Across the board, businesses strive to establish repeatable processes so that they can replicate past successes and avoid repetitive tasks that eat up valuable time and effort. With the volume of incidents and time constraints on DFIR teams, identifying these opportunities and efficiencies is essential to managing an ever-growing caseload.
To provide a standardized and repeatable approach to remote collections, we have added the ability to create targeted location profiles. Targeted location profiles allow you to define multiple locations on an endpoint, including folders, browser activity and system files that will be consistently collected every time the profile is used.
The Benefit of Targeted Location Profiles
Standardizing collections with targeted location profiles provides several benefits:
- Repetitive work is reduced by removing the need to rebuild the same collection criteria for every investigation.
- A consistent approach to cases is provided, maintaining standard collections and best practices for investigations.
- Guidelines and structure for the collection requirements of each case type are given, which can help train new or less experienced team members.
- Omissions in collected data sets are mitigated, ensuring that key file locations aren't excluded when a collection opportunity presents itself.
How to Use Targeted Location Profiles
Unique target location profiles can be created for all your case types, providing a consistent and repeatable process for every type of collection. These profiles can be used for a number of applications in corporate investigations, with two potential workflows being:
Incident Response – Customized Playbooks Help to Ensure a Consistent Approach to Investigations
Using targeted profiles in incident response investigations, custom triage profiles can be built around the paths specific to the software running on your systems. These triage profiles can also include the recently introduced volatile artifacts to capture live system processes, which are often required to identify malware.
To further leverage the IR capabilities of AXIOM Cyber, the collected data can then be run against YARA rules to identify known instances of malware. Malicious files can be further examined using the VirusTotal integration in AXIOM Cyber, providing insights into the history and behavior of a threat to inform response and mitigation plans.
eDiscovery – Standardize Collections for the Data Sources Required for Each Custodian Profile
For eDiscovery investigations, profiles can be created for a series of custodian types to standardize common collections and manage the volume of information collected for a case. Targeted profiles ensure that the same collection criteria have been applied to all endpoints to gather the same data for each custodian in a case.
Combined with the new parsing-only feature in AXIOM Cyber, collections targeting electronically stored information (ESI) can be initiated quickly and completed in a fraction of the time of fully parsed and carved collections.
To further streamline your collections, targeted location profiles can be combined with queued collections, which allows AXIOM Cyber to automatically work through the same targeted collection for up to 15 endpoints.
With time constantly in short supply, targeted location profiles will be a great asset for capturing the data required for your investigations and reducing the time spent configuring the same type of collection each time.
Get Magnet AXIOM Cyber Today
Explore the benefits of targeted location profiles for yourself by requesting a free trial of AXIOM Cyber today!