User Guide

DFS by DreamGRC: Digital Forensics as a Service Platform

User Guide and Quick-Start Documentation

Table of Contents

  1. Introduction
  2. Getting Started
     • Account Setup
     • Dashboard Overview
  3. Case Management
     • Creating a New Case
     • Viewing Case Details
  4. Evidence Management
     • Uploading Evidence Files
     • Remote Collection
     • Evidence File Types
  5. Forensic Analysis
     • Single File Analysis
     • Batch Analysis
     • Available Tools & Commands
     • Understanding Analysis Results
  6. Incident Reconstruction
     • Creating a Workflow
     • Workflow Templates
     • Step-by-Step Guidance
     • Timeline Creation
  7. Correlation Analysis
     • Running Correlations
     • ML-Based Correlations
     • Interpreting Results
  8. Report Generation
     • Report Types
     • Customization Options
     • Exporting Reports
  9. Administration
     • User Management
     • Organization Settings
     • Compliance & Standards
  10. Troubleshooting
  11. API Integration

Introduction

DFS by DreamGRC is a cutting-edge Digital Forensics as a Service (DFaaS) platform that transforms complex evidence analysis into an intelligent, interactive investigative experience. This guide will walk you through all the features and functionalities of the platform, from basic navigation to advanced forensic analysis workflows.

Key platform features include:

  • Centralized case management for digital investigations
  • Support for multiple evidence types (memory dumps, disk images, network captures, logs)
  • Advanced forensic analysis using industry-standard tools
  • ML-powered correlation engine for relationship discovery
  • Guided incident reconstruction workflow
  • Comprehensive report generation with plain-language explanations
  • Compliance with NIST, GDPR, and ISO standards


Getting Started

Account Setup

  1. Registration:
     1. Navigate to the platform login page
     2. Click "Register" to create a new account
     3. Fill in the required information (name, email, password)
     4. Accept the terms of service
     5. Submit the registration form
     6. You'll receive a confirmation email to verify your account

  2. Login:
     1. Return to the login page
     2. Enter your email and password
     3. Click "Login"
     4. On first login, you'll be prompted to complete your profile

  3. Profile Setup:
     1. Add your professional information
     2. Set notification preferences
     3. Configure 2FA (two-factor authentication) for enhanced security

Dashboard Overview

After logging in, you'll be taken to the main dashboard, which serves as your command center for all forensic operations:

  • Quick Stats: Overview of cases, evidence files, and recent activities
  • Recent Cases: Direct access to your most recent investigations
  • Active Workflows: Status of ongoing incident reconstruction workflows
  • Notifications: System alerts and updates
  • Navigation Menu: Access to all platform features

Key sections of the navigation menu:

  • Cases: Manage all your investigation cases
  • Evidence: Upload and manage forensic evidence
  • Analysis: Access forensic analysis tools
  • Correlation: Discover relationships between evidence items
  • Workflows: Create and manage incident reconstruction workflows
  • Reports: Generate and access investigative reports
  • Administration: User and organization management (admin users only)


Case Management

Creating a New Case

Cases are the foundation of your investigative work, providing a container for all evidence, analysis, and findings related to a specific incident or investigation.

To create a new case:

  1. Navigate to the "Cases" section from the main menu
  2. Click the "New Case" button
  3. Fill in the case details:
     • Case Name: A descriptive name for the investigation
     • Case Type: Select from predefined types (Security Incident, Compliance Audit, etc.)
     • Priority: Set the case priority (Low, Medium, High, Critical)
     • Description: Detailed information about the case
     • Start Date: When the investigation began
     • Tags: Optional keywords for easier filtering
  4. Click "Create Case"

Viewing Case Details

Each case has its own dedicated page with multiple tabs for different aspects of the investigation:

  1. Overview: Summary of case details, status, and key metrics
  2. Evidence: All evidence files associated with the case
  3. Analysis: Results of forensic analysis operations
  4. Correlations: Discovered relationships between evidence items
  5. Workflows: Incident reconstruction workflows
  6. Timeline: Chronological view of detected events
  7. Reports: Generated reports for this case
  8. Activity: Audit log of all actions taken within the case

To access case details:

  1. Navigate to the "Cases" section
  2. Click on the case name in the list
  3. Use the tabs to navigate between different aspects of the case


Evidence Management

Uploading Evidence Files

DFS by DreamGRC supports various types of forensic evidence that can be uploaded and analyzed.

To upload evidence:

  1. Navigate to the relevant case
  2. Select the "Evidence" tab
  3. Click the "Upload Evidence" button
  4. Choose the upload method:
     • Manual Upload: Directly upload files from your computer
     • Remote Collection: Collect evidence from remote endpoints (requires agent deployment)
  5. For manual uploads:
     1. Select the file(s) you wish to upload
     2. Choose the evidence type (Memory Dump, Disk Image, Network Capture, Log File, etc.)
     3. Add a description
     4. Set the acquisition date/time
     5. Click "Upload"
     6. Wait for the upload to complete
  6. The new evidence will appear in the evidence list

Remote Collection

For distributed investigations, DFS by DreamGRC supports remote evidence collection through lightweight collection agents:

  1. Navigate to the "Agents" section from the main menu
  2. Click "Deploy New Agent"
  3. Configure the agent:
     • Target Environment: Select the target OS (Windows, Linux, macOS)
     • Collection Capabilities: Choose what the agent can collect
     • Authentication: Set access credentials
  4. Click "Generate Agent"
  5. Download the agent package
  6. Deploy the agent on the target system(s) using the provided instructions
  7. Once deployed, agents will appear in the "Agents" list
  8. To collect evidence:
     1. Select the agent from the list
     2. Click "Collect Evidence"
     3. Configure the collection task (memory dump, specific artifacts, etc.)
     4. Click "Start Collection"
     5. Evidence will be automatically uploaded and associated with the selected case

Evidence File Types

DFS by DreamGRC supports a wide range of digital evidence types:

  1. Memory Dumps:
     • Raw memory images (.raw, .mem, .dmp)
     • Volatility-compatible formats
     • Supported tools: Volatility Framework, memory_analyzer

  2. Disk Images:
     • Full disk images (.dd, .img, .raw)
     • Volume images
     • Supported tools: The Sleuth Kit, file_analyzer

  3. Network Captures:
     • Packet captures (.pcap, .pcapng)
     • NetFlow data
     • Supported tools: Wireshark/Tshark

  4. Log Files:
     • System logs
     • Application logs
     • Security logs
     • Supported tools: log_analyzer

  5. Registry Files:
     • Windows registry hives
     • Supported tools: registry_analyzer

  6. Miscellaneous:
     • Documents
     • Email archives
     • Mobile device backups
     • Custom evidence types

Forensic Analysis

Single File Analysis

To analyze a single evidence file:

  1. Navigate to the case containing the evidence
  2. Select the "Evidence" tab
  3. Find the evidence file you want to analyze
  4. Click the "Analyze" button next to the file
  5. Configure the analysis:
     • Tool: Select the appropriate forensic tool (automatically suggested based on file type)
     • Command: Choose the specific analysis command/operation
     • Parameters: Set any additional parameters for the analysis
  6. Click "Start Analysis"
  7. The analysis will run in the background
  8. Once complete, you'll be notified and can view the results

Batch Analysis

For analyzing multiple evidence files at once:

  1. Navigate to the case containing the evidence
  2. Select the "Evidence" tab
  3. Check the boxes next to the files you want to analyze
  4. Click the "Batch Analysis" button
  5. Choose between:
     • Smart Analysis: Automatically selects optimal tools and commands for each file type
     • Custom Analysis: Manually configure analysis for each file type
  6. For Smart Analysis:
     1. Review the proposed analysis configurations
     2. Adjust if necessary
     3. Click "Start Batch Analysis"
  7. For Custom Analysis:
     1. Configure each file type's analysis settings
     2. Click "Start Batch Analysis"
  8. Monitor progress in the "Analysis" tab
  9. Once complete, you'll be notified and can view the results

Available Tools & Commands

DFS by DreamGRC integrates several industry-standard forensic tools:

  1. Volatility Framework (Memory Analysis):
     • process_list: Extract running processes
     • network_connections: Identify network connections
     • registry_analysis: Analyze registry artifacts in memory
     • malware_scan: Scan for indicators of malicious code
     • timeline_analysis: Extract timeline of events

  2. The Sleuth Kit (Disk Analysis):
     • disk_info: Get basic information about the disk image
     • filesystem_analysis: Analyze file system structures
     • file_recovery: Recover deleted files
     • timeline_analysis: Create filesystem timeline

  3. Wireshark/Tshark (Network Analysis):
     • packet_analysis: Analyze packet contents
     • protocol_statistics: Generate protocol usage statistics
     • traffic_patterns: Identify communication patterns
     • malicious_traffic_detection: Detect potentially malicious traffic

  4. Log Analyzer:
     • event_correlation: Correlate events across logs
     • anomaly_detection: Identify unusual patterns
     • timeline_analysis: Create event timeline
     • user_activity: Track user actions

  5. Correlation Engine:
     • ml_correlation: ML-based correlation between evidence files
     • timeline_analysis: Create comprehensive timeline across evidence types
     • pattern_match: Identify common patterns
     • similarity: Find similar artifacts between evidence files

Understanding Analysis Results

Analysis results are presented in a user-friendly format:

  1. Summary View: High-level overview of findings
  2. Technical Details: In-depth technical information
  3. Plain Language Explanation: Automatically generated explanation of what the findings mean
  4. Visualizations: Graphical representations of data where applicable
  5. Artifacts: Extracted files or data points
  6. Indicators of Compromise: Detected security indicators
  7. Timeline Entries: Events extracted for timeline creation
  8. Export Options: Save results in various formats

To interpret results:

  1. Start with the plain language explanation for a quick understanding
  2. Review the summary to grasp the key findings
  3. Explore technical details for in-depth examination
  4. Use visualizations to understand relationships and patterns
  5. Extract artifacts for further analysis if needed


Incident Reconstruction

Creating a Workflow

Incident reconstruction workflows provide a structured approach to investigate security incidents:

  1. Navigate to the relevant case
  2. Select the "Workflows" tab
  3. Click "New Workflow"
  4. Choose a workflow method:
     • Template-Based: Start with a predefined template
     • Custom Workflow: Build a workflow from scratch
  5. For template-based workflows:
     1. Select a template from the list
     2. Configure template parameters
     3. Click "Create Workflow"
  6. For custom workflows:
     1. Name your workflow
     2. Add a description
     3. Add steps manually (see below)
     4. Click "Create Workflow"

Workflow Templates

DFS by DreamGRC provides several templates for common investigation scenarios:

  1. Malware Incident Response:
     • Initial triage and containment
     • Evidence collection
     • Malware identification and analysis
     • System impact assessment
     • Root cause analysis
     • Remediation planning

  2. Data Breach Investigation:
     • Initial assessment
     • Evidence preservation
     • Attack vector identification
     • Scope determination
     • Data impact analysis
     • Timeline reconstruction
     • Regulatory reporting preparation

  3. Insider Threat Investigation:
     • Suspicious activity review
     • User activity timeline
     • Data access analysis
     • Communication pattern analysis
     • Intent determination

  4. Network Intrusion Analysis:
     • Initial compromise identification
     • Lateral movement tracking
     • Persistence mechanism detection
     • Data exfiltration analysis
     • Complete attack chain reconstruction

Step-by-Step Guidance

Each workflow consists of a series of steps that guide you through the investigation process:

  1. Step Types:
     • Evidence Collection: Gather specific evidence types
     • Analysis: Run specific forensic analysis
     • Correlation: Identify relationships between evidence
     • Review: Manual review checkpoint
     • Documentation: Document findings
     • Action: Take investigative actions

  2. Managing Workflow Steps:
     • Add new steps using the "Add Step" button
     • Reorder steps by dragging and dropping
     • Edit steps by clicking the "Edit" icon
     • Delete steps by clicking the "Delete" icon

  3. Executing Workflow Steps:
     1. Navigate to the workflow
     2. Start at the first incomplete step
     3. Follow the instructions for each step
     4. Complete required actions
     5. Mark the step as complete when finished
     6. Proceed to the next step
     7. The system will guide you through the entire workflow

Timeline Creation

As you progress through the workflow, the system automatically builds a comprehensive incident timeline:

  1. Timeline Sources:
     • Events extracted from evidence analysis
     • Correlation results
     • Manual entries added during investigation
     • System activities

  2. Timeline Features:
     • Interactive visualization
     • Filtering by event type, source, or keyword
     • Confidence level indicators
     • Event grouping and clustering
     • Export options

  3. Working with Timelines:
     1. Navigate to the "Timeline" tab in the case
     2. Review automatically generated entries
     3. Add manual entries for events not captured in evidence
     4. Add annotations to clarify events
     5. Adjust event timing if needed
     6. Export the timeline for reporting

Correlation Analysis

Running Correlations

Correlation analysis helps discover relationships between different evidence items:

  1. Navigate to the relevant case
  2. Select the "Correlations" tab
  3. Click "New Correlation"
  4. Choose the correlation type:
     • Standard Correlation: Basic relationship discovery
     • ML-Based Correlation: Advanced pattern detection using machine learning
     • Timeline Correlation: Time-based event correlation
     • Cross-Evidence Correlation: Find relationships across different evidence types
  5. Select the evidence files to include
  6. Configure correlation parameters
  7. Click "Run Correlation"
  8. Review the results in the visualization pane

ML-Based Correlations

The platform's advanced correlation engine uses machine learning to identify non-obvious relationships:

  1. Pattern Recognition:
     • Automatically identifies common patterns across evidence files
     • Detects anomalies and outliers
     • Clusters related events and artifacts

  2. Entity Extraction:
     • Identifies important entities (users, systems, files, etc.)
     • Maps relationships between entities
     • Creates entity relationship graphs

  3. Temporal Analysis:
     • Identifies temporal patterns and sequences
     • Detects causality between events
     • Reconstructs event chains

Interpreting Results

Correlation results are presented in multiple formats:

  1. Visualization: Interactive graph showing relationships between evidence items
  2. Table View: Detailed listing of all discovered correlations
  3. Confidence Scores: Indicators of correlation strength
  4. Plain Language Summaries: Automatically generated explanations of findings
  5. Evidence Links: Direct links to source evidence for each correlation

To work with correlation results:

  1. Start with the visualization for a high-level overview
  2. Use filters to focus on specific correlation types or evidence sources
  3. Explore individual correlations for detailed information
  4. Add important correlations to the case timeline
  5. Export correlation data for reporting


Report Generation

Report Types

DFS by DreamGRC supports several report types to meet different needs:

  1. Executive Summary:
     • High-level overview of the investigation
     • Key findings and conclusions
     • Non-technical language
     • Visual summaries
     • Recommended for management briefings

  2. Technical Report:
     • Comprehensive technical details
     • In-depth analysis findings
     • Tool outputs and artifacts
     • Technical language
     • Recommended for technical teams

  3. Forensic Analysis Report:
     • Focused on analysis methodology
     • Detailed evidence examination
     • Chain of custody documentation
     • Technical findings with explanations
     • Recommended for internal investigation documentation

  4. Incident Response Report:
     • Incident overview
     • Response timeline
     • Actions taken
     • Findings and impact assessment
     • Remediation recommendations
     • Recommended for incident documentation

  5. Regulatory Compliance Report:
     • Structured for regulatory requirements
     • Compliance-focused findings
     • Required documentation elements
     • Formal language
     • Recommended for regulatory submissions

Customization Options

Reports can be customized in several ways:

  1. Content Sections:
     • Executive summary
     • Methodology
     • Evidence inventory
     • Analysis findings
     • Timeline
     • Indicators of compromise
     • Recommendations
     • Appendices

  2. Format Options:
     • PDF (professionally formatted document)
     • HTML (interactive web-based report)
     • Plain text (simple text format)
     • Word document (editable format)

  3. Visual Elements:
     • Charts and graphs
     • Evidence screenshots
     • Timeline visualizations
     • Relationship diagrams

Exporting Reports

To generate and export a report:

  1. Navigate to the relevant case
  2. Select the "Reports" tab
  3. Click "Generate Report"
  4. Configure the report:
     • Select the report type
     • Choose included sections
     • Set the format
     • Add a custom title and description
  5. Click "Generate"
  6. Preview the report
  7. Make any necessary adjustments
  8. Click "Export" to download or share the report
  9. The report is also saved in the case for future reference

Administration

User Management

Administrators can manage users and permissions:

  1. Navigate to the "Administration" section
  2. Select "User Management"
  3. View all users in the system
  4. To add a new user:
     1. Click "Add User"
     2. Enter user details (name, email, role)
     3. Set permissions
     4. Click "Create User"
     5. An invitation will be sent to the new user
  5. To edit a user:
     1. Find the user in the list
     2. Click the "Edit" icon
     3. Modify user details or permissions
     4. Click "Save Changes"
  6. To deactivate a user:
     1. Find the user in the list
     2. Click the "Deactivate" button
     3. Confirm the action

Organization Settings

Administrators can configure organization-wide settings:

  1. Navigate to the "Administration" section
  2. Select "Organization Settings"
  3. Configure the available settings:
     • General Information: Organization name, logo, contact info
     • Security Settings: Password policies, session timeouts, 2FA requirements
     • Evidence Retention: Default retention periods
     • Report Templates: Custom report templates and branding
     • Notification Settings: Email notification preferences
     • API Access: API key management for integrations
  4. Click "Save Changes" to apply the new settings

Compliance & Standards

DFS by DreamGRC is designed to meet key forensic and regulatory standards:

  1. NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
     • Collection process compliance
     • Examination methodology
     • Analysis documentation
     • Reporting standards

  2. ISO/IEC 27037: Guidelines for identification, collection, acquisition, and preservation of digital evidence
     • Evidence handling procedures
     • Chain of custody documentation
     • Data preservation techniques

  3. GDPR Compliance:
     • Data minimization principles
     • Purpose limitation controls
     • Storage limitation features
     • Evidence anonymization options

The platform automatically enforces these standards through:

  • Structured workflows that follow standard methodologies
  • Comprehensive chain of custody tracking
  • Thorough documentation of all actions
  • Secure evidence handling procedures
  • Standardized reporting formats


Troubleshooting

Common issues and their solutions:

  1. Upload Problems:
     • Check file size limits (current maximum: 10GB per file)
     • Ensure the file format is supported
     • Verify the network connection
     • Try chunked upload for large files

  2. Analysis Errors:
     • Check whether the file is corrupted or password-protected
     • Verify that the correct analysis tool was selected
     • Check for sufficient system resources
     • Review the error message for specific guidance

  3. Performance Issues:
     • Close unnecessary browser tabs
     • Clear the browser cache
     • Limit the number of concurrent analyses
     • For large cases, use the batch processing features

  4. Login Problems:
     • Clear browser cookies
     • Reset your password if necessary
     • Check network connectivity
     • Verify that your account is active

For additional support:

  • Check the knowledge base in the Help Center
  • Contact support through the "Help" menu
  • Submit a support ticket for technical issues


API Integration

DFS by DreamGRC provides a comprehensive API for integration with other systems:

  1. API Access:
     1. Navigate to "Administration" > "API Access"
     2. Generate an API key
     3. Set permissions for the key
     4. Copy the key for use in your applications

  2. API Documentation:
     • Available at /api/documentation
     • Interactive Swagger UI for testing endpoints
     • Complete endpoint reference
     • Authentication details
     • Request and response examples

  3. Key API Endpoints:
     • /api/cases: Case management
     • /api/evidence: Evidence uploading and management
     • /api/analysis: Forensic analysis operations
     • /api/correlations: Correlation analysis
     • /api/reports: Report generation
     • /api/workflows: Incident reconstruction workflows

  4. Integration Examples:
     • SIEM systems for automated evidence collection
     • Ticketing systems for case management
     • Threat intelligence platforms for indicator enrichment
     • Custom dashboards for visualization

For detailed API implementation guidance, refer to the API documentation or contact the development team.
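As an added illustration, not code from this guide or from the DreamGRC platform, the following Python client calls the endpoints listed above. It assumes, since the guide does not say, that the API key is sent as a Bearer token, that request and response bodies are JSON, and the field names `name`, `case_type`, `priority`, `description`, `evidence_id`, `tool`, `command` and `parameters`; the base URL is a placeholder, and the `send` parameter exists so the client can be exercised without a live deployment.

```python
import json
import os
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional

# Placeholder host; set DFS_BASE_URL to your deployment's address.
BASE_URL = os.environ.get("DFS_BASE_URL", "https://dfs.example.invalid")

# Priority values listed under "Creating a New Case".
PRIORITIES = ("Low", "Medium", "High", "Critical")


def _http_send(req: urllib.request.Request) -> Dict[str, Any]:
    """Default transport: send the request and decode a JSON response."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class DfsClient:
    """Thin client for the endpoints the guide lists (/api/cases, /api/evidence, ...).

    Assumed, not confirmed by the guide: Bearer-token authentication, JSON
    request/response bodies, and the JSON field names used below.
    """

    def __init__(self, api_key: str, base_url: str = BASE_URL,
                 send: Callable[[urllib.request.Request], Dict[str, Any]] = _http_send) -> None:
        if not api_key:
            # Keys are generated under Administration > API Access; load them
            # from the environment or a secret store rather than hard-coding.
            raise ValueError("API key is required")
        self._key = api_key
        self._base = base_url.rstrip("/")
        self._send = send  # injectable so the client can be exercised offline

    def _request(self, method: str, path: str,
                 body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(self._base + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self._key)  # assumed scheme
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        return self._send(req)

    def create_case(self, name: str, case_type: str, priority: str,
                    description: str = "") -> Dict[str, Any]:
        """POST /api/cases with the fields from the "Creating a New Case" form."""
        if priority not in PRIORITIES:
            raise ValueError(f"priority must be one of {PRIORITIES}")
        return self._request("POST", "/api/cases", {
            "name": name, "case_type": case_type,
            "priority": priority, "description": description,
        })

    def list_evidence(self, case_id: str) -> Dict[str, Any]:
        """GET /api/evidence filtered by case (query parameter name assumed)."""
        query = urllib.parse.urlencode({"case_id": case_id})
        return self._request("GET", "/api/evidence?" + query)

    def start_analysis(self, evidence_id: str, tool: str, command: str,
                       parameters: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        """POST /api/analysis mirroring the Tool / Command / Parameters fields."""
        return self._request("POST", "/api/analysis", {
            "evidence_id": evidence_id, "tool": tool,
            "command": command, "parameters": parameters or {},
        })
```

Because the actual request and response schemas are documented at /api/documentation, check the field names there before using this against a real deployment.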