Contain, acquire, analyze, recover — with defensible evidence handling.
Module overview
When prevention fails, IR limits damage and forensics reconstructs truth. This module follows the lifecycle (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned), teaches sound acquisition of volatile and disk evidence with chain-of-custody, and builds analysis skill in memory forensics and super-timelines. The worked scenario is a ransomware intrusion.
Lesson 1
Triage, Evidence Order & Acquisition
Deep explanation
Evidence is perishable. The order of volatility dictates the collection sequence: CPU registers and cache, then RAM, then network state and running processes, then disk, then backups and archives. Acquisition must be defensible: hash at acquisition and re-verify after every copy or transfer, document chain of custody (who handled what, when, with which tool, and the hashes), and use a hardware write-blocker when imaging disks. Live triage tools (KAPE, Velociraptor) collect the high-value artifacts (Prefetch, event logs, registry hives, browser history, $MFT) in minutes across many hosts.
Memory is the crown jewel: it holds running processes, injected code, network connections, decrypted payloads and keys that never touch disk. Capture it before pulling the plug or isolating the host; a reboot destroys it.
Examples
Pulling RAM with a verified tool preserves an injected process that disappears on reboot.
KAPE targets collect $MFT, EVTX, Prefetch, and registry hives in minutes for offline analysis.
Commands & tools
# Order of volatility (collect top-down)
# 1) CPU/registers and RAM  2) network state and running processes  3) disk  4) backups/archives
# Hash at acquisition, then re-verify after every copy (chain of custody)
sha256sum memory.raw > memory.raw.sha256
sha256sum -c memory.raw.sha256          # must report "memory.raw: OK" after transfer
# Targeted host triage (KAPE; Velociraptor's Windows.KapeFiles.Targets artifact collects the same targets)
kape.exe --tsource C: --target !SANS_Triage --tdest E:\triage --vhdx case01
# Live volatile snapshot (Windows, elevated PowerShell) - take it before isolating the host
Get-NetTCPConnection | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess | Export-Csv -NoTypeInformation netstat.csv
Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,Name,CommandLine,CreationDate | Export-Csv -NoTypeInformation processes.csv
Diagram
IDENTIFY -> CONTAIN -> ACQUIRE (order of volatility)
RAM > net state > disk > backups
|hash| |hash| |hash| <- chain of custody at each step
-> ANALYZE -> ERADICATE -> RECOVER -> LESSONS LEARNED
Hands-on lab
In the lab, take a memory image of a compromised VM (snapshot or provided .raw) and hash it.
Run a KAPE/Velociraptor-style triage collection of EVTX, Prefetch, $MFT, and registry hives.
Record a chain-of-custody log: who, when, tool, hashes before/after.
Confirm the post-acquisition hash matches — evidence is unaltered.
Expected output: A hashed memory image plus a triage package of key artifacts, with a custody log whose before/after hashes match.
What to observe: Containment vs. evidence is a real tension: isolating a host can destroy volatile data. Capture RAM and volatile state before disruptive containment when feasible.
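The custody-log steps of the lab, as an added example rather than the module's own tooling: a small Python script that hashes an evidence file at acquisition, records who handled it and when, and re-verifies after transfer so that any altered byte is caught. It uses only the standard library; the 4 KB image file is a constructed stand-in for a RAM capture, and the examiner and tool names are placeholders.

```python
"""Chain-of-custody log with before/after hashing.

Added example for the lab above; it is not the module's own tooling. Only the
Python standard library is used, the image file is a constructed stand-in for a
RAM capture, and examiner/tool names are placeholders.
"""
from __future__ import annotations

import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so a multi-GB RAM image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled which evidence, when, with what tool, and its hash."""

    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.entries: list[dict] = []

    def record(self, path: str, action: str, examiner: str, tool: str) -> dict:
        entry = {
            "case": self.case_id,
            "evidence": os.path.basename(path),
            "action": action,
            "examiner": examiner,
            "tool": tool,
            "host": socket.gethostname(),
            "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
        }
        self.entries.append(entry)
        return entry

    def acquisition_hash(self, evidence: str) -> str:
        """The hash taken at first acquisition is the reference every later check compares to."""
        return next(e["sha256"] for e in self.entries if e["evidence"] == evidence)

    def verify(self, path: str) -> bool:
        """True only if the bytes on disk still match the acquisition hash."""
        return sha256_file(path) == self.acquisition_hash(os.path.basename(path))

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> tuple[bool, bool]:
    """Acquire -> transfer -> verify (expect True), then tamper one byte (expect False)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "memory.raw")
        with open(img, "wb") as f:
            f.write(os.urandom(4096))  # constructed stand-in for a RAM image
        log = CustodyLog("case01")
        log.record(img, "acquired", "examiner A (placeholder)", "acquisition tool (placeholder)")
        log.record(img, "verified after copy to evidence share", "examiner B (placeholder)", "sha256_file")
        intact = log.verify(img)
        with open(img, "r+b") as f:  # simulate corruption or tampering in transit
            f.seek(100)
            b = f.read(1)
            f.seek(100)
            f.write(bytes([b[0] ^ 0xFF]))
        return intact, log.verify(img)


if __name__ == "__main__":
    print(demo())
```

Every entry carries the hash at the time of handling, so the log itself shows whether the before and after hashes agree; `verify()` always compares against the acquisition hash, never against the most recent one, so a change that slipped in at an intermediate hop is still detected.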
How attackers exploit · how defenders respond
Exploit: Adversaries use memory-only/fileless techniques and clear logs (T1070) precisely to defeat disk-only forensics.
Detect & respond: Centralized/forwarded logs (so local clearing fails), EDR with memory visibility, and forensic readiness baked into preparation.
Red team: Operate in memory, clear local logs, time-stomp files to frustrate timelines.
Blue team: Forward logs off-host, capture RAM early, hash everything, maintain custody, and rehearse acquisition.
Real-world scenario
A responder who pulled RAM before isolating a host recovered an injected, file-less implant and its C2 key that a reboot-then-image approach would have lost forever.
Lesson 2
Memory Forensics & Super-Timelines
Deep explanation
Volatility 3 turns a RAM image into answers: running/hidden processes, network connections, injected code, command lines, and loaded modules. Pair it with a super-timeline (Plaso/log2timeline) that fuses filesystem, registry, event log, and browser artifacts into one chronological story. Together they reconstruct the intrusion: patient zero, dwell time, lateral movement, and the moment of encryption.
For ransomware specifically, the timeline pinpoints initial access, the staging of tooling, credential access, deployment mechanism (often GPO/PsExec-style), and scope — which drives both recovery and notification.
Examples
pstree shows a suspicious child of a service process; netscan ties it to a known C2 IP.
A Plaso timeline lines up the first malicious login, tool drop, and mass file-rename within minutes — the encryption event.
Hands-on lab
Analyze the provided ransomware-case RAM image with Volatility 3 (windows.pslist, windows.pstree, windows.netscan, windows.malfind, windows.cmdline).
Build a Plaso super-timeline from the disk/log artifacts and export to CSV.
Reconstruct the chain: identify initial access, tool staging, and the mass-encryption moment with timestamps.
Write a short IR report: scope, dwell time, root cause, and three concrete preventions.
Expected output: Volatility reveals the malicious process tree and C2 connection; the timeline orders the intrusion from initial access to encryption; your report states scope, dwell time, and fixes.
What to observe: Memory + timeline together convert scattered artifacts into a defensible narrative — the difference between "something happened" and a precise, scoped account.
How attackers exploit · how defenders respond
Exploit: Ransomware crews dwell, harvest credentials, disable backups/AV, and deploy at scale via management tooling.
Detect & respond: Detections for backup/shadow-copy deletion, mass file renames, abnormal PsExec/GPO use, and new service installs; immutable/off-site backups for recovery.
Red team: Disable recovery (delete shadow copies/backups), escalate, deploy broadly, then encrypt.
Blue team: Immutable backups, deletion/mass-rename detections, segmentation to limit blast radius, rehearsed recovery.
Real-world scenario
In real ransomware IR, the super-timeline often shows days of dwell before encryption — exactly the window where backup-deletion and mass-rename detections would have triggered containment.
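The analysis described in this lesson (suspicious child of a service process tied to a C2 address; shadow-copy deletion; the mass-rename burst that marks encryption; dwell time) and the detections listed under "Detect & respond", as one added example that is not part of the module and is not Volatility or Plaso code. The inputs are constructed: a process list and netscan table shaped like Volatility 3 windows.pstree/windows.netscan output, and a CSV shaped like a psort export with datetime, source and message columns. The column names, regexes, allow-list of expected services.exe children, and the hostnames and addresses are all assumptions to adapt to a real export.

```python
"""Reconstruct a ransomware intrusion from memory and timeline artifacts.

Added example, not the module's material and not Volatility or Plaso code. Runs on
constructed data shaped like a psort CSV (datetime,source,message) and Volatility
pslist/netscan listings. Column names, regexes and the allow-list are assumptions.
"""
from __future__ import annotations

import csv
import io
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed Volatility-style listings (pid, ppid, name) and (pid, remote); not a real case.
PROCS = [(4, 0, "System"), (640, 4, "services.exe"), (1808, 640, "svchost.exe"),
         (2044, 640, "PSEXESVC.exe"), (3120, 2044, "a.exe"), (3316, 3120, "vssadmin.exe")]
NETSCAN = [(1808, "10.0.0.5:445"), (3120, "203.0.113.7:443")]
EXPECTED_SERVICE_CHILDREN = {"svchost.exe", "lsass.exe", "spoolsv.exe", "msmpeng.exe"}  # assumption

RENAME_RE = re.compile(r"rename \S+ -> (?P<new>\S+)")
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)


def constructed_timeline() -> str:
    """psort-style CSV: key events plus 40 renames to .locked half a second apart."""
    rows = [
        "2024-03-01T02:14:05,EVTX,4624 Logon Type 10 user=svc_backup src=203.0.113.7",
        "2024-03-01T02:20:40,EVTX,4688 New process C:\\Users\\Public\\a.exe",
        "2024-03-03T23:01:12,EVTX,7045 Service installed PSEXESVC",
        "2024-03-03T23:02:50,EVTX,4688 New process vssadmin.exe delete shadows /all /quiet",
        "2024-03-03T23:04:30,NTFS,$MFT rename D:\\share\\notes.txt -> D:\\share\\notes.bak",
    ]
    t0 = datetime(2024, 3, 3, 23, 5, 1)
    for i in range(40):
        ts = (t0 + timedelta(seconds=i / 2)).isoformat()
        rows.append(f"{ts},NTFS,$MFT rename D:\\share\\f{i}.xlsx -> D:\\share\\f{i}.xlsx.locked")
    return "datetime,source,message\n" + "\n".join(rows) + "\n"


def parse_timeline(text: str) -> list[dict]:
    """Parse and sort chronologically; a super-timeline only tells a story in time order."""
    rows = [{"ts": datetime.fromisoformat(r["datetime"]), "source": r["source"], "message": r["message"]}
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["ts"])


def suspicious_service_children(procs, netscan, parent="services.exe") -> list[dict]:
    """Children of the service manager not on the allow-list, with connections of their subtree."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in procs}
    parents = {pid for pid, (_, name) in by_pid.items() if name.lower() == parent}
    conns: dict[int, list[str]] = {}
    for pid, remote in netscan:
        conns.setdefault(pid, []).append(remote)
    found = []
    for pid, (ppid, name) in by_pid.items():
        if ppid in parents and name.lower() not in EXPECTED_SERVICE_CHILDREN:
            stack, subtree = [pid], []  # walk descendants: the C2 socket often belongs to a child
            while stack:
                cur = stack.pop()
                subtree.append(cur)
                stack.extend(p for p, (pp, _) in by_pid.items() if pp == cur)
            found.append({"pid": pid, "name": name,
                          "remote": sorted(r for p in subtree for r in conns.get(p, []))})
    return found


def shadow_copy_deletions(rows: list[dict]) -> list[dict]:
    return [r for r in rows if SHADOW_RE.search(r["message"])]


def mass_rename_burst(rows, window=timedelta(seconds=60), threshold=20):
    """First sliding window holding >= threshold renames to one new extension, else None."""
    recent: deque = deque()
    for r in rows:
        m = RENAME_RE.search(r["message"])
        if not m:
            continue
        recent.append((r["ts"], m.group("new").rsplit(".", 1)[-1].lower()))
        while r["ts"] - recent[0][0] > window:
            recent.popleft()
        # count per extension so an unrelated rename inside the window cannot mask the burst
        ext, n = Counter(e for _, e in recent).most_common(1)[0]
        if n >= threshold:
            return {"start": next(t for t, e in recent if e == ext), "count": n, "extension": ext}
    return None


def dwell_time(rows, initial_access_re: str, burst: dict) -> timedelta:
    """Time from the first event matching the initial-access pattern to the encryption burst."""
    pat = re.compile(initial_access_re)
    return burst["start"] - next(r["ts"] for r in rows if pat.search(r["message"]))


def reconstruct(csv_text: str | None = None) -> dict:
    rows = parse_timeline(csv_text or constructed_timeline())
    burst = mass_rename_burst(rows)
    return {
        "suspicious": suspicious_service_children(PROCS, NETSCAN),
        "shadow_deletion": [r["ts"] for r in shadow_copy_deletions(rows)],
        "encryption_start": burst["start"] if burst else None,
        "dwell": dwell_time(rows, r"4624 .*src=203\.0\.113\.7", burst) if burst else None,
    }


if __name__ == "__main__":
    print(reconstruct())
```

On the constructed data the process walk flags PSEXESVC.exe (pid 2044) and, through its child a.exe, the 203.0.113.7:443 connection; the timeline yields the vssadmin shadow deletion at 23:02:50, the encryption start at 23:05:01, and a dwell time of just under three days from the first attacker logon. The same sliding-window count, run in near real time on file-server rename events, is the "mass rename" detection the lesson recommends; the per-extension counting is what keeps a single unrelated rename in the window from hiding the burst.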
End-of-module assessment
1. Per the order of volatility, you collect first:
Answer: Volatile memory is the most perishable and is captured first.
2. Why hash evidence before and after acquisition?
Answer: Matching hashes demonstrate the evidence is unchanged.
3. Volatility is primarily used to analyze:
Answer: RAM images. Volatility extracts processes, connections, and injected code from them.
Key takeaways
Follow the lifecycle; collect by order of volatility and hash for chain of custody.
Memory forensics + super-timelines convert scattered artifacts into a defensible narrative.
For ransomware, immutable backups plus deletion/mass-rename detections both prevent and scope the event.