
Feature Spotlight: Forensic Collection

Overview

After a ransomware attack, incident responders need to investigate how the attackers succeeded. Some of this evidence can be collected afterwards during the investigation, but much of it is volatile and must be captured while the attack is still active. Memory contents, open files and open network connections are important clues that let incident responders reach a determination quickly. RansomStop can now automatically collect certain information at the moment an attack is detected, before response actions (such as stopping the malicious process) have been taken.

Information Collected

RansomStop will try to collect the following information, although not every item will be available in every attack.
  1. Suspicious Executable (process image)
  2. Files referenced in the suspicious command line execution
  3. Open file handles by the suspicious process
  4. All open network connections
  5. All running processes
  6. Suspicious process memory minidump
  7. Registry keys that are used for persistence

Collection Process

To stop ransomware processes as quickly as possible and limit damage, RansomStop first suspends the ransomware process so that it stops functioning while its memory and network connections remain intact. RansomStop then performs all of the forensic collection and stores the resulting files safely in your RansomStop Admin Portal. After collection is complete, the ransomware process is moved from suspended to stopped. This process typically takes only a few seconds.
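The ordering above (suspend first, collect volatile evidence while the process is frozen, terminate last) is the part that matters for investigators, and the "Information Collected" list above is what gets gathered in between. The following script is an added illustration of that sequence and is not RansomStop's own code. It assumes a Linux host and uses SIGSTOP/SIGKILL and /proc as stand-ins for the Windows mechanisms the page does not describe; the memory minidump is represented by the process's memory map, persistence registry keys have no Linux equivalent and are omitted, and collect_broken is a constructed collector that fails on purpose to show that one failing collector neither aborts the remaining collection nor delays containment. The harmless target process, the evidence directory and the manifest format are all assumptions made for the example.

```python
import hashlib, json, os, signal, subprocess, sys, tempfile, time
from pathlib import Path

def _read(path):
    """Best-effort read of a /proc entry; one missing entry must not abort collection."""
    try:
        return Path(path).read_bytes()
    except OSError as exc:
        return f"<unavailable: {exc}>".encode()

# Collectors: each takes a pid and returns (artifact_name, bytes). Linux /proc only (assumption).
def collect_cmdline(pid):            # item 2: command line of the suspicious process
    return "cmdline.txt", _read(f"/proc/{pid}/cmdline").replace(b"\0", b" ")

def collect_open_files(pid):         # item 3: open file handles of the suspicious process
    fd_dir = Path(f"/proc/{pid}/fd")
    lines = []
    for fd in sorted(fd_dir.iterdir(), key=lambda p: int(p.name)):
        try:
            lines.append(f"{fd.name} -> {os.readlink(fd)}")
        except OSError as exc:
            lines.append(f"{fd.name} -> <{exc}>")
    return "open_files.txt", "\n".join(lines).encode()

def collect_net_connections(pid):    # item 4: sockets survive because the process is only suspended
    return "net_tcp.txt", _read("/proc/net/tcp")

def collect_process_list(pid):       # item 5: all running processes
    pids = sorted(int(p) for p in os.listdir("/proc") if p.isdigit())
    lines = [f"{p} {_read(f'/proc/{p}/comm').decode(errors='replace').strip()}" for p in pids]
    return "processes.txt", "\n".join(lines).encode()

def collect_memory_maps(pid):        # item 6 stand-in: memory layout instead of a full minidump
    return "maps.txt", _read(f"/proc/{pid}/maps")

def collect_broken(pid):             # constructed: a collector that fails mid-collection
    raise RuntimeError("minidump writer unavailable")

def process_state(pid):
    """Scheduler state letter from /proc/<pid>/stat ('T' = stopped by signal)."""
    return Path(f"/proc/{pid}/stat").read_text().rpartition(")")[2].split()[0]

def wait_for_stop(pid, timeout_s=2.0):
    """Poll until the SIGSTOP has actually taken effect; returns False on timeout."""
    end = time.monotonic() + timeout_s
    while time.monotonic() < end:
        if process_state(pid) in ("T", "t"):
            return True
        time.sleep(0.01)
    return False

def suspend_collect_terminate(pid, collectors, evidence_dir, deadline_s=5.0):
    """Freeze the process, gather volatile evidence, then kill it, in that order."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"pid": pid, "evidence_dir": str(evidence_dir), "artifacts": [], "errors": []}
    os.kill(pid, signal.SIGSTOP)                 # 1. suspend: no more encryption, memory intact
    manifest["suspended_at"] = time.time()
    manifest["state_at_collection"] = process_state(pid) if wait_for_stop(pid) else "?"
    deadline = time.monotonic() + deadline_s
    try:
        for collector in collectors:             # 2. collect while frozen
            if time.monotonic() > deadline:      # containment must not wait on slow collectors
                manifest["errors"].append(f"{collector.__name__}: skipped, deadline exceeded")
                continue
            try:
                name, data = collector(pid)
            except Exception as exc:             # one broken collector must not stop the rest
                manifest["errors"].append(f"{collector.__name__}: {exc}")
                continue
            (evidence_dir / name).write_bytes(data)
            manifest["artifacts"].append({"name": name, "bytes": len(data),
                                          "sha256": hashlib.sha256(data).hexdigest()})
    finally:
        os.kill(pid, signal.SIGKILL)             # 3. terminate, even if collection blew up
        manifest["terminated_at"] = time.time()
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def run_demo(evidence_dir=None):
    """Spawn a harmless stand-in for the suspicious process and triage it."""
    evidence_dir = evidence_dir or tempfile.mkdtemp(prefix="triage-")
    target = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
    try:
        manifest = suspend_collect_terminate(
            target.pid,
            [collect_cmdline, collect_open_files, collect_net_connections,
             collect_process_list, collect_memory_maps, collect_broken],
            evidence_dir)
    finally:
        exit_status = target.wait(timeout=10)    # reap the child; SIGKILL shows as -9
    manifest["exit_status"] = exit_status
    return manifest

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest records a SHA-256 for every artifact at the moment it is written, so an investigator can later show that the files in the evidence store are the ones captured during the incident. The termination step sits in a finally block and the collection loop has a deadline for the same reason the page gives: evidence is valuable, but containment is the priority and must never depend on every collector succeeding.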

Forensic Evidence Collection List

[Screenshot: Forensic Collections List]

Forensic Detail and Downloads

[Screenshot: Forensic Collection Detail]

Summary

This is a feature that we hope you never need. If you do need it, we think it will be invaluable in a post-attack incident response scenario, allowing investigators to pinpoint the root cause, provide immediate recommendations to secure your organization, and return to normal as quickly as possible.