DFIR Glossary

60 terms across 8 categories. Covers incident-response lifecycle, forensic artifacts, cloud and identity concepts, malware tradecraft, and tooling.

Incident Lifecycle (5)

Containment

Actions taken to prevent further spread of an attacker within the environment: network isolation, account disablement, token revocation, firewall blocks. Divided into short-term (stop the bleeding) and long-term (stable posture) containment.

Eradication

Removal of attacker artifacts and footholds from the environment: malware cleanup, backdoor removal, credential rotation, vulnerability patching, and verification that no residual attacker access remains.

Post-Incident Review

Also known as: Lessons Learned, Postmortem

A structured review following an incident to capture what happened, what went well, what did not, and what specific improvements are needed in detection, prevention, and response capabilities.

Recovery

Restoration of affected systems to normal business operations using clean baselines or rebuilt images, with enhanced monitoring to detect attacker return. Phased reconnection is standard practice for larger incidents.

Triage

The initial assessment phase of an incident where responders validate the alert, estimate scope and severity, identify preliminary attack vectors, and decide on the level of investigation warranted.

Forensics (14)

AmCache

Windows program-inventory artifact (Amcache.hve) tracking installed and executed applications with SHA-1 hashes, install paths, and first-run timestamps. Complements ShimCache for execution timeline.

See also: ShimCache

Chain of Custody

Documented, unbroken record of who handled, accessed, or transferred evidence from acquisition through analysis to final disposition. Required for legal admissibility of evidence.

EVTX

Windows Event Log format (Windows Vista+). Binary, structured logs parsed with wevtutil, EvtxECmd, or PowerShell Get-WinEvent. Key forensic sources: Security, System, PowerShell, Sysmon, RDP.

Forensic Timeline

Also known as: Super Timeline

Unified chronological view of filesystem, registry, log, and application events. Built with tools like log2timeline/plaso or Timesketch. The primary analysis artifact for reconstructing attacker activity.

IoC

Also known as: Indicator of Compromise

Observable artifact associated with a specific compromise: file hashes, IP addresses, domain names, registry keys, mutex names, or TTP patterns. Used to hunt for the same attacker in other environments.

MFT

Also known as: Master File Table, $MFT

The Master File Table in NTFS filesystems. Every file and directory has at least one MFT entry with metadata (timestamps, security descriptor, data attribute locators). Primary source for filesystem timeline reconstruction on Windows.

See also: USN Journal, Timestomping

MITRE ATT&CK

MITRE-maintained knowledge base of adversary tactics and techniques derived from real-world observations. Provides a shared vocabulary for describing attacker behavior and mapping detections.

See also: TTP

Prefetch

Windows performance-optimization artifact in C:\Windows\Prefetch tracking the last 8 execution times of programs (Win10+). Strong evidence of execution even after log rotation.

ShimCache

Also known as: AppCompatCache

Application Compatibility Cache storing executable metadata and last-modification timestamps. Used by Windows to decide whether compatibility shims apply to an executable, and by analysts to infer historical execution. Flushed to the SYSTEM hive on clean shutdown.

See also: AmCache

Sysmon

Also known as: System Monitor

Microsoft Sysinternals driver and service providing detailed system activity logging: process creation with command line, file-creation events, registry changes, network connections, and image loads. Critical for endpoint forensics when EDR is absent.

Timestomping

Attacker technique of modifying file timestamps (typically $STANDARD_INFORMATION in NTFS) to hide malicious files among legitimate content. Detected by comparing $STANDARD_INFORMATION timestamps against $FILE_NAME timestamps.

See also: MFT

TTP

Also known as: Tactics, Techniques, Procedures

Adversary behavior patterns at three levels of abstraction: high-level goals (Tactics, e.g., Lateral Movement), specific approaches (Techniques, e.g., SMB admin-share abuse), and exact implementations (Procedures, e.g., psexec with specific flags).

See also: MITRE ATT&CK

USN Journal

Also known as: $UsnJrnl, Change Journal

NTFS Update Sequence Number journal recording file-level changes (create, delete, rename, data-overwrite). Survives some attacker cleanup and provides event-level evidence independent of log sources.

Volatile Memory

Also known as: RAM, Live Memory

System memory (RAM) that is lost on reboot. Contains running process state, network connections, encryption keys, loaded modules, and attacker-injected code. Must be captured before reboot or containment action.

Cloud (8)

CloudTrail

AWS service logging management-plane and (optionally) data-plane API calls across an account. The primary AWS audit evidence source; most AWS forensic investigations start from CloudTrail queries.

Federated Identity

Identity architecture where an external identity provider (Okta, Entra ID, Ping) authenticates users and issues tokens for downstream cloud services. The identity provider is a high-value target because compromise grants access to many services.

IAM

Also known as: Identity and Access Management

Cloud-provider service managing users, roles, and permissions (AWS IAM, Azure RBAC, GCP IAM). The primary authorization boundary for cloud resources; IAM misuse is a dominant cloud attack path.

IMDSv2

AWS EC2 Instance Metadata Service version 2. Session-token-based access to instance credentials, mitigating SSRF-based credential theft. Enforcing IMDSv2 is a baseline cloud-hardening control.

STS

Also known as: Security Token Service

AWS service issuing temporary credentials via AssumeRole, GetSessionToken, and federation. Attackers abuse STS to chain role assumptions and move laterally within and across AWS accounts.

UAL

Also known as: Unified Audit Log

Microsoft 365 audit log consolidating activity across Exchange, SharePoint, OneDrive, Teams, Azure AD, and other services. Primary M365 forensic source; must be enabled in advance.

Workload Identity

IAM pattern where cloud workloads (Kubernetes pods, serverless functions, VMs) authenticate to cloud services using provider-issued short-lived tokens instead of long-lived keys. Reduces credential-theft impact when correctly configured.

Identity & Auth (7)

Conditional Access

Entra ID (Azure AD) policy framework enforcing sign-in conditions (device compliance, MFA, location, risk). Misconfigured Conditional Access is a frequent cloud-identity compromise factor.

Golden Ticket

Forged Kerberos TGT created by an attacker who has stolen the krbtgt account hash. Grants authentication as any user for any service in the domain until krbtgt is rotated twice with appropriate delay.

See also: krbtgt Double Reset

Kerberoasting

Attack requesting Kerberos service tickets (TGS-REP) for accounts with SPNs, then offline-cracking the ticket's encrypted portion to recover the service-account password.

See also: Kerberos

Kerberos

Network authentication protocol using tickets issued by a Key Distribution Center (KDC). Windows Active Directory is Kerberos-based; attacker tradecraft includes Golden Ticket, Silver Ticket, Kerberoasting, and AS-REP roasting.

See also: Golden Ticket, Kerberoasting

krbtgt Double Reset

Security practice of resetting the krbtgt account password twice, with a delay between the two resets that is longer than the maximum Kerberos ticket lifetime. Invalidates all existing golden tickets, including any the attacker may still hold.

See also: Golden Ticket

LSASS

Also known as: Local Security Authority Subsystem Service

Windows process handling authentication and caching credentials (NTLM hashes, Kerberos tickets). LSASS memory dumping is a dominant credential-theft technique; Credential Guard and LSA Protection mitigate it.

MFA

Also known as: Multi-Factor Authentication, 2FA

Authentication requiring two or more independent factors. Phishing-resistant MFA (FIDO2, certificate-based) materially reduces account-compromise risk; SMS and push-notification MFA are increasingly bypassed.

Network (4)

JA3/JA3S

TLS client and server fingerprinting technique. A hash of ClientHello fields (JA3) or ServerHello fields (JA3S) identifies the client or server software without decrypting traffic. Used for C2 detection and malware-family identification.

NetFlow

Network-flow telemetry protocol capturing source/destination, ports, bytes, and packet counts for every conversation. Does not include payload; useful for connection-level forensics and lateral-movement detection.

PCAP

Also known as: Packet Capture

Raw packet capture format (libpcap). Contains full packet headers and payloads; most evidence-rich network source but large and expensive to retain at scale.

Zeek

Also known as: Bro

Network analysis framework producing rich, protocol-aware logs (conn.log, http.log, ssl.log, dns.log, etc.) from live traffic or PCAP. Bridge between packet-level and flow-level forensics.

Malware (6)

APT

Also known as: Advanced Persistent Threat

Sophisticated, well-resourced adversary characterized by long dwell time, custom tooling, stealthy persistence, and objectives aligned with intelligence or strategic value rather than opportunistic gain.

C2

Also known as: Command and Control, C&C

Attacker infrastructure used to control compromised systems and exfiltrate data. Detected via network anomalies (beaconing, rare domains), endpoint anomalies (unusual child processes), or TI-provided IoCs.

Fileless Malware

Malware that runs primarily in memory or via legitimate system processes with minimal or no on-disk artifacts. Detection relies on memory forensics, ETW, and behavioral telemetry.

LOLBin

Also known as: Living Off the Land Binary

Legitimate system binary (PowerShell, certutil, bitsadmin, regsvr32, mshta, wmic) abused by attackers for malicious purposes. Signature-based detection fails; detection requires behavioral and context-based analysis. See lolbas-project.github.io.

Ransomware

Malware that encrypts files, databases, or entire systems and demands payment for decryption. Modern variants often combine encryption with data exfiltration (double extortion) and operate as Ransomware-as-a-Service.

Supply Chain Compromise

Attack where a trusted software vendor, update channel, or dependency is compromised so that downstream customers receive malicious code through a legitimate distribution path.

Tooling (12)

CASB

Also known as: Cloud Access Security Broker

Platform providing SaaS application visibility, shadow-IT detection, DLP for cloud uploads, anomalous access detection, and policy enforcement across third-party SaaS. Critical for hybrid-cloud security programs.

DLP

Also known as: Data Loss Prevention

System monitoring and enforcing policy on sensitive data movement across email, endpoint, network, and cloud channels. Foundation for insider-threat and data-exfiltration detection.

EDR

Also known as: Endpoint Detection and Response

Endpoint security platform providing process-level telemetry (process creation, file events, registry changes, network connections), real-time detection, and response actions (isolation, process kill). Foundational tooling for modern DFIR.

Falco

Open-source runtime security engine (CNCF project) using eBPF to detect anomalous container and Linux host behavior. Commonly deployed in Kubernetes for runtime-threat detection.

KAPE

Also known as: Kroll Artifact Parser and Extractor

Triage-focused artifact collection and parsing framework (Eric Zimmerman). Widely used to collect high-value Windows forensic artifacts quickly without full-disk imaging.

osquery

Open-source agent exposing operating system state as SQL-queryable tables. Cross-platform (Linux, macOS, Windows) and widely used for fleet-wide forensic triage and live-host querying.

SIEM

Also known as: Security Information and Event Management

Centralized log-aggregation and correlation platform (Splunk, Sentinel, Elastic SIEM, Chronicle). Foundation for long-term log retention, cross-source analysis, and detection-rule execution.

Sigma

Vendor-neutral detection-rule format (YAML). Converts to SIEM-specific query languages (KQL, SPL, EQL) via sigma-cli, enabling cross-SIEM rule sharing and community-maintained rule repositories.

SOAR

Also known as: Security Orchestration, Automation, and Response

Platform for automating incident-response playbooks and orchestrating actions across security tools (EDR isolation, SIEM enrichment, ticketing, notification). Reduces response time for repeatable incident types.

Velociraptor

Open-source endpoint forensics and monitoring tool with VQL (Velociraptor Query Language). Popular for hunts, remote triage collection, and long-term endpoint monitoring at enterprise scale.

Volatility

Open-source memory forensics framework (Python). Parses raw RAM captures to enumerate processes, network connections, loaded modules, injected code, rootkits, and encryption keys.

XDR

Also known as: Extended Detection and Response

Cross-domain detection platform correlating endpoint, identity, email, cloud, and network telemetry into unified detections. Enables multi-vector attack-chain reconstruction without manual cross-source correlation.