Real-time forensics through endpoint visibility


Abstract

Over the last years, an established forensic process has been in place that is known to every investigator and researcher. This traditional process is regarded as producing valid evidence in court trials and, more importantly, specifies at a very precise level how to acquire a suspect's machine and handle the data on it. However, when new technologies come into play, certain constraints appear: when an incident occurs in a network containing thousands of machines, such as a global corporate network, there is no such thing as shutting the machines down and sending in an investigation team. Moreover, a further question arises: is this an isolated incident, or are other clients affected as well? To address such questions, this paper compares three tools that aim to solve them by providing real-time forensics capabilities. These tools are meant to be deployed on a large scale so that they can deliver information at any time, from any client across the network. In addition to a feature comparison, we deployed these tools in a lab environment to evaluate their effectiveness after a malware attack, using malware with pre-selected features in order to allow a more precise and fair comparison.

Citation (APA)

Kieseberg, P., Neuner, S., Schrittwieser, S., Schmiedecker, M., & Weippl, E. (2018). Real-time forensics through endpoint visibility. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 216, pp. 18–32). Springer Verlag. https://doi.org/10.1007/978-3-319-73697-6_2
