Everyone — except for some consultants paid by the hour — wants to skip the tedious work associated with digital investigation. The good news is there are many ways of using automation so you can focus less on the tedious and more on the interesting.
This post covers 3 types of automation investigators should know about.
Let’s get started.
What Are Automated Investigations?
Automation is when the application does the next step for you. Manual is when the user needs to press a button or type a command. So, an automated investigation is when your software does as many steps as possible before involving the investigator.
The investigator still makes the final call, they just have fewer buttons to press.
Automated Investigation Benefits
There are many ways to add automation into your digital investigations, and each has its own benefits.
The 2 major benefits:
| Speed | Consistency |
|---|---|
| Automation can make investigations faster because computers do some types of tasks faster, and there is no delay between tasks. | Automation ensures all necessary data is collected and analyzed, even when junior examiners are involved. |
3 Ways to Automate Investigations
There are several ways to add automations.
Let’s focus on 3:
- Automated collection: Ensure data is quickly and accurately collected.
- Automated scoring: Ensure you quickly focus on relevant artifacts and not noise.
- Automated normalization: Merge artifacts into simple concepts.
#1 – Automated Data Collection
The first step to any investigation is getting access to data to analyze. Automating the live collection process ensures quick access to all data needed.
How to automate:
- Have a single program do the snapshot collection, even if it’s a script that runs other programs. Users should only need to run one program.
- Allow users to remotely collect. Either use an investigation tool with persistent agents or integrate with agents already in place.
- Use continuous monitoring so data is stored centrally, and you can quickly access it.
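As an added example of the "single program" advice above (this is not Cyber Triage's, KAPE's or any other tool's code), the script below is one collector that walks a KAPE-style list of targets, copies every matching file into an output folder, hashes each copy and writes a manifest. The target patterns, the sample host layout and the file contents are all constructed for the demo; a failed copy is recorded in the manifest instead of aborting, so one locked file cannot silently leave the collection short.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumed collection targets, written in the spirit of a KAPE-style target list:
# a name and a glob pattern relative to the root of the system being collected.
# These patterns are constructed for the demo, not copied from any tool.
TARGETS = {
    "Prefetch": "Windows/Prefetch/*.pf",
    "EventLogs": "Windows/System32/winevt/Logs/*.evtx",
    "Amcache": "Windows/appcompat/Programs/Amcache.hve",
}


def sha256_file(path: Path) -> str:
    """Hash the copied file so the manifest can later prove what was collected."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect(root: Path, out_dir: Path, targets=TARGETS) -> dict:
    """Copy every file matched by the targets into out_dir, keeping the relative
    path, and return a manifest of hashes and errors. A failed copy (locked or
    unreadable file) is recorded rather than raised, so one bad file never
    stops the rest of the collection."""
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"root": str(root), "files": [], "errors": []}
    for name, pattern in targets.items():
        for src in sorted(root.glob(pattern)):
            rel = src.relative_to(root)
            dst = out_dir / rel
            try:
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, dst)
                manifest["files"].append({
                    "target": name,
                    "path": rel.as_posix(),
                    "size": dst.stat().st_size,
                    "sha256": sha256_file(dst),
                })
            except OSError as exc:
                manifest["errors"].append(
                    {"target": name, "path": rel.as_posix(), "error": str(exc)})
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def build_demo_host(root: Path) -> None:
    """Constructed sample host layout (placeholder bytes, not real artifacts) so the
    example runs offline. One file sits outside every target and must be skipped."""
    files = {
        "Windows/Prefetch/CMD.EXE-0BD30981.pf": b"prefetch-sample-1",
        "Windows/Prefetch/NOTEPAD.EXE-D8414F97.pf": b"prefetch-sample-2",
        "Windows/System32/winevt/Logs/Security.evtx": b"evtx-sample",
        "Windows/appcompat/Programs/Amcache.hve": b"hive-sample",
        "Users/alice/Documents/notes.txt": b"not in any target",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo() -> dict:
    """Build the demo host in a temp dir, collect it, and return the manifest."""
    work = Path(tempfile.mkdtemp(prefix="collect-demo-"))
    build_demo_host(work / "host")
    return collect(work / "host", work / "out")


if __name__ == "__main__":
    result = run_demo()
    print(f"collected {len(result['files'])} files with {len(result['errors'])} errors")
```

The manifest is the part that matters for consistency: an examiner (or a later tool) can read it to confirm which targets were satisfied and which files failed, instead of discovering a gap days into the analysis.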
Benefits:
| Speed | Consistency |
|---|---|
| Allowing users to remotely start collections means they can quickly start the process, and it won’t block waiting for user interaction. | Having a single program ensures you don’t forget to run one, and therefore miss critical data. |
Examples:
| Name | Description |
|---|---|
| KAPE | KAPE is a popular collection tool that will copy files based on sets of rules and can run additional programs. It requires multiple files to be copied to the target system and .NET to be installed. |
| Cyber Triage | The Cyber Triage Collector is a single Windows executable that collects Windows artifacts. It is adaptive and will parse and resolve artifacts on the host so that it can collect as many relevant executables and files as possible. It integrates with the common EDRs. |
| Velociraptor | Velociraptor is an agent-based DFIR tool that you can use to issue queries to thousands of systems. You can also collect data from it, and its output structure is similar to KAPE’s. |
| EDRs | EDRs (such as Windows Defender for Endpoint, CrowdStrike Falcon, and SentinelOne) are continuous monitoring solutions if your subscription has data retention. These systems monitor process activity and will save it so you can quickly query it during an investigation. These data sets may not be complete, though, if the attacker used evasion tactics. |
| Sysmon | Sysmon is another example of a continuous monitoring solution. You can configure it to send data to a central SIEM and then query that to quickly start an investigation. |
#2 – Automated Artifact Scoring
Only a small subset of data is related to an investigation. The investigator’s main responsibility is to find that relevant data, and scoring helps identify it.
Scoring will identify artifacts as:
- Bad: Related to the attack.
- Suspicious: Could be related to an attack.
- Good: Not related to an attack.
- Unknown: Unclear if related to an attack.
When an investigator’s tools score for them, their first task is to review the bad and suspicious items before aimlessly looking in different places for items that could be suspicious.
Common ways to score:
- Use malware scanning engines to identify bad or suspicious files. Use multiple engines for a broad set of opinions, including some that use fuzzy matching techniques to find unique variations of files.
- Use YARA or Sigma rules to flag malicious files and event logs. These rules are shared within the community based on the research of others and the TTPs attackers use.
- Use Machine Learning and AI to look for outliers and data that matches previous incidents.
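To make the Bad / Suspicious / Good / Unknown scheme concrete, here is an added example (not Cyber Triage's, Hayabusa's or Chainsaw's code) of a small scorer that starts each process record from hash intelligence and then lets Sigma-style rules raise the score. The rules, the hash lists and the four process records are all constructed for the demo; the `field|modifier` spelling borrows Sigma's `contains`, `endswith` and `startswith` modifiers, with every field in a selection required to match.

```python
from dataclasses import dataclass, field
from typing import Dict, List

BAD, SUSPICIOUS, GOOD, UNKNOWN = "Bad", "Suspicious", "Good", "Unknown"
# Rule evidence can only raise a score: a Suspicious rule hit on a known-good
# file still surfaces it for review, and nothing downgrades Bad.
RANK = {BAD: 3, SUSPICIOUS: 2, GOOD: 1, UNKNOWN: 0}

# Constructed hash intelligence; a real deployment feeds these from threat intel.
KNOWN_BAD = {"constructed-sha256-bad-1"}
KNOWN_GOOD = {"constructed-sha256-good-1"}

# Sigma-style rules: every field in `selection` must match (logical AND).
# Constructed for the demo, not taken from any published rule set.
RULES = [
    {"title": "PowerShell with encoded command line", "level": SUSPICIOUS,
     "selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": "-enc"}},
    {"title": "Executable running from user temp directory", "level": SUSPICIOUS,
     "selection": {"Image|contains": "\\AppData\\Local\\Temp\\"}},
]


@dataclass
class Scored:
    record: Dict[str, str]
    score: str
    reasons: List[str] = field(default_factory=list)


def field_matches(value: str, modifier: str, needle: str) -> bool:
    """Case-insensitive comparison, following Sigma's default string semantics."""
    value, needle = value.lower(), needle.lower()
    if modifier == "contains":
        return needle in value
    if modifier == "endswith":
        return value.endswith(needle)
    if modifier == "startswith":
        return value.startswith(needle)
    return value == needle


def rule_matches(rule: dict, record: Dict[str, str]) -> bool:
    for spec, needle in rule["selection"].items():
        name, _, modifier = spec.partition("|")
        if not field_matches(record.get(name, ""), modifier, needle):
            return False
    return True


def score_record(record, rules=RULES, bad=KNOWN_BAD, good=KNOWN_GOOD) -> Scored:
    """Start from hash intelligence, then let any matching rule raise the score."""
    verdict, reasons = UNKNOWN, []
    digest = record.get("Sha256", "")
    if digest in bad:
        verdict, reasons = BAD, ["SHA-256 on bad list"]
    elif digest in good:
        verdict, reasons = GOOD, ["SHA-256 on good list"]
    for rule in rules:
        if rule_matches(rule, record):
            reasons.append(rule["title"])
            if RANK[rule["level"]] > RANK[verdict]:
                verdict = rule["level"]
    return Scored(record, verdict, reasons)


def triage(records) -> List[Scored]:
    """Score everything and put Bad first so the analyst starts with notable items."""
    return sorted((score_record(r) for r in records), key=lambda s: -RANK[s.score])


# Constructed process records in the shape of parsed process-creation events.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "Sha256": "constructed-sha256-good-1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc AAAA", "Sha256": "constructed-sha256-unknown-1"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "CommandLine": "update.exe",
     "Sha256": "constructed-sha256-bad-1"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "Sha256": "constructed-sha256-unknown-2"},
]

if __name__ == "__main__":
    for item in triage(SAMPLE_RECORDS):
        print(f"{item.score:<10} {item.record['Image']}  <- {', '.join(item.reasons) or 'no match'}")
```

The `reasons` list is what the investigator reviews first: it records which rule or which list produced the score, so a Suspicious item can be confirmed or dismissed without re-running the analysis by hand.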
Benefits:
| Speed | Consistency |
|---|---|
| You save time by letting the software apply thousands of rules to each artifact. You can then quickly focus on only notable ones. | It’s easy to miss evidence when it is a tiny subset. Using automation ensures you reliably review each file. It also means you can always use the latest threat intelligence during your analysis. |
Examples:
| Name | Description |
|---|---|
| Cyber Triage | Cyber Triage uses malware scanning engines, AI, YARA and Sigma rules, threat intelligence, and other heuristics from attacker TTPs to score artifacts. |
| Hayabusa and Chainsaw | Hayabusa and Chainsaw are popular open source tools that use Sigma rules to analyze event logs and flag entries that are bad or suspicious. |
| THOR | THOR is an IOC and YARA scanner that will run on a live system and identify files that match the rules. |
| Velociraptor | Velociraptor can run queries on the endpoints, and some are written to flag certain types of suspicious or bad activity. |
| EDRs | EDRs will flag bad processes and sometimes user behavior from their observations of endpoints. EDRs often focus on scoring bad and not suspicious items because their primary goal is detection. |
#3 – Automated Artifact Normalization
Investigators must often locate and de-duplicate artifacts that recorded what happened on the host. For example, evidence a process ran can be found in Prefetch, Event ID 4688, and several other locations.
Each location may have both unique and overlapping data. Making the investigator manually de-duplicate is a waste of time.
Automated tools can normalize and merge multiple low-level data artifacts (such as Prefetch and Event ID 4688) to a single higher-level information artifact (such as Process). This is easier and faster for the investigator to interpret.
How to automate:
- Convert the collected lower-level artifacts and event logs into the higher-level concepts.
- Merge observations of the same event into a single artifact.
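As an added example of both steps (not Cyber Triage's code, and not how it implements its mapping), the script below normalizes three low-level data artifacts that each record a process start (a parsed Prefetch file, a Security event ID 4688 and a Sysmon event ID 1) into one common observation shape, then merges observations of the same start into a single higher-level Process artifact. The field names of the input records and the 30-second merge window are assumptions, and the six records are constructed; note that a later run of the same program stays a separate artifact.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ProcessArtifact:
    """The higher-level 'Process' information artifact built from several sources."""
    name: str                       # executable basename, lower-cased for matching
    first_seen: datetime
    last_seen: datetime
    path: Optional[str] = None      # filled in by whichever source knows it
    pid: Optional[int] = None
    sha256: Optional[str] = None
    sources: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def normalize(record: dict) -> dict:
    """Map one low-level data artifact onto a common observation shape. The three
    record layouts are simplified stand-ins (assumed field names) for a parsed
    Prefetch file, a Security 4688 event and a Sysmon event ID 1."""
    src = record["source"]
    if src == "prefetch":
        return {"name": record["executable"].lower(), "path": None, "pid": None, "sha256": None,
                "time": datetime.fromisoformat(record["last_run"]),
                "source": f"prefetch:{record['file']}"}
    if src == "security:4688":
        path = record["NewProcessName"]
        return {"name": basename(path), "path": path, "pid": int(record["NewProcessId"], 16),
                "sha256": None, "time": datetime.fromisoformat(record["TimeCreated"]),
                "source": "security:4688"}
    if src == "sysmon:1":
        path = record["Image"]
        hashes = dict(h.split("=", 1) for h in record["Hashes"].split(","))
        return {"name": basename(path), "path": path, "pid": int(record["ProcessId"]),
                "sha256": hashes.get("SHA256"),
                "time": datetime.strptime(record["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
                "source": "sysmon:1"}
    raise ValueError(f"unknown source {src!r}")


def merge(records, window: timedelta = timedelta(seconds=30)) -> List[ProcessArtifact]:
    """Fold observations of the same process start into one artifact. Observations
    merge when the executable name matches, any known full paths agree, and they fall
    within `window` of each other; anything else becomes a new artifact."""
    observations = sorted((normalize(r) for r in records), key=lambda o: o["time"])
    artifacts: List[ProcessArtifact] = []
    for obs in observations:
        for art in artifacts:
            same_path = (art.path is None or obs["path"] is None
                         or art.path.lower() == obs["path"].lower())
            if art.name == obs["name"] and same_path and obs["time"] - art.last_seen <= window:
                art.last_seen = obs["time"]          # observations are time-sorted
                art.path = art.path or obs["path"]
                art.pid = art.pid if art.pid is not None else obs["pid"]
                art.sha256 = art.sha256 or obs["sha256"]
                art.sources.append(obs["source"])
                break
        else:
            artifacts.append(ProcessArtifact(obs["name"], obs["time"], obs["time"], obs["path"],
                                             obs["pid"], obs["sha256"], [obs["source"]]))
    return artifacts


# Constructed data artifacts: three views of one cmd.exe start, two of a
# powershell.exe start, and a second, unrelated cmd.exe start 90 minutes later.
SAMPLE_RECORDS = [
    {"source": "security:4688", "TimeCreated": "2024-03-01T10:00:00",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "NewProcessId": "0x1a2c"},
    {"source": "sysmon:1", "UtcTime": "2024-03-01 10:00:00.512", "Image": r"C:\Windows\System32\cmd.exe",
     "ProcessId": "6700", "Hashes": "MD5=constructed-md5,SHA256=constructed-sha256-cmd"},
    {"source": "prefetch", "file": "CMD.EXE-0BD30981.pf", "executable": "CMD.EXE",
     "last_run": "2024-03-01T10:00:01"},
    {"source": "security:4688", "TimeCreated": "2024-03-01T10:05:00",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "NewProcessId": "0x1b40"},
    {"source": "prefetch", "file": "POWERSHELL.EXE-022A1004.pf", "executable": "POWERSHELL.EXE",
     "last_run": "2024-03-01T10:05:02"},
    {"source": "security:4688", "TimeCreated": "2024-03-01T11:30:00",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "NewProcessId": "0x2f10"},
]

if __name__ == "__main__":
    for art in merge(SAMPLE_RECORDS):
        print(f"{art.first_seen:%H:%M:%S} {art.name:<16} pid={art.pid} sources={art.sources}")
```

Six data artifacts collapse to three Process artifacts, and the merged cmd.exe entry carries the full path and PID from the 4688 event, the SHA-256 from Sysmon, and the Prefetch file name, so the investigator reads one record instead of reconciling three.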
Benefits:
| Speed | Consistency |
|---|---|
| Users have fewer artifacts to review because overlapping data artifacts are merged. | Users will not forget to look at a certain type, and you are not relying only on the training of the investigator to know where to look. |
Examples:
Cyber Triage is the only tool we’ve seen that does this. It maps data artifacts to information artifacts and merges duplicates together. For example, it merges data from the Security, Terminal Services, and Local Session Manager logs together for inbound remote logins to create a single session.
Try Automation (Right) Now
Get rid of the tedious tasks in your investigations, and they will be faster, and investigators will be happier. Making sure collections automatically start, artifacts are scored, and artifacts are normalized will help streamline your SOC and DFIR investigations.
Want to try all 3 automations right now? You can with our free, 7-day trial of Cyber Triage.