AFR: Automatic Multi-Stage Forensic Data Retrieval

Investigating malware infections in enterprise networks is today a tedious task that requires a lot of manual intervention to find the relevant, scattered bits and bytes on infected hosts. In this paper the authors propose AFR, a framework for automatic multi-stage forensic data retrieval, which automatically analyzes and retrieves network, memory and disk data in order to preserve evidence of host compromise at a central location. AFR performs automated malware analysis using traditional intrusion detection techniques, such as network intrusion detection systems and antivirus software, but combines the resulting alarms in real time to proactively retrieve and archive the data that is relevant for retrospective investigations.

Provided by: Association for Computing Machinery Topic: Security Date Added: Dec 2012 Format: PDF