• English
Home / Services / Digital Forensics And Incident Response / DFIR


Eight Steps of Numen DFIR are as follows:

  • Preparation Plan

  • Threat Identification

  • Rapid Containment

  • Threat Eradication

  • Business Recovery

  • Improvement Solution

  • Compromise Assessment

  • Delivering Report

  • 1.Preparation

    The detection is originated by the DFIR team of Numen Cyber Labs. To prepare for successful incident management, the team has developed a set of checklist/playbooks for each step, and in the whole process, these experienced threat analysts and researchers use a wide variety of commercial and open source DFIR toolkits, threat intelligence data sources and others.

  • 2. Identification

    Identification is done through review of log files, in forensic log review, the systems which were involved in the compromise are investigated for additional evidence. In addition to log review, investigation may also include looking through the hard drive and the memory stack at the time of the compromise. The important consideration at this point is not to disrupt any potential evidence of the incident.

  • 3. Containment

    Containment is the most important COA (Course of Action) during incident response. The primary focus of DFIR is to limit damage and prevent further escalation or breaches. Activities related to containment are going to be very specific to the actual incident, effective containment strategies include inventory assets, detect, deny, disrupt, degrade, deceive, and destroy, etc.

  • 4. Eradication

    The team remove the known existing threats from the networks. Usually, to eradicate the affected systems by replacing them with clean and unaffected systems. The team must ensure that all the affected systems are completely removed to avoid further damage caused by the cyberattack.

  • 5. Recovery

    Recovery is the testing of the fixes in the eradication phase and the transition back to normal operations. Vulnerabilities are remediated, compromised accounts have passwords changed or are removed altogether and replaced with other more secure methods of access. Functionality is tested and day to day business resumes.

  • 6. Improvement

    It’s arguably the most important to prevent future incidents. Lessons Learned involves reviewing the steps that were taken during each phase and improving both your incident response capability and your security footprint are the important take-aways from this phase.

  • 7. Compromise Assessment

    This phase is optional depending on the customer's requirements. Compromise assessments (CA) are designed to systematically scan your entire system and identify any vulnerabilities, potential risks, abnormal user behavior, as well as any indicators of past compromises.

  • 8. Delivering Report

    The DFIR team will deliver complete report after entire response process, including the incident timeline, response process, detection methods, detailed threat analysis, recovery, and solution of unknown cyberthreats.

Back to Top