During the course of a typical day, your team might have to review dozens or hundreds of security alerts, hopefully only a fraction of which will turn out to be real incidents. As you begin your response to these alerts, rather than simply trusting the alert as accurate and remediating, or pulling a full disk image from each potentially infected endpoint and doing a deep-dive investigation, you can do something in between: a triage collection.
A triage collection is a targeted subset of files grabbed from an endpoint so that you can complete a rapid preliminary “triage” investigation. By starting out with a smaller, targeted collection, you can complete that initial investigation more quickly, which matters when you need to scale up your response efforts. In many cases, you can get a fairly complete story about what happened on an endpoint just by looking at a few key artifacts. This webinar covers four categories of data in a triage collection: volatile data, Windows and file system artifacts, persistence mechanisms, and application-specific information. We walk through at a high level why the artifacts in each of these categories are valuable and how you can use them in a variety of investigation types.