- How can we rapidly get consistent data across every incident from remote locations?
- How can we standardize the collection process across all locations, so that the primary incident handler receives actionable data?
- Can we do this with a free toolset?
- Can we customize this based on our needs?
- Can we give remote analysts a simplified interface for data collection?
As of this posting, our customization of the Triage application has allowed us to do the following:
- It has increased response efficiency by standardizing the collection of files by remote analysts.
- It has decreased the number of incorrect files being sent to us for analysis.
- It has decreased the analysis time when looking for suspicious and unknown autoruns.
- It serves as a training tool for new malware analysts, showing them what to look at.
- It lets us keep historic snapshots of suspicious machines on which we were unable to find IOCs.
- Response time for getting files from remote analysts has dropped to about 1 hr.

- Getting Robocopy to work in XP. I have the exe, just need to test it.
- Have Triage execute on machines when our antivirus solution fires an alert.
- Compress and move the incident file off the host machine and onto a network share.
- Modify Triage to use an INI file for variables, so that customization can happen without recompiling.
- Create an error tracking log.
- Integrate with RegRipper to parse out registry settings.
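Three of the items above (INI-driven settings, compress-and-move to a share, and an error tracking log) fit together in one post-collection step. The script below is an added example of how that step could be structured; it is not the Triage tool's own code, and the `[triage]` section name, the key names, the hostnames, the share and log paths, and the sample incident files are all constructed for the demo. It is written in Python so it can be run as-is; the same flow maps directly onto a batch or AutoIt wrapper around the collector.

```python
"""Added example (not the Triage tool's own code): settings from an INI file,
compressing the incident folder and moving it to a network share, and an
error tracking log. All paths, key names and sample files are constructed."""
import configparser
import shutil
import tempfile
import zipfile
from datetime import datetime
from pathlib import Path

# Constructed sample INI. In a deployment this file sits beside the collector
# and is edited by the incident handler; nothing needs recompiling.
SAMPLE_INI = """
[triage]
incident_root = {base}/incident
share = {base}/share
error_log = {base}/triage_errors.log
"""


def load_settings(ini_text):
    """Parse the [triage] section into Path objects (assumed key names)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    sect = cfg["triage"]
    return {key: Path(sect[key]) for key in ("incident_root", "share", "error_log")}


def log_error(error_log, message):
    """Append one timestamped line; the log file is created on the first error."""
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    with open(error_log, "a", encoding="utf-8") as fh:
        fh.write(f"{stamp} ERROR {message}\n")


def compress_incident(incident_dir, hostname, staging_dir):
    """Zip the whole incident tree. The archive name carries host and time so
    repeated snapshots of one machine never overwrite each other on the share."""
    stamp = datetime.now().strftime("%Y%m%d_%H%M%S")
    archive = staging_dir / f"{hostname}_{stamp}.zip"
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(incident_dir.rglob("*")):
            if path.is_file():
                zf.write(path, path.relative_to(incident_dir).as_posix())
    return archive


def move_to_share(archive, share):
    """Move the archive off the host; returns its final location on the share."""
    share.mkdir(parents=True, exist_ok=True)
    dest = share / archive.name
    shutil.move(str(archive), str(dest))
    return dest


def run_collection(settings, hostname):
    """Compress and move. On any failure, record it and return None so the
    handler reading the log can see which host did not report."""
    incident = settings["incident_root"]
    try:
        if not incident.is_dir():
            raise FileNotFoundError(f"incident directory missing: {incident}")
        # Stage the zip next to the incident folder, then move it off the host.
        archive = compress_incident(incident, hostname, incident.parent)
        return move_to_share(archive, settings["share"])
    except (OSError, zipfile.BadZipFile) as exc:
        log_error(settings["error_log"], f"{hostname}: {exc}")
        return None


def demo():
    """Build a constructed incident tree in a temp dir, run one successful
    collection and one that fails, and return what a test can check."""
    base = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    incident = base / "incident"
    (incident / "autoruns").mkdir(parents=True)
    (incident / "autoruns" / "autorunsc.txt").write_text("constructed sample\n")
    (incident / "prefetch").mkdir()
    (incident / "prefetch" / "SAMPLE.EXE-1234ABCD.pf").write_bytes(b"\x00" * 16)

    settings = load_settings(SAMPLE_INI.format(base=base.as_posix()))
    shipped = run_collection(settings, "WKSTN-01")

    # Second run points at a folder that does not exist: nothing ships and
    # exactly one line lands in the error log.
    settings["incident_root"] = base / "missing"
    failed = run_collection(settings, "WKSTN-02")
    log = settings["error_log"]
    entries = []
    if shipped:
        with zipfile.ZipFile(shipped) as zf:
            entries = zf.namelist()
    return {
        "shipped": shipped,
        "entries": entries,
        "failed": failed,
        "error_lines": log.read_text().splitlines() if log.exists() else [],
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the error log as a plain append-only text file means a remote analyst can attach it when a collection comes back empty, and the handler can tell a transport failure apart from a host that simply never ran the collector.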