How long does DFIR triage take?

Minutes to a few hours per host, depending on collection method. Tools like KAPE can collect the standard triage artefact set in under 10 minutes and parse them in under 5.

What artefacts are in a standard Windows DFIR triage?

Amcache (presence), Prefetch (execution), Security event log (logon/process), Sysmon (real-time process / network / image-load), the SYSTEM registry hive (ShimCache, services), recent USER profiles' NTUSER.DAT, browser history, and recent MFT entries. KAPE's '!SANS_Triage' compound target collects this set.

Why is triage different from full forensic analysis?

Triage answers 'is this host compromised?' fast. Full analysis answers 'exactly what did the attacker do, when, and how?' over days. Triage uses a fixed playbook of high-yield artefacts; full analysis adds disk imaging, memory analysis, and deeper artefact coverage.

Where does Amcache fit in DFIR triage?

First or near-first. Amcache gives hash + path + publisher for every PE on the host in one file, parseable in seconds. The 'unsigned PE in user-writable path' filter on Amcache surfaces commodity malware in minutes.

What's the relationship between triage and incident response?

Triage is the first phase of incident response. After triage confirms compromise, IR phases continue with containment, eradication, recovery, and lessons-learned. Triage feeds the rest of the IR process.

What is DFIR triage? (glossary)

DFIR triage is the rapid first-pass examination of a suspected-compromised host to determine, within minutes to a few hours, whether the system shows evidence of compromise. It uses a small set of high-yield artefacts collected and parsed quickly, in contrast to full-disk imaging followed by deep analysis.

The shape of a good triage:

Collect a fixed artefact set fast.
Parse with established CSV-producing tools.
Filter each artefact with the canonical triage filter for that artefact (e.g. Amcache's "unsigned PE in user-writable path").
Hash-pivot anything suspicious against VirusTotal and internal threat intel.
Time-bound the incident window with the surviving suspicious indicators.

Whole-host triage takes minutes to hours, not days.

The standard Windows triage artefact set#

Artefact	What it answers
Amcache	Was this PE binary present? With what hash and when?
Prefetch	Did this PE binary execute, and when?
Security event log (4624 / 4625 / 4648 / 4688)	Who logged on, who failed, with what credentials? What processes started, with what command line?
Sysmon (if deployed)	Real-time process / file / network / image-load telemetry.
SYSTEM hive	ShimCache (loader-touched binaries), services.
NTUSER.DAT (per user)	UserAssist, RunMRU, RecentDocs.
SOFTWARE hive	Auto-runs, installed software.
Browser history	Initial-access vector for phishing / drive-by.
Recent MFT	File-system creates around incident window.

KAPE's !SANS_Triage compound target collects this set in one invocation. Velociraptor's Windows.Forensics.Triage does the same remotely.

Why Amcache is the triage workhorse#

Three properties make Amcache the natural first stop:

One file, all PE presence. Amcache.hve covers every PE binary the appraiser saw — in one place.
Hashes for VirusTotal. Direct SHA-1 lookups; many detections take seconds.
Survives deletion. Even if the attacker wiped their tools, Amcache holds the evidence.

The "unsigned PE in user-writable path" filter on the Unassociated entries produces a small list per host — typically under 50 rows on a typical infected workstation — and most rows either match a known TI hash or are quickly explained.

For the full Amcache-driven triage playbook, see Hunting commodity malware with Amcache.

Amcache.hve — the triage workhorse.
Prefetch — the execution-evidence artefact paired with Amcache.
ShimCache — the kernel-loader cache.
SRUM — the resource-usage long-window artefact.

What is DFIR triage? (glossary)

The standard Windows triage artefact set#

Why Amcache is the triage workhorse#

Related terms#

Related posts