ClaudeWave skill listing: 72 repo stars, updated 11 days ago

Incident Response & Digital Forensics

IR playbook execution, evidence collection, forensic timeline analysis, memory forensics, and post-incident reporting following NIST SP 800-61 and SANS PICERL methodology

Install in Claude Code
```bash
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/incident-response-digital-forensics && cp -r /tmp/incident-response-digital-forensics/skills/07-incident-response ~/.claude/skills/incident-response-digital-forensics
```
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Incident Response & Digital Forensics

## Purpose

Enable Claude to assist with structured incident response operations following NIST SP 800-61 and the SANS PICERL framework. Claude generates IR playbooks, guides evidence collection with chain of custody, constructs forensic timelines, interprets memory forensics output, and produces post-incident reports.

---

## Activation Triggers

This skill activates when the user asks about:
- Creating an incident response playbook (ransomware, phishing, breach, etc.)
- Evidence collection and chain of custody procedures
- Forensic timeline construction from logs or artifacts
- Memory forensics using Volatility
- Post-incident report generation
- DFIR (Digital Forensics and Incident Response) procedures
- Containment and eradication strategies
- Root cause analysis for security incidents
- IR metrics, SLA tracking, or reporting for management

---

## Prerequisites

```bash
pip install pyyaml jinja2 pandas python-dateutil
```

**Recommended DFIR tools:**
- `Volatility 3` — Memory forensics framework
- `Autopsy / Sleuth Kit` — Disk forensics
- `plaso / log2timeline` — Supertimeline generation
- `KAPE` — Evidence collection (Windows)
- `Velociraptor` — Enterprise-scale endpoint forensics
- `FTK Imager` — Forensic imaging (Windows)
- `dd / dcfldd / dc3dd` — Disk imaging (Linux)

---

## PICERL Framework Overview

Every IR engagement follows the PICERL lifecycle:

| Phase | Key Actions | Skill Outputs |
|-------|------------|---------------|
| **P**reparation | Verify tools, comms, access | Readiness checklist |
| **I**dentification | Confirm incident, scope, severity | Incident classification |
| **C**ontainment | Isolate systems, stop spread | Containment actions list |
| **E**radication | Remove threat, close access | Eradication checklist |
| **R**ecovery | Restore systems, verify integrity | Recovery runbook |
| **L**essons Learned | Post-incident review | IR report + improvements |

---

## Core Capabilities

### 1. IR Playbook Creation

**When the user asks to create a playbook for a specific incident type:**

Claude generates detailed, role-assigned playbooks in this structure:

**Ransomware Response Playbook (Example):**

```markdown
# IR Playbook: Ransomware Attack
Version: 2.0 | Owner: SOC Manager | Review: Quarterly

## Trigger Conditions
- Multiple encrypted files discovered (ransom extension detected)
- Ransom note found on file shares or desktop
- EDR alert for mass file modification activity
- User reports files inaccessible with unfamiliar extensions

## Severity Classification
- CRITICAL: Domain controller / backup infrastructure affected
- HIGH: Production servers / business-critical data affected
- MEDIUM: Isolated workstation, contained environment

---

## Phase 1: Identification (Target: 15 minutes)
**IR Lead:**
- [ ] Confirm incident is ransomware (verify encrypted files + ransom note)
- [ ] Determine initial infection vector (phishing? RDP? Supply chain?)
- [ ] Identify Patient Zero — first encrypted system
- [ ] Assess scope: How many systems? Which business units?
- [ ] Declare incident severity and notify stakeholders
- [ ] Open incident ticket and begin documentation

**Forensics:**
- [ ] DO NOT REBOOT infected systems (preserve volatile evidence)
- [ ] Capture memory dump: `winpmem_mini_x64_rc2.exe output.raw`
- [ ] Collect running processes: `tasklist /v > processes.txt`
- [ ] Collect network connections: `netstat -ano > netstat.txt`

## Phase 2: Containment (Target: 30 minutes)
**Network Team:**
- [ ] Isolate affected systems (pull network cable or quarantine in VLAN)
- [ ] Block identified C2 IPs/domains at perimeter firewall
- [ ] Disable RDP externally if RDP was the initial vector
- [ ] Preserve network capture if encryption is still occurring

**Active Directory:**
- [ ] Identify all accounts used by the ransomware (service accounts, domain accounts)
- [ ] Reset passwords for all potentially compromised accounts
- [ ] Revoke active sessions for affected accounts
- [ ] Check for newly created privileged accounts

## Phase 3: Eradication
- [ ] Identify all persistence mechanisms (registry, services, scheduled tasks)
- [ ] Remove all malicious artifacts
- [ ] Verify no backdoors remain (check with Autoruns, process scanning)
- [ ] Patch the exploited vulnerability if one was used

## Phase 4: Recovery
- [ ] Restore from clean backup (verified pre-infection)
- [ ] Validate backup integrity before restoration
- [ ] Rebuild from gold image if backup compromised
- [ ] Verify data integrity after restoration
- [ ] Phased return to production

## Phase 5: Lessons Learned (Within 2 weeks)
- [ ] Full incident timeline documented
- [ ] Root cause identified and remediated
- [ ] Detection gaps addressed
- [ ] CSOC playbook updated
- [ ] Management report delivered
```

**Other supported playbook types:**
- Phishing Campaign Response
- Data Breach / Exfiltration
- Business Email Compromise (BEC)
- Insider Threat
- DDoS Attack
- Account Compromise / Credential Stuffing
- Supply Chain Compromise
- Cloud Misconfiguration / Breach

### 2. Evidence Collection & Chain of Custody

**When the user asks to collect forensic evidence:**

**Order of Volatility (most volatile → least volatile):**
```
1. CPU registers and cache
2. Routing tables, ARP cache, process table
3. Memory (RAM) — ALWAYS capture first
4. Temporary file systems, swap space
5. Running processes and open files
6. Network connections and open ports
7. Disk images
8. Log files (local + remote SIEM)
9. Physical media
```

**Evidence Collection Commands:**

```bash
# Windows — Live acquisition
winpmem_mini_x64_rc2.exe memory.raw              # Memory dump
tasklist /svc > processes.txt                     # Running processes
netstat -ano > connections.txt                    # Network connections
wmic process get caption,processid,parentprocessid,commandline > process_full.txt
reg export HKLM reg_hklm.reg                     # Registry
dir /s /a "C:\Users\*\AppData\Roaming