Autopsies of Recent DFIR Investigation Reports

1 min read

Preparing for Incident Response Can Save Organizations up to $1.23M During a Breach*

In his presentation to BlueHat Seattle, John-Luke Peck, D-CISO and Senior Security Consultant at Critical Insight, reviews in hindsight and retrospect several recent incident response engagements performed recently by Critical Insight's Incident Response team. All presented examples and incidents described in this presentation have been de-identified to maintain and protect privacy and operational security.

As a prediction for 2020, John-Luke describes the importance of remote DFIR services and what organizations need to do prepare their environments for remote digital forensics and virtual incident response. An important note is that this presentation was made in late 2019 - and John-Luke predicts at 20:20 that the time for remote DFIR has arrived.


Remote Digital Forensics and Incident Response (DFIR) Report Requirements

The "autopsies" that John-Luke covers are enlightening. From considering what went well to what did not go well during the various engagements, he highlights the particular data, services, and support available from Microsoft & Office 365, and AzureAD. Furthermore, he covers how they were and were not able to be leveraged during the various engagements, which were performed virtually.

Data requirements were also discussed, and what organizations need to do to prepare for virtual incident response and digital forensics investigations conducted remotely. John-Luke explains how he dealt with data that was and wasn't there, including:

  • Necessary data was not available because the client had not taken, or were unaware of the need to take, steps to enable the collection of the data
  • The data & services available were successfully used during response efforts

Lessons Learned from Office 365, AzureAD, and Incident Response

John Luke also highlighted the following:

  • Lessons learned about Office365/AzureAD and Incident Response
  • How Office365, AzureAD, and ATP services and data were used in the response efforts
  • Recommendations for Office365/AzureAD tenants to assess cybersecurity risks & build DFIR capabilities before an incident occurs

Source: 2019 Cost of a Data Breach Report,