# Digital Forensics & Incident Response
Status: Planned
Standards: ISO/IEC 27037, NIST SP 800-86, SWGDE
Source: archer/dfir/ (not yet created)
The DFIR domain covers post-incident investigation — artifact collection, timeline reconstruction, malware triage, and evidence preservation. It enforces strict read-only discipline; no remediation actions are taken during a forensic session.
## Planned Plays
| Play | Description |
|---|---|
| disk_forensics | File system analysis, deleted file recovery, metadata extraction |
| memory_forensics | Volatile memory acquisition and analysis (Volatility) |
| network_forensics | PCAP analysis, session reconstruction, IOC extraction |
| log_analysis | Timeline reconstruction from system, auth, and application logs |
| malware_triage | Static and dynamic malware analysis — hashes, strings, behavior |
| evidence_preservation | Chain-of-custody imaging, hash verification, write-blocking |
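The evidence_preservation play is the one whose discipline carries into every other play: an image is only useful if its hash at analysis time matches the hash recorded at acquisition, and every verification should itself become a custody record. The following is an added illustration of that hash-verification and chain-of-custody loop; it is not code from the archer project, and the JSON manifest layout, the examiner names and the byte-pattern "disk image" are all constructed for the example. It opens the image read-only in chunks (so it scales to real image sizes), records MD5 and SHA-256 at acquisition, re-verifies later, and appends a custody entry whether verification passes or fails, so a failed check is on the record rather than silently retried.

```python
"""Evidence hash verification with a minimal chain-of-custody manifest.

Added example, not part of the archer project. The manifest format is a
hypothetical one chosen for illustration; the sample image is constructed bytes.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image never has to fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file, read strictly in 'rb' mode."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _now():
    return datetime.now(timezone.utc).isoformat()


def create_manifest(image_path, examiner, manifest_path):
    """Record acquisition hashes plus who/when as the first custody entry."""
    entry = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
        "custody": [{"action": "acquired", "examiner": examiner, "timestamp": _now()}],
    }
    with open(manifest_path, "w") as fh:
        json.dump(entry, fh, indent=2)
    return entry


def verify_image(image_path, manifest_path, examiner):
    """Re-hash the image against the manifest and append a custody entry.

    Returns (ok, mismatched_algorithms). The manifest is updated on success and
    on failure alike, so a failed verification is part of the custody record.
    """
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    current = hash_file(image_path, tuple(manifest["hashes"]))
    mismatches = [alg for alg, digest in manifest["hashes"].items() if current[alg] != digest]
    manifest["custody"].append({
        "action": "verified" if not mismatches else "verification_failed",
        "examiner": examiner,
        "timestamp": _now(),
        "mismatched": mismatches,
    })
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return (not mismatches, mismatches)


def demo():
    """Run the workflow on a constructed image; return the verdicts and custody length."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        manifest = os.path.join(workdir, "evidence.manifest.json")
        # Constructed 1 MiB "image": a repeating 0..255 byte pattern, not real evidence.
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)
        create_manifest(image, "examiner-1", manifest)
        first_ok, _ = verify_image(image, manifest, "examiner-2")
        # Flip one byte to show that a single-byte change fails verification.
        with open(image, "r+b") as fh:
            fh.seek(12345)
            fh.write(b"\x00")
        second_ok, mismatches = verify_image(image, manifest, "examiner-2")
        with open(manifest) as fh:
            custody_len = len(json.load(fh)["custody"])
    return first_ok, second_ok, mismatches, custody_len


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'], 3)
```

Two caveats a practitioner would add: opening the file in `rb` mode is a software convention, not a substitute for a hardware write-blocker during acquisition (the "write-blocking" item in the table), and the manifest here is unsigned, so in real custody handling it would itself be hashed or signed and stored apart from the image.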
## Notes
DFIR is sequenced after threat hunting (TH) in the domain roadmap. It shares the minimal-footprint constraint with TH but adds evidence-preservation requirements that affect how the agent interacts with storage.