Secdo Blog

Time to say “Buh Bye” to post-mortem forensics

Sysinternals, sandboxes, EnCase, FTK, Sleuthkit, DFF, IEF, Wireshark, SIFT, CAINE, COFEE, Volatility, custom scripts in various languages, etc. If any of these names, terms and acronyms are commonly heard in your day to day, this post is specifically for you.

There are multiple use cases when these tools come in handy; data leakage, malware, misuse of resources, and more. Some of these tools must be installed locally, some focus on memory and others focus on specific artifacts. Generally speaking, each tool brings additional capabilities but they all have something in common – they are often used when an investigator needs to understand the “Five W’s” of an alert/breach/incident.

When it gets to the point where these kinds of tools are needed, everything becomes critical and the results must be delivered immediately. Sadly, these tools and their use rarely offer simplicity and investigations are never concluded quick enough.

All of these tools start with collecting evidence. In some cases, the idea is to take a memory dump and see what happened in the memory. Other times there’s a need to duplicate a hard drive and in some cases there is a need to actively record data for a period of time.

After the evidence we think we need are in the analyst’s possession, the process to figure out what took place can now begin. We are all fully aware that this process takes hours at best, but more often than not, it takes days to understand what happened. In most cases, the pertinent data is no longer available and the investigation concludes without the necessary answers.

A classic example is when a company suspects a former employee of stealing confidential corporate data. The security team needs to determine if the employee did in fact steal information. The team will take the employee’s PC, and review all available logs. Running a forensic analysis on the HD may show things like removable device connections, access to cloud shares, P2P software, personal emails and more. The analyst may never be able to get a definitive result and know exactly what happened. There are a few exceptions, but this is most commonly how these types of investigations end.

Time isn’t in the investigation team’s side. RAM memory is highly volatile and HD’s aren’t static either. If a machine is active, the difficulty of the investigation increases with every passing second as more and more sectors of the disk are overwritten, logs are rotated, and processes end.

Another problematic aspect is the required skill set needed to use these tools and decipher the results. Using and understanding tools like Volatility or Wireshark isn’t something a novice SOC analyst can do. Even sandbox reports are often inconclusive and two or more people reading them can end up with multiple conclusions.

What if there was another way?

Buh Bye post-mortem forensics. Hello Preemptive Forensics

Most companies collect logs in a centralized location, and some even collect and centralize raw packet data. This is very useful when an investigation is necessary, but analysts still need to access the endpoint. Why not collect evidence from the endpoint and store it centrally as well?

Since the SOC and IR teams need this information on a day to day basis, collecting and centralizing it like logs or packets will shorten the investigation time from days to minutes and will ensure results for every type of investigation.

By using SECDO’s Preemptive Forensics, even a SOC tier one security analyst can answer all five W’s, making all post-mortem classic forensic tools and methods a thing of the past. SECDO collects everything that happens on workstations and servers in the company for a minimum of 100 days and saves the evidence in a centralized location. SECDO provides an easy-to-understand UI for even the most complex scenarios.

Why waste valuable time attempting to understand what took place when you have a tool that provides you with the insight you desperately need?