AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


Day 4 – Excerpt from Chapter 4 – User Causality in the context of DFIR

Day 4 – Excerpt from my newly released book, “Diving In – An Incident Responder’s Journey: A Guide for Executives, Lawyers, Insurance, Brokers & Audiences Eager to Learn”. You can get your copy here: https://www.amazon.com/Diving-Responders-Executives-Insurance-Audiences/dp/B0CCCHTN8R

User causality, in the context of Digital Forensics science, refers to the relationship between a user’s actions (cause) and the resulting impact on a digital system (effect). This relationship fundamentally underpins Locard’s Exchange Principle. Understanding this cause-and-effect relationship is the key baseline from which Digital Forensic and Incident Response investigators should operate.

When threat actors attempt to compromise a system, they perform a series of actions designed to further their access, exploit vulnerabilities, or exfiltrate data. Each of these actions has a specific effect on the targeted system through which they operate, such as obtaining elevated privileges, simply logging into systems with authorized credentials, installing software or executing malware, and even leveraging tooling to steal information and leave the network with it. In this context, user causality defines what threat actors leave behind as their digital fingerprints (or footprints) during every intrusion, and it is what incident responders like myself systematically analyze to identify and document the timeline of the crime.

Digital Forensic investigators rely upon their training, experience, and understanding of digital cause-and-effect relationships to scientifically and defensibly reconstruct the chain of events that led to a security incident… {read more inside the next chapter of my new book}
