Post-incident analysis (including malware analysis)
Post-incident analysis – encompassing manual and automated malware analysis – comprises an investigation of the attacker’s actions, identification of the tools and methods used, and detection of rootkits, backdoors, keyloggers and Trojan horses.
Within the scope of a post-incident analysis, the following activities are carried out:
- securing a copy of the virtual machine
- analysis of modifications to logs and configuration files
- analysis of changes to permissions on particular files
- analysis of other data that helps identify the attacker and the time and manner of the attack
- analysis of the potential scope of a data leak
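The two activities concerning modified configuration files and changed file permissions are usually carried out by comparing a known-good baseline against the secured copy of the machine. The following Python script is an added example, not part of the original page or of any particular vendor's toolset: it builds a manifest of file hashes and permission bits for a baseline tree and for the evidence copy, then reports content changes, permission changes (with special attention to a newly gained setuid bit) and files that did not exist in the baseline. The directory layout, file contents and tampering applied to the evidence copy are all constructed inside the script for demonstration.

```python
"""Baseline-vs-evidence file integrity and permission diff (illustrative example)."""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (permission bits, sha256) for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            rel = os.path.relpath(full, root)
            manifest[rel] = (stat.S_IMODE(st.st_mode), sha256_of(full))
    return manifest


def diff_manifests(baseline, current):
    """Return (kind, path, detail) findings describing how current deviates from baseline."""
    findings = []
    for rel, (mode, digest) in sorted(baseline.items()):
        if rel not in current:
            findings.append(("deleted", rel, ""))
            continue
        cur_mode, cur_digest = current[rel]
        if cur_digest != digest:
            findings.append(("modified", rel, ""))
        if cur_mode != mode:
            findings.append(("perm_changed", rel, f"{mode:04o}->{cur_mode:04o}"))
        # A setuid bit that was not present in the baseline deserves its own finding.
        if (cur_mode & stat.S_ISUID) and not (mode & stat.S_ISUID):
            findings.append(("setuid_added", rel, ""))
    for rel in sorted(set(current) - set(baseline)):
        findings.append(("new_file", rel, ""))
    return findings


def demo():
    """Construct a baseline tree and a tampered evidence copy; return the findings."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as evid:
        # Identical starting state in both trees (constructed sample data).
        for root in (base, evid):
            os.makedirs(os.path.join(root, "etc"))
            os.makedirs(os.path.join(root, "usr", "bin"))
            with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
                f.write("PermitRootLogin no\n")
            with open(os.path.join(root, "usr", "bin", "ping"), "w") as f:
                f.write("binary\n")
            os.chmod(os.path.join(root, "usr", "bin", "ping"), 0o755)
        baseline = build_manifest(base)

        # Constructed tampering on the evidence copy only: a config edit,
        # a permission change that adds setuid, and a file absent from the baseline.
        with open(os.path.join(evid, "etc", "sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        os.chmod(os.path.join(evid, "usr", "bin", "ping"), 0o4755)
        with open(os.path.join(evid, "usr", "bin", ".cache"), "w") as f:
            f.write("x")

        return diff_manifests(baseline, build_manifest(evid))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:13} {path} {detail}")
```

In a real engagement the baseline manifest would come from a trusted image or package database and the evidence tree would be the mounted, read-only copy of the secured virtual machine; the diff logic itself does not change.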