Wednesday, June 29, 2016

Incident Response: A-Z

Update: I am incredibly humbled by the positive responses I've received since posting my paper on Incident Response A-Z. I am very grateful to each and every person who added their suggestions, and pointed out that glaring mistake on page 6 where I duplicated the first 3 processes. I was on my way to Disneyland when I noticed it, and was mortified (and humbled in a different way)! I have just posted a revised and corrected copy/link below. Thank you again everyone for all your input; that's what makes community great. Enjoy!

I began the concept of this paper with one sentence, almost 5 years ago. I have slowly expanded upon that sentence over the past 5 years, and I fully expect that trend to continue. Over the course of chipping away at the paper, I have published portions of it on my blog.

A likely follow-up would be an example investigation, soup to nuts, along with a final report that you would hand to the client. That may be my next endeavor. I started that process recently, but with not a lot of free time in my schedule, I decided to go ahead and publish what I have so far, and if I can eke out enough time to do the rest and tack on other stuff, I certainly will.

The paper is dedicated to my daughters. My 1 year old cannot yet grasp the concept of malware, however while traveling recently and Skyping with my 5 year old who is crazy about princesses and of course “Frozen,” we were sharing stories about our day and I mentioned that I had come across a very interesting piece of malware, to which she responded, “Mom, was it pink malware?!” And thus, "pink malware" was born, because of course I had to come home with some for her.

Lastly, my thoughts and processes are just one of a thousand ways you can approach an incident. I am making no claims that the paper is perfect, or exhaustive. I do, however, hope that someone will find something meaningful that they can take away from it. I recently received a private message from someone anonymously via my blog who encouraged me to keep putting things like this out there because it was incredibly helpful to the DFIR community. I am releasing this paper in the spirit of that post. It's far from ready for publishing, or complete, but it is good enough for now. It opens as a PDF:


Tonat said...

In PHASE 1 (p.6), are points 1.1 through 1.3 supposed to be repeated?

Anonymous said...

Great stuff, just started reading!

Mary Ellen said...

Wow, thank you so much!

Mary Ellen said...

Thank you so much! I've updated it a bit since yesterday, so you may want to grab the latest one: I so appreciate your comments!

bitBucket said...

The link doesn't seem to work anymore?

Mary Ellen said...

Hi BitBucket,

I'm sorry you're having trouble. Try the link: and from there you can click to download the PDF. Let me know if you're still having trouble and I can just email you the PDF.