Exploratory Analysis of File System Metadata for Rapid Investigation of Security Incidents
Michal Beran, Frantisek Hrdina, Daniel Kouril, Radek Oslejsek, and Kristina Zakopcanova

TL;DR
This paper presents a user-centered analytical tool that streamlines the investigation of cybersecurity incidents by enabling efficient analysis of disk snapshots, reducing manual effort and expert knowledge requirements.
Contribution
The paper introduces a novel tool for rapid analysis of file system metadata, improving efficiency and accessibility in security incident investigations.
Findings
The tool reduces investigation time significantly.
Validated with members of several security teams, who showed improved analysis efficiency.
Supports rapid identification of security incidents.
Abstract
Investigating cybersecurity incidents requires in-depth knowledge from the analyst. Moreover, the whole process is demanding due to the vast data volumes that need to be analyzed. While various techniques exist nowadays to help with particular tasks of the analysis, the process as a whole still requires a lot of manual activities and expert skills. We propose an approach that allows the analysis of disk snapshots more efficiently and with lower demands on expert knowledge. Following a user-centered design methodology, we implemented an analytical tool to guide analysts during security incident investigations. The viability of the solution was validated by an evaluation conducted with members of different security teams.
