What is DFIR triage? (glossary)

Triage is the fast pass. Twenty hosts came back from a sweep and the question is which ones get a full investigation. You do not have time to image and timeline all twenty. You collect a small fixed set of artefacts, parse them, run two or three canonical filters, and produce a yes/no per host with enough evidence to defend the call.

That is the whole point. Done right, it takes minutes per host. Done wrong, it produces false confidence either way and you find out three weeks later.

The shape of a good triage#

  1. Collect a fixed set fast. KAPE !SANS_Triage, Velociraptor Windows.Forensics.Triage, or your in-house equivalent.
  2. Parse with CSV-producing tools. Eric Zimmerman's suite, mostly.
  3. Apply the canonical filter for each artefact. For Amcache it is "unsigned PE in user-writable path with IsPeFile = True".
  4. Hash-pivot anything that survives the filter. VirusTotal, internal TI feed, threat intel platform.
  5. Time-bound on the survivors. Pull a window of activity around their KeyLastWriteTimestamp.

The standard Windows kit#

Artefact The question it answers
Amcache Was this PE present, with what hash and when?
Prefetch Did it actually run, and when?
Security event log (EVTX) Who logged on, who failed, what processes started with what command line?
Sysmon Real-time process, file, network, image load.
SYSTEM hive Shimcache, services, autostarts.
NTUSER.DAT UserAssist, RunMRU, RecentDocs, shellbags.
SOFTWARE hive Autoruns, installed software.
Browser history Initial-access vector for phishing or drive-by.
Recent MFT / USN Filesystem creates around the suspected window.

Why Amcache earns its place at the front#

Three reasons. It is one file. It carries hashes you can submit straight to VirusTotal. It survives binary deletion better than anything else in the set. The "unsigned PE in user-writable path" filter on UnassociatedFileEntries.csv typically returns under 50 rows on a typical infected workstation, and most of those either light up on a TI lookup or have an obvious benign explanation (portable apps, dev tools).

For the full Amcache-driven triage playbook, see Hunting commodity malware with Amcache.

Related posts

Back to all posts