This table holds a glossary of terminology linked to digital forensics (DF), incident response (IR) and combined DFIR activities.
| Discipline | Term | Description |
|---|---|---|
| DF | Acquisition / Imaging (Bit for Bit) | Forensically exact copy of a drive or memory. |
| DF | Write Blocker | Prevents altering evidence during collection. |
| DF | Chain of Custody | Record of who handled evidence, when, and how. |
| DF | Hash (MD5/SHA-256) | Digital fingerprint proving a file/image is unchanged. |
| DF | Volatile Data | Data lost on power off (RAM, network connections, processes). |
| DF | Memory Acquisition | Capturing RAM to analyze malware, keys, and live artifacts. |
| DF | Timeline / Super Timeline | Ordered view of activity across artifacts and sources. |
| DF | Artifact of Execution | Any trace showing a program ran (e.g., Prefetch, Amcache). |
| DF | MFT / USN Journal | NTFS indexes and change journals to reconstruct file activity. |
| DF | Prefetch | Windows hints showing prior program launches and frequency. |
| DF | Registry Hives | SYSTEM, SAM, NTUSER.DAT: rich system and user histories. |
| DF | Event Logs (EVTX) | Windows logs for security, system and applications. |
| DF | LNK (Shortcuts) | Shortcut files recording target paths and last access. |
| DF | ShimCache / Amcache | Caches with historical app executions and installs. |
| DF | SRUM | Database logging app/network usage over time. |
| DF | Jump Lists | Recent files/app activity tied to specific programs. |
| DF | Browser Artifacts | History, cookies, downloads; useful for phishing trails. |
| DF | Pagefile / Hiberfile | On-disk memory snapshots preserving secrets/artifacts. |
| DF | File Carving | Recovering files from raw bytes without filesystem metadata. |
| DF | PCAP / NetFlow / Zeek | Network captures and summaries that reconstruct traffic. |
| DF | YARA | Pattern matching rules to identify malware or data in images. |
| DF | Triage | Rapid, targeted collection of high-value evidence first. |
| IR | Event / Alert / Incident | Observable activity / tool notification / confirmed problem. |
| IR | IOC (Indicator of Compromise) | Concrete artifact: hash, IP, domain, filename, mutex, etc. |
| IR | IOA (Indicator of Attack) | Behavioral pattern suggesting malicious intent. |
| IR | TTPs (MITRE ATT&CK) | The ‘how’: tactics, techniques, and procedures adversaries use. |
| IR | Kill Chain / Attack Lifecycle | Stages from recon to actions on objectives for defense planning. |
| IR | Dwell Time | How long attackers stayed before detection. |
| IR | MTTD / MTTR | Mean time to detect / respond; key performance metrics. |
| IR | Containment | Immediate steps to stop spread (isolate hosts, revoke tokens). |
| IR | Eradication | Removing malware, backdoors, and attacker access. |
| IR | Recovery | Restoring systems/data and validating cleanliness. |
| IR | Root Cause Analysis (RCA) | Determining how the incident started and why it succeeded. |
| IR | Threat Hunting | Proactive search for hidden threats using hypotheses and telemetry. |
| IR | Blast Radius | Scope of impact: systems, identities, and data affected. |
| IR | Playbook / Runbook | Standardized response steps; strategic vs. procedural. |
| IR | Severity / Priority (SEV) | Impact level guiding urgency and resourcing. |
| IR | Communications Plan | Who is told what, and when: execs, legal, regulators, customers. |
| IR | Legal Hold | Preserving data for litigation/regulatory requirements. |
| IR | Lessons Learned | Post-incident improvements to people, process, and tech. |
| IR | Retainer / Surge Team | Pre-arranged IR experts ready to engage rapidly. |
| IR | War Room | Central command channel for decisions and coordination. |
| IR | Detection Engineering | Designing analytics to catch attacker behaviors reliably. |
| IR | Enrichment | Adding context (geo, WHOIS, reputation) to raw alerts. |
| DFIR | Scoping | Defining what's affected and what to investigate first. |
| DFIR | Evidence Preservation | Ensuring data needed later isn't lost during response. |
| DFIR | IOC Sweep | Searching environment for known bad indicators at scale. |
| DFIR | Hypothesis-Driven Hunting | Forming/testing likely attacker paths using evidence. |
| DFIR | Intel-Led Response | Using threat intel to predict and block attacker next steps. |
| DFIR | EDR / SIEM / SOAR | Endpoint detection, log analytics, and automated response. |
| DFIR | Tooling Gaps | Missing visibility that hindered detection/response. |
| DFIR | Control Gaps | Missing or weak preventive controls that allowed the incident. |
| DFIR | Containment Strategy | Decide where to ‘burn’ IOCs vs. observe, based on risk. |
| DFIR | Purple Teaming | Offense and defense collaborate to co-design detections. |
| DFIR | Tabletop Exercise | Walk-through simulation to pressure-test roles and plans. |
| DFIR | Asset Criticality | Business importance that drives response priority. |
| DFIR | Data Classification | Sensitivity categories (public, internal, confidential, secret). |
| DFIR | Playbook Validation | Testing that procedures actually work on real data. |
| DFIR | Readiness Assessment | Pre-incident check of capabilities, coverage, and SLAs. |