Runbooks

Runbooks are reusable procedural checklists that guide investigators through specific evidence handling procedures or technical operations. They provide step-by-step instructions that can be attached to evidence items and case type actions.

What Are Runbooks?

A runbook is an ordered list of instructions for completing a specific procedure. Unlike case type actions (which define what needs to be done during an incident), runbooks describe how to perform a specific technical task.

For example, a case type for a malware infection might include an action "Isolate affected endpoint." The investigator knows what to do, but a less experienced team member might not know how. Attaching the Endpoint Containment runbook to that action provides the detailed steps.

Runbooks vs. Case Type Actions

| Concept | Purpose | Example |
| --- | --- | --- |
| Case Type Actions | Define the response workflow — what to do | "Isolate affected endpoints from the network" |
| Runbooks | Provide step-by-step procedures — how to do it | 10-step endpoint containment checklist |

Passive checklists: Runbooks are informational guides. Completing all steps in a runbook does not automatically complete the parent action or change the evidence item status. The investigator must still mark the action as complete separately.

Where Runbooks Are Used

Runbooks can be attached in two places:

1. Evidence Items

When an evidence item is created, runbooks defined on its evidence type are automatically attached. For example, creating a "Hard Drive Internal" evidence item will automatically attach the "Hard Drive Acquisition & Handling" runbook.

Investigators can also manually attach additional runbooks from the Runbooks tab in the evidence detail view, or detach runbooks that are not relevant.

2. Case Type Actions

Case type actions can have a runbook attached to provide detailed instructions. When a case is created from that case type, the action appears with a runbook icon indicating that procedural guidance is available. Clicking the action expands the runbook steps inline.

Snapshots: When a runbook is attached to an evidence item or action, a snapshot of the runbook steps is stored. This means editing or deleting the global runbook definition does not affect runbooks already in use on existing evidence items or cases.

Default Runbooks

DFIRe ships with 14 runbooks covering common evidence handling and response procedures:

Evidence Handling

| Runbook | Attached To | Description |
| --- | --- | --- |
| Hard Drive Acquisition & Handling | Hard Drive Internal, Hard Drive External | Documenting, write-blocking, and imaging hard drives and SSDs |
| Flash Media Acquisition & Handling | Flash Media, SIM Card | Handling USB drives, SD cards, SIM cards, and similar removable media |
| Memory Image Verification & Processing | Memory Image (RAM) | Verifying integrity and initial processing of volatile memory captures |
| Disk Image Verification & Integrity | Disk Image | Verifying forensic disk image integrity and preparing for analysis |
| Mobile Device Intake & Preservation | Mobile Phone, Tablet | Intake and signal isolation for mobile devices |
| Computer Intake & Preservation | Laptop, Workstation, Server | Standard intake for computers received as physical evidence |
| Log File Integrity & Processing | Log File | Verifying integrity and establishing reliability of collected logs |
| Malware Sample Safe Handling | Malware Sample | Safe receiving, storage, and preparation of malware samples |
| Network Capture Verification & Processing | Network Capture (PCAP) | Verifying integrity and documenting provenance of network captures |
| Account Evidence Preservation | User Account, E-Mail Account | Preserving evidence from user and email accounts |
| Cloud Resource Evidence Preservation | Cloud Resource, Virtual Machine | Preserving evidence from cloud infrastructure before modification |

Technical Operations

| Runbook | Used In Actions | Description |
| --- | --- | --- |
| Endpoint Containment | General Cyber, Malware Infection, Network Compromise | Step-by-step endpoint isolation while preserving forensic evidence |
| Evidence Collection - Workstation | General Cyber, Cloud Security, Policy Violation | Volatile and non-volatile evidence collection in order of volatility |
| Reset User Password and Sessions | Financial Fraud, Cloud Security, General Cyber, Lost Equipment | Complete account reset including sessions, tokens, and MFA |

Managing Runbooks

Creating a Runbook

  1. Go to System Settings > Runbooks

    The runbooks table shows all defined runbooks with their step counts.

  2. Click "New Runbook"
  3. Fill in the Details
    • Name: Descriptive name for the procedure
    • Slug: Unique identifier (auto-generated from name, used in JSON references)
    • Description: Brief explanation of when to use this runbook (supports markdown)
  4. Add Steps

    Each step has an order number and an instruction. Steps are displayed in order and can be toggled between a visual editor and a JSON editor for bulk editing.

Assigning Runbooks to Evidence Types

  1. Go to System Settings > Evidence Types
  2. Edit the Evidence Type
  3. Select Default Runbooks

    Choose one or more runbooks from the dropdown. These will be automatically attached when new evidence items of this type are created.

Existing items: Changing the default runbooks on an evidence type only affects newly created items. Existing evidence items retain whatever runbooks were attached at creation time.

Assigning Runbooks to Case Type Actions

  1. Go to System Settings > Case Types
  2. Edit the Case Type
  3. Edit an Action

    In the action's JSON definition, add a runbook_slug field with the slug of the runbook to attach.

Actions with workflows: An action can have either a workflow (decision tree) or a runbook, but not both. If an action already has a workflow_definition, the runbook will not be attached.

Using Runbooks During Investigations

On Evidence Items

Navigate to an evidence item and click the Runbooks tab. Each attached runbook shows its steps as a checklist. Click individual steps to mark them as completed. The sidebar shows overall progress across all attached runbooks.

To attach additional runbooks, click Attach Runbook and select from the list of available runbooks. To remove an irrelevant runbook, click the detach button.

On Case Actions

In the case view's Actions tab, actions with attached runbooks display a book icon. Click the action to expand the runbook steps inline. Steps can be checked off as they are completed.

Tracking Progress

Runbook progress is visible in several places:

  • Evidence sidebar: Shows combined progress bar across all attached runbooks
  • Runbooks tab: Shows per-runbook step completion with count badge
  • Case actions: Individual step checkmarks within the action view

Import and Export

Runbooks are included in the system settings export/import. This allows you to:

  • Back up runbook definitions alongside other system configuration
  • Transfer runbooks between DFIRe instances
  • Version-control your runbook library by exporting settings to a JSON file

The export includes the runbook definitions, evidence type default runbook assignments, and case type action runbook references.
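Because a case type action's runbook_slug is a free-form JSON reference, and because the export bundles runbooks, evidence type defaults and action references together, a version-controlled runbook library benefits from a consistency check before import. The following added example (not DFIRe's own code) checks an export for the two failure modes described under "Assigning Runbooks to Case Type Actions": a runbook_slug that resolves to nothing, and an action that carries both workflow_definition and runbook_slug, where the runbook would silently not be attached. Only the runbook_slug and workflow_definition field names come from this page; the top-level layout ("runbooks", "evidence_types" with a "default_runbooks" list, "case_types" with "actions") and the step fields "order" and "instruction" are assumed for illustration, and the sample export is constructed with three deliberate defects.

```python
"""Consistency check for runbook references in a settings export.

Added example, not DFIRe's own code. The export layout used here is an
assumed shape for illustration; only the runbook_slug and
workflow_definition field names are documented.
"""
import json


def find_runbook_reference_problems(export: dict) -> list[str]:
    """Return human-readable problems; an empty list means the export is consistent."""
    problems: list[str] = []
    known: set[str] = set()

    # 1. Runbook definitions: unique slugs, at least one step, sane ordering.
    for rb in export.get("runbooks", []):
        slug = rb.get("slug")
        if not slug:
            problems.append(f"runbook {rb.get('name')!r} has no slug")
            continue
        if slug in known:
            problems.append(f"duplicate runbook slug {slug!r}")
        known.add(slug)
        steps = rb.get("steps", [])
        if not steps:
            problems.append(f"runbook {slug!r} has no steps")
        orders = [s.get("order") for s in steps]
        if orders != sorted(orders) or len(set(orders)) != len(orders):
            problems.append(f"runbook {slug!r} has out-of-order or duplicate step numbers")

    # 2. Evidence type defaults must point at defined runbooks.
    for et in export.get("evidence_types", []):
        for slug in et.get("default_runbooks", []):
            if slug not in known:
                problems.append(
                    f"evidence type {et.get('name')!r} references unknown runbook {slug!r}")

    # 3. Case type actions: slug must resolve, and not coexist with a workflow.
    for ct in export.get("case_types", []):
        for action in ct.get("actions", []):
            slug = action.get("runbook_slug")
            if slug is None:
                continue
            where = f"action {action.get('title')!r} in case type {ct.get('name')!r}"
            if slug not in known:
                problems.append(f"{where} references unknown runbook {slug!r}")
            if "workflow_definition" in action:
                problems.append(
                    f"{where} has both workflow_definition and runbook_slug; "
                    "the runbook will not be attached")
    return problems


# Constructed sample export (assumed layout) with three deliberate defects:
# mis-ordered steps, a misspelled evidence type default, and an action that
# carries both a workflow and a runbook.
SAMPLE_EXPORT = json.loads("""
{
  "runbooks": [
    {"slug": "endpoint-containment", "name": "Endpoint Containment",
     "steps": [{"order": 1, "instruction": "Record hostname and time"},
               {"order": 2, "instruction": "Isolate from network"}]},
    {"slug": "hard-drive-acquisition", "name": "Hard Drive Acquisition & Handling",
     "steps": [{"order": 2, "instruction": "Image with write-blocker"},
               {"order": 1, "instruction": "Photograph and label drive"}]}
  ],
  "evidence_types": [
    {"name": "Hard Drive Internal", "default_runbooks": ["hard-drive-acquisition"]},
    {"name": "Disk Image", "default_runbooks": ["disk-image-verificaton"]}
  ],
  "case_types": [
    {"name": "Malware Infection", "actions": [
      {"title": "Isolate affected endpoint", "runbook_slug": "endpoint-containment"},
      {"title": "Triage host", "runbook_slug": "endpoint-containment",
       "workflow_definition": {"root": "q1"}}
    ]}
  ]
}
""")


if __name__ == "__main__":
    for line in find_runbook_reference_problems(SAMPLE_EXPORT):
        print("-", line)
```

Run the check in the same pipeline that commits the exported JSON, so that a renamed slug or a copy-pasted action is caught before it reaches a production instance, where the missing runbook would only be noticed by the investigator who needed it.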

API and MCP Access

Runbooks are accessible via the REST API at /api/runbooks/ and through the MCP server tools. The MCP create_item tool automatically attaches default runbooks when creating evidence items, and the manage_runbook_steps tool allows toggling step completion programmatically.