Another Industry First: Compare a Forensic Snapshot against a Baseline Image!
Emre Tınaztepe : Fri, Dec 24, '21
When responding to a cybersecurity incident, spending a lot of time analyzing forensic artifacts is a luxury that none of us have. Say you have an incident in an organization with thousands of servers and clients: analyzing the compromised environment will take weeks, even months.
Compare a forensic snapshot against a baseline image
In these kinds of situations having a tool that can quickly compare a forensic snapshot against a baseline image is a great advantage to have. By capturing a forensic snapshot of a compromised environment you can quickly perform a comparative analysis and identify potential malware and gather IOCs.
Decrease the analysis time
When responding to cyber incidents, time is a crucial aspect. Now, instead of spending weeks analyzing thousands of forensic artifacts, you can compare and analyze forensics artifacts with a couple of clicks and in less than 10 minutes.
Our Diffing feature is a brand new mode in the digital forensics industry that makes it possible to compare a DRONE forensic analysis to a baseline image and list the differences between the two. It is a comparison feature for forensic artifacts that significantly reduces the time of your investigations and periodic compromise assessments and increases the speed and quality of your incident response processes.
Consider DRONE your deep-dive investigator that handles all the hard work and presents you with quality results you can immediately act on to improve the overall security of your environment. Due to its flexible nature, you can add the diffing process to different Incident Response playbooks, and the ultimate benefit is that you don't have to be a forensic expert to use it: besides automatically showing you the changes between two case files, it has an easy-to-use interface.
How does it work?
As mentioned above, with the diffing feature you can compare the base (clean) image with the latest version of the forensic snapshot, and all the changes will be easily observable.
It is supported in CLI and Tower mode.
- CLI mode: the user specifies a flag to start the comparison process and then provides two case files. The resulting report is shown when the comparison finishes.
    DRONE.exe -n --compare CompareCases/CaseA.ppc CompareCases/CaseB.ppc
- Tower mode: in the first step the user selects Diffing from the UI and then clicks "Next". In the second step, the user uploads the case files for comparison and starts the comparison process, after which the report is shown. In this mode, reporting works dynamically: as soon as DRONE finds a difference, it is visible in the report.
What do we compare exactly?
We compare two images of the same operating system with each other.
For Windows images, we compare the sections below:
- AutorunsServices
- AutorunsScheduledTasks
- AutorunsRegistry
- AutorunsStartupFolder
- InstalledApps
- Drivers
- Firewall
- Hosts
- NetworkAdapters
- System DNS servers
- System Proxy address
For Linux images, we compare the sections below:
- System Proxy address
- CronJobs
- DNSResolvers
- IPRoutes
- IPTables
- Hosts
- KernelModules
- Mounts
- network interface
- SystemArtifacts
- Users
(Figure: Tower mode step, select Diffing)
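To make the comparison concrete, here is an added example (written for this post, not DRONE's own code, and not its .ppc case-file format) that models a case file as a mapping of section name to records and diffs a baseline against a later snapshot. The section names follow the Windows list above; the service names, paths, host name and addresses in the sample data are constructed placeholders. Differences are yielded one at a time as they are found, which is what lets a UI surface findings immediately instead of after the whole run, and are then collected into a per-section report of added, removed and changed records.

```python
"""Added example: baseline-vs-snapshot diff over forensic artifact sections.

Constructed for this post; not DRONE's own code or its case-file format.
A case file is modelled as {section: {record_key: {attribute: value}}}.
"""
import json
from typing import Any, Dict, Iterator, Tuple

Section = Dict[str, Dict[str, Any]]
Case = Dict[str, Section]

# Constructed sample data: a clean baseline and a later snapshot of the same
# host. Service names, paths, the host-name entry and the DNS addresses are
# invented placeholders (203.0.113.0/24 is a documentation range).
BASELINE: Case = {
    "AutorunsServices": {
        "Spooler": {"path": r"C:\Windows\System32\spoolsv.exe", "start": "auto"},
        "WinDefend": {"path": r"C:\Program Files\Windows Defender\MsMpEng.exe", "start": "auto"},
    },
    "AutorunsScheduledTasks": {
        r"\Microsoft\Windows\Defrag\ScheduledDefrag": {"action": "defrag.exe", "enabled": True},
    },
    "Hosts": {"localhost": {"ip": "127.0.0.1"}},
    "System DNS servers": {"primary": {"ip": "10.0.0.53"}},
}

SNAPSHOT: Case = {
    "AutorunsServices": {
        "Spooler": {"path": r"C:\Windows\System32\spoolsv.exe", "start": "auto"},
        "WinDefend": {"path": r"C:\Program Files\Windows Defender\MsMpEng.exe", "start": "disabled"},
        "UpdaterSvc": {"path": r"C:\Users\Public\updater.exe", "start": "auto"},
    },
    "AutorunsScheduledTasks": {},
    "Hosts": {
        "localhost": {"ip": "127.0.0.1"},
        "update.example.test": {"ip": "127.0.0.1"},
    },
    "System DNS servers": {"primary": {"ip": "203.0.113.7"}},
}


def iter_differences(baseline: Case, snapshot: Case) -> Iterator[Tuple[str, str, str, Any, Any]]:
    """Yield (section, kind, key, before, after) as each difference is found.

    Sections present in only one case file are treated as empty on the other
    side, so every record in them shows up as added or removed.
    """
    for section in sorted(baseline.keys() | snapshot.keys()):
        base = baseline.get(section, {})
        new = snapshot.get(section, {})
        for key in sorted(new.keys() - base.keys()):
            yield section, "added", key, None, new[key]
        for key in sorted(base.keys() - new.keys()):
            yield section, "removed", key, base[key], None
        for key in sorted(base.keys() & new.keys()):
            if base[key] != new[key]:
                yield section, "changed", key, base[key], new[key]


def diff_snapshots(baseline: Case, snapshot: Case) -> Dict[str, Dict[str, Dict[str, Any]]]:
    """Collect all differences as {section: {kind: {key: detail}}}.

    Sections with no differences are omitted, so an identical pair yields {}.
    """
    report: Dict[str, Dict[str, Dict[str, Any]]] = {}
    for section, kind, key, before, after in iter_differences(baseline, snapshot):
        bucket = report.setdefault(section, {"added": {}, "removed": {}, "changed": {}})
        if kind == "added":
            bucket["added"][key] = after
        elif kind == "removed":
            bucket["removed"][key] = before
        else:
            bucket["changed"][key] = {"before": before, "after": after}
    return report


def render_report(report: Dict[str, Dict[str, Dict[str, Any]]]) -> str:
    """Plain-text report: one header per section, one line per finding."""
    lines = []
    for section, kinds in report.items():
        lines.append(f"[{section}]")
        for kind, entries in kinds.items():
            for key, detail in entries.items():
                lines.append(f"  {kind:8s} {key}: {json.dumps(detail, sort_keys=True)}")
    return "\n".join(lines)


def load_case(path: str) -> Case:
    """Load a case file stored as JSON in the shape above (an assumed format)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    print(render_report(diff_snapshots(BASELINE, SNAPSHOT)))
```

Running the block prints a disabled protection service, a new autorun service under a user-writable path, a removed scheduled task, a new hosts-file entry and a changed DNS server: exactly the kind of delta an analyst wants to review first. Record keys are compared exactly, so a record that moved to a different key appears as a removal plus an addition rather than a change; a production tool would normalise keys (case, path separators) before comparing.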
Try today for free
Forensic analysts and incident responders shouldn’t be limited by the tools they use in responding to cyber incidents in the fastest and smartest way possible.
In this spirit, Binalyze has developed this innovative new feature that will save a lot of time for analysts and highly improve their incident response processes. In combination with its other features, Binalyze DRONE will dramatically transform the way analysts perform digital forensics analysis and create a new wave in the digital forensics and incident response community.
You can try the new diffing feature for free here.