We specialize in incident response across Windows systems from 9X to 11, including modern server platforms. With over 20 years of experience, we've developed effective practices, tools, and utilities to support fast, efficient investigations.
Our services help maintain forensic integrity and provide clear, actionable reports to aid in threat hunting and identifying affected systems. Whether you're responding to an active incident or preparing for potential threats, our expertise ensures meaningful support every step of the way. Click the link below to learn more about how we can assist your company with its cybersecurity needs.
Our incident response process is simple and straightforward. We start by understanding the system and its function, then analyze each service running on it and the services that system provides to your customers. From there, our analysis reviews the system as a whole. This article is a small sample of the information that we collect when performing Incident Response.
Artifact Collection
The incident response scripts that we have put together search the filesystem, running applications, listening ports and IP addresses and, where possible, the connections your system has made to other machines. Additionally, our tools search the logged-on user's environment for artifacts and record their hashes so they can be looked up against known-bad indicators.
Your network interfaces are scrutinized as well, along with routes and other network details. From this, incident responders can determine whether the system has been affected (sniffing, altered routing, suspicious last logins, etc.) and whether malicious traffic has traversed the environment(s).
Artifact Collection Information
-
Network Artifact Collection
Your system will be polled for network connections, running programs, and which programs are using which ports and PID numbers. This will help you identify any malicious communications or applications running on the system.
-
File System Collection
Your file system will be searched for files matching known-malicious hashes; this includes the Desktop, Downloads and Documents folder(s). Temp directories and other common staging locations are searched as well, so that incident responders can pull together the information about a system that needs to be cross-referenced.
-
User Collection
User information (for local accounts) will be polled on the local machine. This covers every profile under C:\Users\ (or the equivalent path on your system drive) and, if the scripts are run as administrator, all the files within each profile folder are hashed and checked against known-malicious hashes. The scripts also pull browser history and download records to determine whether the user has visited any malicious web locations or downloaded any malicious files.
-
Running Processes
All running processes will be dumped with detailed information (PID, parent, image path, command line) to help an incident responder cross-reference the other details collected from the system. This output sits in the directories created alongside the network output and the other dumps.
-
Full Collection
The purpose of this option is to collect all of the details discussed above and additionally isolate files that were created within the last 30 days. The tools also pull information from the system logs so that responders can focus their threat hunting efforts on specific areas.
During investigations we may also introduce custom software to collect from and analyze affected systems and produce actionable, efficient reports. Some of our tools can also pull samples during investigations, which supports reporting and can lead to additional areas that require immediate investigation.
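The following PowerShell script is an added example of the kind of collection described in the sections above; it is not our tooling and is not the code the scripts on this page run. It is written here to show what a full triage collection looks like end to end. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (the NetTCPIP cmdlets do not exist on older systems), an elevated session so that other users' profiles and the Security log are readable, and that the output root (the `$OutputRoot` parameter, e.g. removable media or a share) is a separate volume so nothing is written to the suspect disk. The function name `Invoke-TriageCollection`, the `$KnownBadHashes` indicator list, and the browser history paths are assumptions for the illustration; the responder supplies the real SHA256 indicators.

```powershell
# Added example, not the vendor's scripts. Assumes PS 5.1+, Windows 8/2012+, an elevated
# session, and an $OutputRoot on a separate volume (USB stick or SMB share), never on the
# suspect disk. Every output file is hashed into a manifest at the end so the collection
# itself can later be verified.
function Invoke-TriageCollection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $OutputRoot,        # e.g. 'E:\triage'
        [string[]] $KnownBadHashes = @(),                    # SHA256 IOCs from the responder
        [int]      $RecentDays     = 30                      # "recently created" window
    )
    $stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
    $outDir = Join-Path $OutputRoot "$($env:COMPUTERNAME)_$stamp"
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    $bad = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$KnownBadHashes, [System.StringComparer]::OrdinalIgnoreCase)
    $elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
                ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Collection context: host, collector, UTC time, whether we had admin rights.
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Collector = "$env:USERDOMAIN\$env:USERNAME"
        CollectedAtUtc = (Get-Date).ToUniversalTime().ToString('o'); Elevated = $elevated } |
        Export-Csv (Join-Path $outDir 'context.csv') -NoTypeInformation

    # Running processes: PID, parent PID, image path, command line, start time.
    $procs = @(Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate)
    $procs | Export-Csv (Join-Path $outDir 'processes.csv') -NoTypeInformation
    $procByPid = @{}; foreach ($p in $procs) { $procByPid[[int]$p.ProcessId] = $p }

    # Network: TCP connections and UDP listeners joined to the owning process by PID.
    $net = @(Get-NetTCPConnection | ForEach-Object {
        $o = $procByPid[[int]$_.OwningProcess]
        [pscustomobject]@{ Proto = 'TCP'; Local = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"; State = $_.State
            PID = $_.OwningProcess; Process = $o.Name; Path = $o.ExecutablePath }
    }) + @(Get-NetUDPEndpoint | ForEach-Object {
        $o = $procByPid[[int]$_.OwningProcess]
        [pscustomobject]@{ Proto = 'UDP'; Local = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = ''; State = 'Listen'; PID = $_.OwningProcess
            Process = $o.Name; Path = $o.ExecutablePath }
    })
    $net | Export-Csv (Join-Path $outDir 'network.csv') -NoTypeInformation
    Get-NetIPAddress | Export-Csv (Join-Path $outDir 'interfaces.csv') -NoTypeInformation
    Get-NetRoute     | Export-Csv (Join-Path $outDir 'routes.csv')     -NoTypeInformation

    # Users and files: hash Desktop/Downloads/Documents/Temp under every profile plus the
    # system temp dir, flag IOC matches and files created inside the recent window.
    $profiles = @(Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue)
    $profiles | Select-Object Name, FullName, CreationTimeUtc, LastWriteTimeUtc |
        Export-Csv (Join-Path $outDir 'users.csv') -NoTypeInformation
    $targets = @(foreach ($u in $profiles) {
        foreach ($sub in 'Desktop', 'Downloads', 'Documents', 'AppData\Local\Temp') { Join-Path $u.FullName $sub } })
    $targets += Join-Path $env:windir 'Temp'
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$RecentDays)
    $files = @(Get-ChildItem -Path $targets -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        [pscustomobject]@{ Path = $_.FullName; Size = $_.Length; CreatedUtc = $_.CreationTimeUtc
            ModifiedUtc = $_.LastWriteTimeUtc; SHA256 = $h
            KnownBad = [bool]($h -and $bad.Contains($h)); Recent = ($_.CreationTimeUtc -ge $cutoff) }
    })
    $files | Export-Csv (Join-Path $outDir 'files.csv') -NoTypeInformation

    # Browser history databases (Chrome/Edge default profiles; assumed paths). A copy can
    # fail while the browser holds the file open, so failures are tolerated, not fatal.
    foreach ($u in $profiles) {
        foreach ($rel in 'AppData\Local\Google\Chrome\User Data\Default\History',
                         'AppData\Local\Microsoft\Edge\User Data\Default\History') {
            $src = Join-Path $u.FullName $rel
            if (Test-Path $src) {
                $dst = Join-Path $outDir ("history_{0}_{1}.sqlite" -f $u.Name, ($rel.Split('\')[3]))
                Copy-Item $src $dst -ErrorAction SilentlyContinue
            }
        }
    }

    # Logon events from the Security log within the window (needs admin rights).
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4672; StartTime = $cutoff } -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message |
            Export-Csv (Join-Path $outDir 'logons.csv') -NoTypeInformation
    } catch { Write-Warning "Security log not collected: $_" }

    # Manifest: SHA256 of every output file, so the collection can be verified later.
    Get-ChildItem $outDir -File | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv (Join-Path $outDir 'manifest.csv') -NoTypeInformation

    [pscustomobject]@{ OutputDir = $outDir; Processes = $procs.Count; Sockets = $net.Count
        FilesHashed = $files.Count; KnownBadHits = @($files | Where-Object KnownBad).Count
        RecentFiles = @($files | Where-Object Recent).Count }
}

# Usage, from an elevated prompt, with the indicator list supplied by the responder:
# Invoke-TriageCollection -OutputRoot 'E:\triage' -KnownBadHashes (Get-Content 'E:\ioc-sha256.txt')
```

Two points matter for forensic integrity: write the output somewhere other than the suspect disk so the collection does not overwrite unallocated space or slack that later imaging may need, and keep the manifest with the output so anyone reviewing the CSVs can confirm they are the files the collector produced. Only TCP state and UDP listeners are captured; if the system has been disconnected from the network before collection, the connection table will already be mostly empty, so collect before isolating when the situation allows it.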
If you are interested in licensing our custom tooling, please let us know by filling out the Licensing & Tooling form.
If you feel that your system has been affected by malware, or you need assistance with Incident Response for your desktop or server environment please feel free to fill out the Incident Response request form below: