Security

AFR: Automatic Multi-Stage Forensic Data Retrieval

Date Added: Dec 2012
Format: PDF

Investigating malware infections in enterprise networks is today a tedious task that requires a lot of manual intervention to find the scattered relevant bits and bytes on infected hosts. In this paper the authors propose AFR, a framework for automatic multi-stage forensic data retrieval that automatically analyzes and retrieves network, memory and disk data in order to preserve evidence of host compromise at a central location. AFR performs automated malware analysis using traditional intrusion detection techniques such as network intrusion detection systems and antivirus software, but combines the resulting alarms in real time to proactively retrieve and archive the data that is relevant for retrospective investigations.
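As an added illustration (not code from the paper or its authors), the following Python sketches the correlate-then-retrieve loop the abstract describes: alarms from a NIDS and an antivirus agent arrive as constructed JSON lines, are correlated per host within a time window, and once two distinct sources corroborate the same host, evidence is pulled in order of volatility (network first, then memory, then disk) and archived centrally with a SHA-256 per artifact. The alarm format, the five-minute window, the two-source threshold and the collectors are assumptions of this example; real collectors would capture traffic, dump memory through an endpoint agent and image the disk.

```python
"""Real-time alarm correlation driving staged forensic retrieval.

Added example only; this is not AFR's implementation. All alarms below are
constructed, and the collectors return fabricated bytes so it runs offline.
"""
from __future__ import annotations

import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Order of volatility: the most transient evidence is collected first.
STAGES = ("network", "memory", "disk")
WINDOW = timedelta(minutes=5)   # assumed: alarms must fall within this window to corroborate
MIN_SOURCES = 2                 # assumed: distinct detectors needed before retrieval fires

# Constructed JSON-lines alarms, as a NIDS and an AV agent might forward them.
# 10.0.0.5: NIDS + AV within 30 s (fires once, the third alarm is a duplicate).
# 10.0.0.7: NIDS then AV six minutes later (window expired, no retrieval).
# 10.0.0.9: a single NIDS alarm, never corroborated.
SAMPLE_LINES = [
    '{"ts": "2012-12-01T10:00:00", "source": "nids", "host": "10.0.0.5", "msg": "possible C2 beacon"}',
    '{"ts": "2012-12-01T10:00:30", "source": "av", "host": "10.0.0.5", "msg": "Trojan.Generic in tmp.exe"}',
    '{"ts": "2012-12-01T10:01:00", "source": "nids", "host": "10.0.0.5", "msg": "second beacon"}',
    '{"ts": "2012-12-01T10:02:00", "source": "nids", "host": "10.0.0.9", "msg": "port scan"}',
    '{"ts": "2012-12-01T10:05:00", "source": "nids", "host": "10.0.0.7", "msg": "suspicious DNS"}',
    '{"ts": "2012-12-01T10:11:00", "source": "av", "host": "10.0.0.7", "msg": "PUA.Adware"}',
]


def parse_alarm(line: str) -> dict:
    """Parse one JSON alarm line; timestamps become datetime objects."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


class Correlator:
    """Keeps recent alarms per host and decides when retrieval should fire."""

    def __init__(self) -> None:
        self.recent = defaultdict(list)   # host -> [(ts, source), ...]
        self.triggered = set()            # hosts already under retrieval

    def feed(self, alarm: dict) -> bool:
        """Return True exactly once per host, when MIN_SOURCES detectors agree inside WINDOW."""
        host, ts = alarm["host"], alarm["ts"]
        # Drop alarms that have aged out of the correlation window.
        self.recent[host] = [(t, s) for t, s in self.recent[host] if ts - t <= WINDOW]
        self.recent[host].append((ts, alarm["source"]))
        sources = {s for _, s in self.recent[host]}
        if len(sources) >= MIN_SOURCES and host not in self.triggered:
            self.triggered.add(host)
            return True
        return False


def collect(stage: str, host: str) -> bytes:
    """Hypothetical collector: stands in for packet capture, memory dump and disk imaging."""
    return f"{stage}-evidence-from-{host}".encode()


class CentralArchive:
    """Central evidence store keyed by (host, stage), each artifact hashed on arrival."""

    def __init__(self) -> None:
        self.records = {}

    def store(self, host: str, stage: str, data: bytes, at: datetime) -> dict:
        rec = {"host": host, "stage": stage, "size": len(data),
               "sha256": hashlib.sha256(data).hexdigest(), "collected_at": at.isoformat()}
        self.records[(host, stage)] = rec
        return rec

    def manifest(self, host: str) -> list:
        """Archived records for a host, in volatility order."""
        return [self.records[(host, s)] for s in STAGES if (host, s) in self.records]


def retrieve(host: str, archive: CentralArchive, at: datetime) -> list:
    """Multi-stage retrieval: collect and archive each stage in order of volatility."""
    return [archive.store(host, stage, collect(stage, host), at) for stage in STAGES]


def run(lines) -> CentralArchive:
    """Feed alarm lines through the correlator and retrieve evidence for corroborated hosts."""
    corr, archive = Correlator(), CentralArchive()
    for line in lines:
        alarm = parse_alarm(line)
        if corr.feed(alarm):
            retrieve(alarm["host"], archive, alarm["ts"])
    return archive


if __name__ == "__main__":
    arc = run(SAMPLE_LINES)
    for host in ("10.0.0.5", "10.0.0.7", "10.0.0.9"):
        print(host, [r["stage"] for r in arc.manifest(host)])
```

The design choice worth noting is that retrieval fires on corroboration rather than on any single alarm: a lone NIDS signature or a lone AV hit is recorded but does not start pulling disk images, which keeps the central store from filling with false positives, while the per-host `triggered` set prevents a burst of alarms from re-imaging the same host.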