Suspicious activity occurs on an endpoint, so the incident response team launches an investigation to find out what happened. Did a breach occur? Are any other endpoints infected? What was the purpose of the attack? How was the endpoint compromised?
The challenge IR teams face is to classify the collected data and find the malicious files as quickly as possible. Time is a major factor in limiting the damage to the environment. To accomplish this task the IR team will collect forensic evidence from one or more of the following sources: hard-disk (HD) forensics, memory forensics, and live forensics. At this point they will have hundreds, if not thousands, of files and pieces of information that need to be analyzed and classified. This analysis is time-consuming and must be done carefully so as not to miss any artifact crucial to the investigation. It can often feel like looking for a needle in a haystack.
Fortunately, there are ways to accelerate the forensic methods mentioned above. Learn how you can quickly classify and analyze the mass of files and memory dumps collected through these methods in less time than ever.
Plus, learn how to integrate with the handy Volatility plugin to get comprehensive, automatic analysis of loaded processes alongside the plugin's own powerful capabilities.