Incident Response Triage Workflow

Tip: KAPE can collect a full forensic triage in under 10 minutes. Velociraptor can collect from multiple endpoints simultaneously if you have agents deployed. GRR enables remote collection at scale. Always collect memory if possible - it contains decrypted data, running malware, and network connections that don't survive a reboot.

Tip: osquery lets you ask 'show me all listening ports' or 'show me all processes started in the last 24 hours' as simple SQL queries. Chainsaw and Hayabusa rapidly scan Windows event logs against Sigma rules. Check for processes running from unusual locations (Temp, AppData, ProgramData).

Tip: Plaso (log2timeline) creates super-timelines from multiple log sources. Chainsaw scans event logs with Sigma rules to surface suspicious activity fast. Focus on authentication events (4624, 4625), process creation (4688), and PowerShell logging (4104) in Windows. Check for log gaps - attackers often clear logs.

Tip: Volatility 3 is the standard for memory forensics - check process lists, network connections, loaded DLLs, and injected code. Autopsy provides a full disk forensics GUI. RegRipper extracts forensic artifacts from Windows registry hives. bulk_extractor carves emails, URLs, and other data from raw images at high speed.

Tip: Detect It Easy identifies packers and compilers instantly. capa detects capabilities (like 'encrypts files' or 'communicates via HTTP') automatically. PE-sieve scans running processes for injected code. oletools analyzes malicious Office documents. Write YARA rules for any unique malware indicators so you can scan other systems.

Tip: Velociraptor and osquery can sweep entire endpoint fleets for IOCs. Wazuh correlates events across your monitoring infrastructure. Deploy YARA rules across endpoints to find malware variants. Don't just contain the systems you've confirmed - contain anything that might be compromised based on lateral movement paths.