Номер журнала: 2020.4
Заголовок статьи: A method for rapid analysis of events related to impacts on files designed to investigate information security incidents
The article offers a method for rapid analysis of information security events based on the representation of an incident as a set of events consisting of impacts on files. The method involves using a database of identified impact templates, where initial data is the NTFS volume change log entries - $UsnJrnl. An algorithm for searching and classifying impacts on the files using templates is considered. The proposed method of rapid analysis allows you to determine the order of events within the framework of the incident under investiga-tion, reducing the number of analyzed data arrays to one - $UsnJrnl log.
N. A. Gaidamakin, R. V. Gibilinda, N. I. Sinadsky
information security incident investigation, information security event, file impact, file impact pattern
Скачать полный текст