9 Powerful Rapid DFIR Checklist: Patch to Proof

Security teams patch fast—then get stuck on a harder question:

“Can we prove we weren’t compromised before we patched?”

When high-severity bulletins hit (Android patch levels, Apple WebKit fixes, Windows Patch Tuesday with active exploitation), patching is necessary—but it’s not evidence. If an attacker already landed, patching can stop the same entry point while leaving persistence, stolen tokens, mailbox rules, or mobile profiles untouched.

This guide gives you a rapid DFIR checklist you can run right after emergency mobile + desktop updates to produce audit-friendly proof, identify compromise early, and escalate cleanly when you need deeper forensics.


Need hands-on DFIR help? Start here: https://www.pentesttesting.com/digital-forensic-analysis-services/
Want risk-based scoping + readiness? https://www.pentesttesting.com/risk-assessment-services/
Need containment + hardening sprints? https://www.pentesttesting.com/remediation-services/



High-Impact Bulletins Summary (Why this rapid DFIR checklist matters)

Android Security Bulletin (Jan 2026) — Security Patch Level focus

  • Your proof goal: confirm devices actually reached the required patch level (not “update pending”).
  • Your DFIR goal: confirm no pre-patch exploitation artifacts remain on endpoints, especially where devices lagged.

Apple iOS/iPadOS 26.2 — WebKit fixes (high-risk browsing surface)

  • WebKit is a common risk amplifier because browsing happens everywhere (Safari + in-app web views).
  • Your proof goal: confirm OS version compliance + validate account integrity (Apple ID / IdP sessions).

Windows Patch Tuesday (Jan 2026) — actively exploited issues

  • “Patched” isn’t the same as “safe.” Attackers commonly chain: foothold → privilege escalation → persistence.
  • Your DFIR goal: detect persistence + suspicious identity activity that patching won’t remove.

The 9-Step Rapid DFIR Checklist (Patch → Proof)

1) Start a Case Folder (Before you “clean up”)

Outcome: a repeatable evidence pack structure your team can defend later.

Windows (PowerShell, Admin)

$CaseId = "CASE-" + (Get-Date -Format "yyyyMMdd-HHmmss")
$Base   = "C:\IR\$CaseId"
New-Item -ItemType Directory -Force -Path $Base | Out-Null
"created=$((Get-Date).ToString('o'))`ncase_id=$CaseId" | Out-File "$Base\case_notes.txt" -Encoding utf8
New-Item -ItemType Directory -Force -Path "$Base\exports","$Base\hashes","$Base\packages" | Out-Null
Write-Host "Case folder: $Base"

macOS / Linux (Terminal)

CASE_ID="CASE-$(date +%Y%m%d-%H%M%S)"
BASE="$HOME/IR/$CASE_ID"
mkdir -p "$BASE"/{exports,hashes,packages}
printf "created=%s\ncase_id=%s\n" "$(date -Iseconds)" "$CASE_ID" > "$BASE/case_notes.txt"
echo "Case folder: $BASE"

2) Prove Patch Compliance (Don’t trust “update applied”)

Outcome: hard evidence that endpoints reached the required OS/patch level.

Android (ADB)

adb devices
adb shell getprop ro.build.version.security_patch
adb shell getprop ro.build.fingerprint
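An added example (not from the original post) that turns the collected ro.build.version.security_patch values into a compliance list: the required patch level, the device names and the sample values are constructed placeholders, and a missing or malformed value is deliberately counted as non-compliant because "no proof" must not pass as "patched".

```python
from datetime import date, datetime

# Assumed baseline: the Security Patch Level the bulletin you are tracking requires.
REQUIRED_SPL = date(2026, 1, 1)

# Constructed sample, one "<serial> <value>" line per device, as collected with
#   adb -s <serial> shell getprop ro.build.version.security_patch
SAMPLE_INVENTORY = """\
DEVICE-01 2026-01-01
DEVICE-02 2025-11-01
DEVICE-03 2026-01-05
DEVICE-04
DEVICE-05 not-a-date
"""

def parse_spl(value):
    """Patch level as a date, or None when the property is missing or malformed."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None

def check_patch_levels(inventory_text, required=REQUIRED_SPL):
    """Split devices into compliant [(serial, spl)] and non-compliant [(serial, raw, days_behind)].
    Missing or unparseable values are non-compliant: no proof never counts as patched."""
    compliant, noncompliant = [], []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        serial, _, raw = line.partition(" ")
        raw = raw.strip()
        spl = parse_spl(raw)
        if spl is None:
            noncompliant.append((serial, raw or "<missing>", None))
        elif spl < required:
            noncompliant.append((serial, raw, (required - spl).days))
        else:
            compliant.append((serial, raw))
    return compliant, noncompliant
```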

iOS/iPadOS (MDM export preferred)

If you have an MDM CSV export (device name, user, OS version), quickly flag non-compliant devices:

import csv

MIN_SAFE = (26, 2, 0)  # set your baseline as (major, minor, patch); versions are padded to three parts below

def vtuple(v):
    # "26.2" -> (26, 2, 0); non-numeric parts such as beta tags are ignored
    parts = [int(p) for p in v.strip().split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

bad = []
with open("mdm_inventory.csv", newline="", encoding="utf-8") as f:
    for r in csv.DictReader(f):
        v = (r.get("os_version") or r.get("OS Version") or "").strip()
        # a blank version is "no proof", so flag it instead of silently skipping the row
        if not v or vtuple(v) < MIN_SAFE:
            bad.append((r.get("device_name"), r.get("user"), v or "<missing>"))

print("Non-compliant iOS/iPadOS devices:")
for row in bad:
    print(row)

Windows (Patch + build evidence)

$Out = "C:\IR\patch_proof"
New-Item -ItemType Directory -Force -Path $Out | Out-Null
systeminfo | Out-File "$Out\systeminfo.txt"
(Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsBuildNumber) |
  Out-File "$Out\build.txt"
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 25 |
  Export-Csv "$Out\hotfix_last25.csv" -NoTypeInformation

3) Preserve “Minimum Viable Evidence” (MVE) in 30–60 minutes

Outcome: fast capture that still supports a real timeline later.

Windows: Export core logs (high signal)

$Base = (Get-ChildItem C:\IR -Directory -Filter "CASE-*" | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName
$Out  = "$Base\exports"
wevtutil epl Security "$Out\Security.evtx"
wevtutil epl System "$Out\System.evtx"
wevtutil epl Application "$Out\Application.evtx"
wevtutil epl "Microsoft-Windows-PowerShell/Operational" "$Out\PowerShell_Operational.evtx"

macOS: Unified logs (time-bounded)

BASE="$(ls -1td "$HOME/IR"/CASE-* | head -1)"
mkdir -p "$BASE/exports"
log show --last 24h --style syslog > "$BASE/exports/unifiedlog_last24h.txt"
log show --last 24h --predicate 'eventMessage CONTAINS[c] "ssh" OR eventMessage CONTAINS[c] "login"' \
  --style syslog > "$BASE/exports/auth_signals_last24h.txt"

Android: Quick triage capture

CASE="android_case_$(date +%Y%m%d-%H%M%S)"
mkdir -p "$CASE"
adb shell getprop ro.build.version.security_patch > "$CASE/security_patch.txt"
adb shell pm list packages -f > "$CASE/packages.txt"
adb logcat -d > "$CASE/logcat.txt"
adb bugreport "$CASE/bugreport.zip"

iOS: If you can, take an encrypted backup (best evidence yield)

If you have libimobiledevice available:

CASE="ios_case_$(date +%Y%m%d-%H%M%S)"
mkdir -p "$CASE"
ideviceinfo > "$CASE/ideviceinfo.txt"
# Turn on backup encryption on the device first (idevicebackup2 "encryption on" subcommand) so keychain items are included, and record the password in your case notes.
idevicebackup2 backup --full "$CASE/ios_backup_full"

4) Validate Endpoint Telemetry (Your “proof of visibility”)

Outcome: confirm you actually can see what you need to see.

Check these in EDR/MDM/SIEM (document each):

  • Sensor health + last check-in time
  • Policy applied (tamper protection, real-time protection)
  • Local admin changes / privilege escalation detections
  • New persistence creation alerts
  • New profiles / VPN / certificates (mobile)
  • New OAuth consents / impossible travel / risky sign-ins (identity)

Windows Defender quick status evidence

$Base = (Get-ChildItem C:\IR -Directory -Filter "CASE-*" | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName
Get-MpComputerStatus | Out-File "$Base\exports\defender_status.txt"

5) Hunt “Patch-Resistant” Persistence (Because patching doesn’t remove it)

Outcome: catch the things attackers keep after you patch.

Windows: Fast persistence sweep

$Base = (Get-ChildItem C:\IR -Directory -Filter "CASE-*" | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName
$Out  = "$Base\exports"

schtasks /Query /V /FO CSV > "$Out\scheduled_tasks.csv"
Get-CimInstance Win32_Service | Select Name,State,StartMode,PathName | Export-Csv "$Out\services.csv" -NoTypeInformation
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s > "$Out\run_hklm.txt"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s > "$Out\run_hkcu.txt"
Get-LocalGroupMember Administrators | Export-Csv "$Out\local_admins.csv" -NoTypeInformation

macOS: LaunchAgents/Daemons + profiles

BASE="$(ls -1td "$HOME/IR"/CASE-* | head -1)"
ls -al /Library/LaunchAgents  > "$BASE/exports/launchagents_library.txt"
ls -al /Library/LaunchDaemons > "$BASE/exports/launchdaemons_library.txt"
ls -al "$HOME/Library/LaunchAgents" > "$BASE/exports/launchagents_user.txt"
profiles status -type enrollment > "$BASE/exports/profiles_enrollment.txt" 2>&1
profiles show -type configuration > "$BASE/exports/profiles_configuration.txt" 2>&1

Android: Look for risky indicators (baseline-style)

adb shell settings list global > global_settings.txt
adb shell dumpsys device_policy > device_policy.txt
adb shell dumpsys wifi > wifi_state.txt
adb shell dumpsys account > accounts_dump.txt 2>/dev/null || true

6) Correlate Identity Signals (Mobile + desktop incidents often pivot through accounts)

Outcome: prove whether compromise was device-only, account-only, or both.

Capture and preserve:

  • IdP sign-ins (IPs, user agents, geo)
  • Session revocations (time and operator)
  • MFA resets / recovery method changes
  • Mailbox rules + forwarding
  • OAuth app consent events

Example: Write a clean “incident timeline” CSV (starter template)

timestamp_utc,source,entity,action,details
2026-01-27T03:10:00Z,MDM,iphone-CEO,os_update,iOS 26.2 installed
2026-01-27T03:25:10Z,IdP,[email protected],signin,New device + new IP
2026-01-27T03:40:00Z,EDR,WS-1021,alert,Suspicious persistence created

7) Build a Timeline You Can Defend (Patch → Proof narrative)

Outcome: a single story: what happened, when, scope, and why you believe it’s contained.

Simple correlation with Python (merge multiple CSVs by time)

import csv
from datetime import datetime, timezone

def parse_ts(ts):
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    # timestamps without an offset are assumed to be UTC, so aware and naive values sort together
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def load(path, source):
    out = []
    with open(path, newline="", encoding="utf-8") as f:
        for r in csv.DictReader(f):
            ts = r.get("timestamp_utc") or r.get("time") or ""
            if not ts:
                continue  # rows without a timestamp cannot be placed on the timeline
            out.append((parse_ts(ts), source, r))
    return out

events = []
events += load("idp_events.csv", "IdP")
events += load("edr_alerts.csv", "EDR")
events += load("mdm_changes.csv", "MDM")

events.sort(key=lambda x: x[0])
for ts, src, r in events:
    print(ts.isoformat(), src, r.get("entity") or r.get("device") or "", r.get("action") or "", r.get("details") or "")

8) Define Isolation Triggers (When to pull a device out now)

Use these “stop the bleeding” triggers (document which one fired):

  • Active exploitation indicators (suspicious process + outbound C2)
  • New admin / privilege escalation events
  • Unknown MDM profile / certificate install
  • Repeated authentication anomalies tied to the same endpoint
  • Evidence of token theft / mailbox persistence

Containment rule: isolate first and preserve second only when damage is ongoing (active ransomware encryption or fraud). Otherwise preserve quickly, then isolate.
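As an added example (not part of the original post), three of the step 8 triggers evaluated over a timeline in the step 6 CSV layout: new admin or privilege-escalation events, MDM profile installs that are not on an allowlist, and repeated IdP anomalies on one endpoint inside a sliding window. The timeline rows, the action names, the allowlist and the threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed timeline in the same columns as the starter template in step 6.
SAMPLE_TIMELINE = """\
timestamp_utc,source,entity,action,details
2026-01-27T03:10:00Z,MDM,iphone-0042,os_update,iOS 26.2 installed
2026-01-27T03:25:10Z,IdP,WS-1021,risky_signin,New device + new IP
2026-01-27T03:31:00Z,IdP,WS-1021,risky_signin,Impossible travel
2026-01-27T03:44:00Z,IdP,WS-1021,risky_signin,Unfamiliar user agent
2026-01-27T03:50:00Z,MDM,iphone-0042,profile_installed,Corp-WiFi
2026-01-27T04:02:00Z,MDM,iphone-0042,profile_installed,Unknown-VPN-Profile
2026-01-27T04:10:00Z,EDR,WS-1021,local_admin_added,user svc-ws added to Administrators
"""

# Assumed allowlist of profiles your MDM legitimately pushes; anything else is "unknown".
KNOWN_PROFILES = {"Corp-WiFi", "Corp-Email"}
AUTH_ANOMALY_THRESHOLD = 3                 # repeated anomalies on one endpoint ...
AUTH_ANOMALY_WINDOW = timedelta(hours=1)   # ... inside this sliding window

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def evaluate_triggers(timeline_csv):
    """Return (entity, trigger, timestamp) for each isolation trigger that fired, in time order."""
    rows = sorted(csv.DictReader(io.StringIO(timeline_csv)),
                  key=lambda r: parse_ts(r["timestamp_utc"]))
    fired = []
    auth_hits = defaultdict(list)   # entity -> timestamps of recent auth anomalies
    for r in rows:
        ts, ent, act, det = parse_ts(r["timestamp_utc"]), r["entity"], r["action"], r["details"]
        if act in ("local_admin_added", "privilege_escalation"):
            fired.append((ent, "new_admin_or_privesc", ts))          # trigger: new admin / privesc
        elif act == "profile_installed" and det not in KNOWN_PROFILES:
            fired.append((ent, "unknown_profile", ts))               # trigger: unknown MDM profile
        elif r["source"] == "IdP" and act == "risky_signin":
            # drop anomalies that fell out of the window, then add this one
            hits = [t for t in auth_hits[ent] if ts - t <= AUTH_ANOMALY_WINDOW] + [ts]
            auth_hits[ent] = hits
            if len(hits) == AUTH_ANOMALY_THRESHOLD:                 # fire once when crossed
                fired.append((ent, "repeated_auth_anomalies", ts))
    return fired
```

Document which trigger fired and when; the returned timestamp is the moment the isolation decision became defensible.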


9) Package Evidence with Hashes (Audit-ready)

Outcome: a portable proof bundle that supports DFIR escalation.

Cross-platform hashing (macOS/Linux)

BASE="$(ls -1td "$HOME/IR"/CASE-* | head -1)"
find "$BASE" -type f ! -path "$BASE/hashes/*" -print0 | xargs -0 shasum -a 256 > "$BASE/hashes/SHA256SUMS.txt"

Windows hashing

$Base = (Get-ChildItem C:\IR -Directory -Filter "CASE-*" | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName
Get-ChildItem -Recurse $Base -File | Where-Object { $_.DirectoryName -ne "$Base\hashes" } |
  Get-FileHash -Algorithm SHA256 |
  Export-Csv "$Base\hashes\SHA256SUMS.csv" -NoTypeInformation
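An added example (not from the original post) of sealing a case folder and verifying it later: the manifest is written in the same hashes/SHA256SUMS.txt location and shasum line format as above and is excluded from its own list, and the demo builds a constructed case folder in a temporary directory, then alters one export and deletes another to show what an auditor's re-check reports.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST = Path("hashes") / "SHA256SUMS.txt"   # same location the shell/PowerShell steps use

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(base):
    """Hash every file under base except the manifest itself; shasum-style 'hex  relpath' lines."""
    base = Path(base)
    target = base / MANIFEST
    target.parent.mkdir(parents=True, exist_ok=True)
    lines = [f"{sha256_file(p)}  {p.relative_to(base).as_posix()}"
             for p in sorted(base.rglob("*")) if p.is_file() and p != target]
    target.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return len(lines)

def verify_manifest(base):
    """Re-hash against the manifest; returns (ok, modified, missing) relative paths."""
    base = Path(base)
    ok, modified, missing = [], [], []
    for line in (base / MANIFEST).read_text(encoding="utf-8").splitlines():
        digest, _, rel = line.partition("  ")
        p = base / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            modified.append(rel)
        else:
            ok.append(rel)
    return ok, modified, missing

def demo():
    """Constructed case folder: seal two files, then alter one and delete the other."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "exports").mkdir()
        (base / "exports" / "Security.evtx").write_bytes(b"constructed evtx bytes")
        (base / "case_notes.txt").write_text("case_id=CASE-TEST\n", encoding="utf-8")
        count = write_manifest(base)
        (base / "exports" / "Security.evtx").write_bytes(b"altered after sealing")
        (base / "case_notes.txt").unlink()
        return count, verify_manifest(base)
```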

When to Engage Pentest Testing Corp (DFIR deep-dive + readiness validation)

If you have any of these, you’ll benefit from a forensic-led engagement:

  • WebKit exposure + executive/mobile device anomalies
  • Windows persistence indicators, lateral movement, or suspicious admin actions
  • Identity compromise signals (impossible travel, new OAuth consents, mailbox rules)
  • You need a customer-shareable incident summary + evidence trail

Start DFIR: https://www.pentesttesting.com/digital-forensic-analysis-services/
Scope impact fast: https://www.pentesttesting.com/risk-assessment-services/
Fix gaps and harden: https://www.pentesttesting.com/remediation-services/


Free Website Vulnerability Scanner (tool page)

Here, you can view the interface of our free tools webpage, which offers multiple security checks. Visit Pentest Testing’s Free Tools to perform quick security tests.

Run a quick scan here: https://free.pentesttesting.com/
(For deeper validation and customer-ready reporting, see our services above.)

Sample Scan Report to check Website Vulnerability (from the tool)

A sample vulnerability report provides detailed insights into various vulnerability issues, which you can use to enhance your application’s security.



Free Consultation

If you have any questions or need expert assistance, feel free to schedule a free consultation with one of our security engineers.

