Integrating Incident Analysis and Digital Forensics Tooling for Automated Compromise Detection
Due to the increasing number and impact of computer security incidents, it has become essential to develop and implement efficient measures for their investigation. However, comprehensive forensic analyses are time-consuming, and this time is often not available to security analysts during acute computer security incidents. As a result, automated tools are increasingly being used. These tools, however, often cover only a limited scope of the necessary analyses and typically require deep technical expertise to be used effectively. For these reasons, we developed a framework that enables the automated analysis of disk images in the context of security incidents and is capable of identifying whether a system has been compromised. The framework orchestrates multiple established digital forensics and incident analysis tools through a decision-tree-based control logic. This decision tree governs the execution flow of integrated modules, each representing a distinct analytical domain (e.g., file system analysis, artifact extraction, event log inspection). A live demonstration illustrates how analysts interact with the system, which external analysis tools are integrated, and how the framework consolidates results into a structured, analyst-oriented report. The framework was evaluated using both compromised and non-compromised disk images derived from real-world and synthetic computer security incidents. The evaluation assesses detection capabilities, practical benefits for analysts, and current limitations.
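The abstract describes a decision tree that chooses which analysis module runs next based on the previous module's result, and a report that consolidates those results. The following is an added illustration of that control pattern, not code from the framework described in the talk: the module names, the branching rules, the simplified heuristics inside each module and the toy "disk image" dictionaries are all constructed assumptions. In a real deployment each module would wrap an external forensic tool rather than a few lines of Python.

```python
"""Decision-tree-driven orchestration of forensic analysis modules.

Added illustration of the control pattern described in the talk abstract.
Module names, heuristics, the tree itself and the sample images are assumed
and constructed; they are not the framework's own logic.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# A module inspects a parsed image and returns a verdict label; the tree
# branches on that label.  Verdicts are deliberately coarse ("clean" or
# "suspicious") so that the branching rules stay readable.
Module = Callable[[dict], str]


@dataclass
class Node:
    name: str
    module: Module
    branches: Dict[str, str]  # verdict -> next node name or terminal label


# Terminal labels: anything that is not a node name ends the walk.
COMPROMISED = "compromised"
NOT_COMPROMISED = "not_compromised"


def filesystem_module(image: dict) -> str:
    """Constructed heuristic: executables in a user-writable shared directory."""
    hits = [p for p in image["files"]
            if p.lower().startswith("c:/users/public/") and p.lower().endswith(".exe")]
    return "suspicious" if hits else "clean"


def artifact_module(image: dict) -> str:
    """Constructed heuristic: Run-key persistence that points into that directory."""
    hits = [v for v in image["run_keys"].values() if "c:/users/public/" in v.lower()]
    return "suspicious" if hits else "clean"


def eventlog_module(image: dict) -> str:
    """Windows Security event 1102 ('the audit log was cleared') is a
    common anti-forensic indicator; flag the image if it is present."""
    return "suspicious" if 1102 in image["security_events"] else "clean"


# The tree: a cheap file-system pass first; persistence artifacts are only
# examined when that pass found something; event logs are the fallback check.
TREE: Dict[str, Node] = {
    "filesystem": Node("filesystem", filesystem_module,
                       {"suspicious": "artifacts", "clean": "eventlog"}),
    "artifacts": Node("artifacts", artifact_module,
                      {"suspicious": COMPROMISED, "clean": "eventlog"}),
    "eventlog": Node("eventlog", eventlog_module,
                     {"suspicious": COMPROMISED, "clean": NOT_COMPROMISED}),
}


def analyze(image: dict, tree: Dict[str, Node] = TREE, start: str = "filesystem") -> dict:
    """Walk the tree, running one module per node, and consolidate the results."""
    steps: List[dict] = []
    current = start
    # Guard against a mis-built tree that loops forever.
    for _ in range(len(tree) + 1):
        if current not in tree:
            break
        node = tree[current]
        verdict = node.module(image)
        steps.append({"module": node.name, "result": verdict})
        current = node.branches[verdict]
    else:
        raise RuntimeError("decision tree did not terminate")
    return {"image": image["name"], "steps": steps, "verdict": current}


def render_report(report: dict) -> str:
    """Analyst-oriented plain-text summary of one analysis run."""
    lines = [f"Image: {report['image']}", "Modules executed:"]
    for step in report["steps"]:
        lines.append(f"  - {step['module']}: {step['result']}")
    lines.append(f"Verdict: {report['verdict']}")
    return "\n".join(lines)


# Constructed sample images (tiny stand-ins for parsed disk images).
COMPROMISED_IMAGE = {
    "name": "constructed-compromised",
    "files": ["C:/Windows/System32/cmd.exe", "C:/Users/Public/updater.exe"],
    "run_keys": {"HKCU/.../Run/updater": "C:/Users/Public/updater.exe"},
    "security_events": [4624, 4624],
}
LOG_CLEARED_IMAGE = {
    "name": "constructed-log-cleared",
    "files": ["C:/Windows/System32/cmd.exe"],
    "run_keys": {},
    "security_events": [4624, 1102, 4624],
}
CLEAN_IMAGE = {
    "name": "constructed-clean",
    "files": ["C:/Windows/System32/cmd.exe"],
    "run_keys": {"HKLM/.../Run/SecurityHealth": "C:/Windows/System32/SecurityHealthSystray.exe"},
    "security_events": [4624, 4634],
}

if __name__ == "__main__":
    for img in (COMPROMISED_IMAGE, LOG_CLEARED_IMAGE, CLEAN_IMAGE):
        print(render_report(analyze(img)), end="\n\n")
```

The point of the tree is that the execution path itself is part of the evidence: the report records which modules ran and why, so an analyst can see that the "artifacts" module was never consulted for an image whose file-system pass was clean, and can adjust the branching when that turns out to be the wrong trade-off.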
This talk addresses the growing need for efficient incident analysis in response to the increasing number and impact of computer security incidents. While automation is essential to reduce investigation time, existing tools in digital forensics and incident analysis often operate in isolation and lack comprehensive orchestration. We present a modular framework that integrates established forensic and analysis tools using a decision-tree-based control mechanism. The talk includes a live demonstration of the framework, an overview of its architecture, and an explanation of how it detects compromised disk images. Finally, we discuss current limitations and outline future extensions of the framework.