January 21, 2024

Diagramming Attack Path in DFIR Investigations


The video discusses the power and use of attack path diagrams in digital forensics and incident response (DFIR) investigations. It includes a detailed discussion on the process of creating these diagrams, the scenarios they can be used in, and the tools and templates that can aid in their creation.

[0:00:14] - Introduction to Attack Path Diagrams

  • The video introduces the concept of using attack path diagrams in DFIR investigations.
  • The speakers discuss what the video will cover, including when to use attack path diagrams, considerations, and practical scenarios.

[0:01:26] - Brad Slavel's Experience

  • Brad Slavel introduces himself as an incident response lead.
  • He emphasizes the importance of introducing attack path diagrams into investigations and shares his ten years of experience in the field.

[0:01:42] - Dave Pani's Experience

  • Dave Pani introduces himself and shares his ten years of experience in digital forensics and investigations.

[0:01:53] - Goals of Using Attack Path Diagrams

  • The speakers discuss the key goals of using attack path diagrams, including highlighting known and unknown aspects of an incident.
  • They emphasize the effectiveness of attack path diagrams in explaining technical findings to non-technical audiences.

[0:02:48] - Considerations When Creating a Diagram

  • The video covers key considerations when planning to create a diagram, such as understanding the audience, choosing relevant tools, and using different line types, icons, transparency, and custom logos.

[0:04:36] - When to Use Attack Path Diagrams

  • The speakers discuss the significance of using diagrams at any time, especially for sharing findings with organizations, victims, and clients to explain complex technical information clearly.

[0:06:47] - Diagram Tools and Examples

  • The video details various tools that can be used for diagramming attack paths, including pen and paper, PowerPoint, Visio, and custom graphics.
  • Multiple examples of diagrams and their evolution are shared, highlighting the different stages of creating a visual representation of an incident.

[0:14:28] - Example Formats and Customization

  • The speakers discuss standardized formats, such as timelines, color-coded diagrams, icon usage, and number sequencing, to represent the sequence of events in an investigation clearly.

[0:24:40] - Practice and Templates

  • The speakers explain the use of pre-built templates to speed up the diagram process, emphasizing the importance of reusing and modifying existing diagrams to fit different incidents.

[0:26:32] - Conclusion and Practical Use

  • The video concludes with a summary of the various concepts discussed and their practical applications in real-world investigations.


How can different line types be used in attack path diagrams?

Different line types, such as solid and dotted lines, can be used to represent known and unknown aspects of an incident, conveying clarity in the diagram's visual storytelling.

Are attack path diagrams marked with TLP controls?

Yes, diagrams are marked with TLP (Traffic Light Protocol) controls, particularly for sensitive incidents or information sharing within specific industries, to ensure data protection and opsec.

Do the speakers rely on templates to create attack path diagrams?

The speakers often use pre-built templates to speed up the diagram creation process, modifying existing diagrams from previous incidents to fit the current investigation.

The video provides a comprehensive overview of the use and creation of attack path diagrams in DFIR investigations, including practical examples and considerations to enhance their effectiveness.