phase. DFIR analysts collect and analyse:

  • Memory forensics – capturing volatile data (running processes, network connections, encryption keys, malware in memory) before it is lost. RAM is the most perishable evidence source, so it is captured first, ahead of disk, following the order of volatility
  • Disk forensics – bit-for-bit imaging of storage devices for file system analysis, deleted file recovery, timeline reconstruction, and artefact extraction
  • Network forensics – analysing packet captures, firewall logs, DNS queries, and network flow data to trace attacker movement and data exfiltration
  • Malware analysis – reverse engineering malicious software to understand its capabilities, command-and-control infrastructure, and attribution indicators

All evidence collection follows a chain of custody procedure, documenting who collected what, when, and how, and proving integrity by hashing each item (typically SHA-256) at acquisition and re-verifying the hash at every handover. Without a documented chain of custody, forensic evidence can be challenged and may be ruled inadmissible in legal proceedings.
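The following added example (not Cyberfort's tooling; evidence identifier, host name, handler names and the stand-in "image" file are all constructed) shows the mechanics of that procedure: hash the image once on acquisition, append a who/what/when/how entry at every handover with the hash observed at that moment, and re-hash before analysis. The walk-through also flips one byte of the image to show that the verification step catches it.

```python
"""Chain-of-custody log with hash verification for a forensic image (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody record for one evidence item.

    Every entry carries the hash observed at that point, so a later mismatch can be
    pinned to a specific handover rather than just 'somewhere since acquisition'."""

    def __init__(self, item_id: str, description: str):
        self.item_id = item_id
        self.description = description
        self.entries: list[dict] = []

    def record(self, action: str, handler: str, method: str, path: Path) -> dict:
        entry = {
            "item_id": self.item_id,
            "action": action,
            "handler": handler,
            "method": method,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": sha256_file(path),
        }
        self.entries.append(entry)
        return entry

    def acquisition_hash(self) -> str:
        """The reference value: the hash taken when the image was first acquired."""
        return self.entries[0]["sha256"]

    def verify(self, path: Path) -> bool:
        """True only if the image still hashes to the acquisition value."""
        return sha256_file(path) == self.acquisition_hash()

    def to_json(self) -> str:
        """Serialise the record for the case file."""
        return json.dumps(
            {"item_id": self.item_id, "description": self.description, "entries": self.entries},
            indent=2,
        )


def demo() -> tuple[bool, bool]:
    """Constructed walk-through. Returns (verified before tampering, verified after)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical image name; a few KB of bytes stand in for a real disk image.
        image = Path(tmp) / "ws-0421.raw"
        image.write_bytes(b"\x00" * 4096 + b"constructed image payload")

        log = CustodyLog("EV-2024-0007", "Workstation ws-0421, full disk image")
        log.record("acquired", "A. Analyst", "dd bit-for-bit image via hardware write-blocker", image)
        log.record("transferred to lab", "B. Examiner", "sealed tamper-evident bag, seal number on bag", image)
        ok_before = log.verify(image)

        # Simulate a single-byte change to the image after the handover.
        data = bytearray(image.read_bytes())
        data[-1] ^= 0xFF
        image.write_bytes(bytes(data))
        ok_after = log.verify(image)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the acquisition hash must be recorded on a medium the examiner cannot silently edit (the printed custody form, or a signed log), and analysis should be done on a verified working copy so the original is never opened read-write.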

5. Eradication

Removing the attacker’s presence from the environment. This includes eliminating malware, closing backdoors, revoking compromised credentials, and patching the vulnerability that enabled the initial compromise. Eradication must be complete. Partial eradication means the attacker returns.

6. Recovery

Restoring affected systems to normal operations. Validating that systems are clean, monitoring for signs of re-compromise, and gradually lifting containment controls. Recovery is verified, not assumed.

7. Post-incident review

Documenting lessons learned: how the incident occurred, how it was detected, what worked in the response, what didn’t, and what changes are needed to prevent recurrence. The post-incident report feeds back into the preparation phase, improving detection rules, response procedures, and training scenarios.

When you need DFIR

DFIR is needed in three situations:

  • Active breach – ransomware deployment, data exfiltration detected, compromised accounts, or signs of persistent attacker access. The priority is containment and evidence preservation
  • Suspected compromise – unusual activity, unexplained system behaviour, or intelligence suggesting your organisation has been targeted. Investigation needed before declaring an incident
  • Regulatory or legal requirement – a personal data breach triggers UK GDPR notification to the ICO (within 72 hours of becoming aware, where feasible), and may also trigger insurance claims or law enforcement involvement. All require forensically sound evidence

DFIR and CREST CSIR

CREST offers a specific accreditation for incident response: the CSIR (CREST Cyber Security Incident Response) scheme. Organisations holding CREST CSIR accreditation demonstrate that their incident response capability – processes, personnel and methodology – has been independently assessed against CREST's standard. When selecting a DFIR provider, CREST CSIR accreditation is one of the strongest trust signals available.

Cyberfort and DFIR

We provide DFIR through our incident response service. Our team holds CREST CSIR accreditation and delivers containment, forensic investigation, and recovery across ransomware, data breach, insider threat, and supply chain compromise incidents. Our MXDR service provides the continuous monitoring that feeds into rapid incident detection, and our crisis simulation exercises test your team's ability to execute the DFIR process under pressure before a real incident forces them to.

Related glossary terms

  • CREST Certification – accreditation body offering CSIR certification for incident response teams
  • MXDR – managed detection and response, providing the continuous monitoring that enables rapid DFIR activation
  • Cyber Crisis Simulation – exercises that test DFIR readiness through simulated breach scenarios
  • MITRE ATT&CK – the adversary tactics framework used during forensic analysis to map attacker techniques
  • Zero Trust – the architecture principle that limits blast radius, making DFIR containment faster and more effective

Frequently asked questions

What is the difference between digital forensics and incident response?

Digital forensics is the investigation: collecting and analysing electronic evidence to determine what happened, how, and by whom. Incident response is the operational response: containing the attack, eradicating the threat, and restoring systems. DFIR combines both because in a real breach you need to do both at once. You cannot wait for the investigation to finish before containing the attack, and you cannot contain effectively without understanding what you are dealing with.

How quickly should DFIR start after a breach is detected?

Immediately. The first 60 minutes – the ‘golden hour’ – are critical. Volatile evidence (memory contents, active network connections, running processes) is lost when systems are rebooted or shut down. Attackers may also be actively covering their tracks, deleting logs, and moving laterally. The sooner DFIR begins, the more evidence is preserved and the faster containment can be achieved.

Do we need an external DFIR provider or can we handle it in-house?

Most mid-market organisations do not have the specialist skills, tools, or capacity to run a full DFIR engagement in-house. Memory forensics, malware reverse engineering, and forensic imaging require dedicated training and tooling. Even organisations with mature security teams typically retain an external DFIR provider on retainer so that specialists are available within hours when an incident occurs. The in-house team handles initial detection and containment; the DFIR provider handles the deep investigation.
