Hunting in the Enterprise: Forensic Triage and Incident Response
Venue
Digital Investigation, vol. 10 (2013), pp. 89-98
Publication Year
2013
Abstract
In enterprise environments, digital forensic analysis generates data volumes that
traditional forensic methods are no longer prepared to handle. Triaging has been
proposed as a solution to systematically prioritize the acquisition and analysis of
digital evidence. We explore the application of automated triaging processes in
such settings, where reliability and customizability are crucial for a successful
deployment. We specifically examine the use of GRR Rapid Response (GRR) – an
advanced open source distributed enterprise forensics system – in the triaging
stage of common incident response investigations. We show how this system can be
leveraged for automated prioritization of evidence across the whole enterprise
fleet and describe the implementation details required to obtain sufficient
robustness for large-scale enterprise deployment. We analyze the performance of the
system by simulating several realistic incidents and discuss some of the
limitations of distributed agent-based systems for enterprise triaging.
