DFIR in one paragraph
DFIR (Digital Forensics and Incident Response) is the umbrella term for two related but distinct disciplines. Incident response answers the question: "there is a fire — how do we stop it, contain damage, restore operations and notify the people we have to notify?" Digital forensics answers the question: "what happened, when, by whom, with what — to a standard of evidence that holds up in audit, internal investigation, or court?" Most real-world engagements need both, but the priorities, methodologies and deliverables are different.
Incident response
The IR mission is operational: detect, contain, eradicate, recover, learn. The clock matters. A typical IR engagement runs to a SANS PICERL-style methodology — Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Responders are expected to make pragmatic trade-offs: sometimes you wipe a workstation to get a salesperson back online; sometimes you preserve it for forensics. The senior IR lead arbitrates that decision in real time.
IR deliverables are time-sensitive: containment confirmation, eradication playbook, recovery sign-off, regulator notification draft (BNM, NACSA, MCMC, PDP as applicable), customer-comms draft, after-action report. Engagement typically lasts hours to weeks.
Digital forensics
The forensics mission is evidentiary: reconstruct what happened, with chain of custody and defensible methodology, to support an investigation, a HR action, an insurance claim, a regulatory inquiry or a court case. The clock matters less; the integrity of the evidence matters more. A forensic engagement uses write-blockers, hashing, controlled imaging and reproducible analysis. Outputs may be presented years later.
Forensic deliverables: timeline reconstruction, artefact analysis (registry, prefetch, MFT, browser history, log correlations), email/document recovery, attribution evidence, expert witness statement. Engagement typically lasts weeks to months.
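The hashing and chain-of-custody discipline described above, as an added example that is not part of the original page: an intake hash is recorded once, every later handling step re-hashes the image and logs the outcome, and an image altered after acquisition is caught before it reaches analysis or testimony. The image name, handler names and notes are constructed placeholders, not real case data.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so a multi-GB disk image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def _record(ledger, event, path, handler, note, **extra):
    """Append one custody event to the ledger (an append-only list of dicts)."""
    entry = {"event": event, "item": os.path.basename(path), "handler": handler,
             "note": note, "time": datetime.now(timezone.utc).isoformat(), **extra}
    ledger.append(entry)
    return entry

def intake(ledger, path, handler, note):
    """Record acquisition; the hash taken here is the reference for every later check."""
    return _record(ledger, "intake", path, handler, note, sha256=sha256_file(path))["sha256"]

def verify(ledger, path, handler, note):
    """Re-hash and compare with the intake hash, logging the outcome either way."""
    item = os.path.basename(path)
    reference = next((e["sha256"] for e in ledger
                      if e["event"] == "intake" and e["item"] == item), None)
    if reference is None:
        raise ValueError(f"no intake record for {item}")
    current = sha256_file(path)
    matches = current == reference
    _record(ledger, "verify", path, handler, note, sha256=current, matches_intake=matches)
    return matches

def run_demo():
    """Constructed sample: placeholder image, one clean check, one after a flipped byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "host01.img")  # placeholder name, not a real acquisition
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 64)     # 16 KiB of constructed content
        ledger = []
        intake(ledger, image, "analyst-a", "acquired behind a write-blocker")
        clean = verify(ledger, image, "analyst-b", "check before analysis")
        with open(image, "r+b") as fh:           # simulate one byte altered after intake
            fh.seek(7); fh.write(b"\x00")
        tampered = verify(ledger, image, "analyst-b", "check before testimony")
        return clean, tampered, [e["event"] for e in ledger]
```

Every verify call is logged even when the hash matches, so the ledger itself shows who handled the item and when, not only that the final hash was correct.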
When to engage which
- Active ransomware, active intrusion, exfiltration in progress → IR first, forensics in parallel for evidence preservation. See incident response.
- Suspected insider data theft (employee left, exported data) → Forensics first, IR if any persistence or external indicators emerge. See digital forensics.
- Fraud investigation, financial loss, IP theft → Forensics-led, IR involved only if attacker access is still active.
- Regulator-mandated post-incident investigation → Forensics-led, with IR providing the operational narrative.
- PCI DSS payment-card breach → IR for containment and customer comms, forensics via a PCI Forensic Investigator (PFI) where required.
- Suspected compromise but no active attacker behaviour → Compromise assessment, which sits between the two. See compromise assessment.
Sample timeline of a breach response
A typical breach engagement combining both disciplines:
- Hour 0: SOC detects anomaly. IR retainer activated. Triage call.
- Hours 1-4: Containment — affected hosts isolated, credentials rotated, suspicious accounts disabled. Volatile evidence captured.
- Hours 4-24: Eradication scoping. Forensic imaging of patient-zero and lateral hosts. Initial root-cause hypothesis.
- Day 1-3: Regulator notification window. For RMiT-regulated entities, the clause 10.71 clock has been running. For NCII entities, Act 854 §22 reporting to NACSA must be triggered.
- Day 1-14: Eradication and recovery. Concurrent forensic timeline reconstruction.
- Week 2-6: Forensic deep-dive, attribution analysis, exfiltration assessment, customer impact determination.
- Week 6-12: Final forensic report, lessons-learned exercise, control hardening, regulator final submission.
NACSA reporting obligations under Act 854 §22
The Cyber Security Act 2024 imposes incident-reporting obligations on National Critical Information Infrastructure (NCII) entities. Section 22 requires NCII entities to notify the Chief Executive of NACSA of any cyber security incident in respect of their NCII within the prescribed timeframe. The supporting regulations specify the form of the notification and the information to be included.
In practice, this means your IR playbook must include a specific decision point: "does this incident trigger a §22 notification?" — and a specific person accountable for making that call within minutes of confirmation. For details on the Act and your specific obligations, see our NACSA compliance guide.
Should you retain or call ad-hoc?
Ad-hoc IR engagement is more expensive when invoked under pressure: scoping has to happen during an active incident, indemnification and authorisation paperwork takes hours, and responder availability is not guaranteed. Most Malaysian organisations that have experienced a real incident move to a retainer model. The retainer secures responders, SLA, pre-agreed terms and a half-day per quarter of readiness work (playbook review, tabletop, hunt).
Related reading: Digital Evidence Preservation Guide.