CrowdStrike Falcon Forensics
Streamlining triage data collection and analysis
Falcon Forensics For Incident Responders
CrowdStrike's Falcon® Forensics streamlines the collection of point-in-time and historic forensic data for robust analysis of cybersecurity incidents and periodic compromise assessments.
Triage Large-scale Investigations Quickly In A Single Solution
Falcon Forensics is CrowdStrike’s powerful forensic data collection solution. It allows threat hunters and responders to speed up investigations and conduct periodic compromise assessments, threat hunting and monitoring.
With CrowdStrike® Falcon Forensics, responders can streamline the collection of point-in-time and historic forensic triage data for robust analysis of cybersecurity incidents. Responders gain the ability to research and investigate incidents faster and with greater precision. Falcon Forensics uses a dissolvable executable and the CrowdStrike cloud, which leaves a minimal trace on endpoints. Streamlined management via the Falcon Forensics console and dashboards makes triage fast and easy.
Key Benefits of Choosing Falcon Forensics
The single solution for collecting and analyzing detailed forensic data
SIMPLIFY FORENSIC DATA COLLECTION AND ANALYSIS
Falcon Forensics offers comprehensive data collection while performing triage analysis during an investigation. Forensic security often entails lengthy searches with numerous tools. Simplify your collection and analysis to one solution to speed triage.
SPEED RESPONSE TIME AND HOME IN ON ATTACKER ACTIVITY
Falcon Forensics automates data collection and provides detailed information around an incident. Responders can tap into full threat context without lengthy queries or full disk image collections.
ACCELERATE TRIAGE ANALYSIS WITH PRESET DASHBOARDS
With Falcon Forensics, incident responders can respond to investigations faster and conduct compromise assessments alongside threat hunting and monitoring. Pre-built dashboards, easy search, and data-viewing capabilities let analysts quickly search vast amounts of data, including historical artifacts.
Extended Visibility with Preset Dashboards
- Gives incident responders a single solution to analyze large quantities of data, both historical and real-time, to uncover the information needed to triage an incident.
- Identify attacker activity quickly with several preset dashboards to serve up specific information around an incident.
- See trends for the past 24 hours with the Deployment Status Dashboard.
- Examine a high-level view of telemetry within a single system with the Host Info Dashboard.
- Use the Quick Wins Dashboard to quickly identify potential misconfigurations and hacker activity with preset panel groupings.
- Gather and analyze multiple artifacts for a single system and timeframe in the Host Timeline Dashboard. Use this dashboard to get a visual representation of artifacts for a specific timeline of events.
Augment Expertise with Full Threat Context
- Automate data collection and eliminate lengthy queries with a convenient console to view relevant artifacts pertaining to your research.
- Track attacker activity by analyzing the Master File Table (MFT), shim cache, shellbags, and other artifacts within your organization.
- Utilize query capabilities within preset dashboards to zero in on specific attacker activity.
- Uncover attacker activity that may have occurred before Falcon EDR monitoring.
Eliminate Complex Processes
- Manage large scale deployments with ease. Deploy Falcon Forensics at any scale, from tens to hundreds of thousands of endpoints.
- Leverage the CrowdStrike Cloud for processing.
- Utilize CrowdStrike Real Time Response for fast deployment.
Robust Artifact Collection Types
Falcon Forensics collects a comprehensive set of artifact types to support incident response teams' investigations. Data types include:
- Directory and file metadata
- File hashes
- Network data
- Detailed process listings
- Services and drivers enumeration
- Environment variables
- Scheduled tasks
- Users and groups information
- Event log information
- Registry information
- Process execution artifacts
- Common persistence mechanisms
Key Capabilities
Falcon Forensics is a robust solution that simplifies forensic data analysis by eliminating the need for multiple tools or data ingestion methods. Analysts can quickly gather and analyze large quantities of historical data to triage incidents and accelerate compromise assessments.
Improve Efficacy and Time-To-Respond
Zero in on attacker activity with preset dashboards. Live and historical deep-level triage data served up in preset dashboards eliminates lengthy research time when responding to incidents, speeding analysis and triage. Responders can target attacker activity with convenient filters, queries and dashboards to quickly gain essential insights. Dashboard capabilities include:
- Deployment status: Gain visibility over collections and trends for the past 24 hours across your enterprise.
- High-level telemetry view of a single system: See contextual information about an attacker's activity beyond what a single query returns, with histograms of activity within a given timeframe.
- Quick Wins displaying high signal-to-noise ratios: Quickly identify potential misconfigurations and hacker activity with preset panel groupings. Customize the dashboard by selecting groupings relevant to your analysis.
- Timeline format for a single system: Gather and analyze multiple artifacts for a single system and timeframe. Use this host timeline dashboard to get a visual representation of artifacts for a specific timeline of events.
Reduce Workflow Complexity
Harness the power of CrowdStrike Real Time Response and Falcon Forensics, which together support simple, large-scale deployment. Easy to deploy, Falcon Forensics can get you up and running in minimal time, from a single workstation to tens of thousands of endpoints.
- Operate with a single solution and eliminate time-consuming efforts to collect and consolidate forensics data.
- Deploy Falcon Forensics via CrowdStrike's Real Time Response for quick and easy deployment.
- Leverage the cloud for data processing, freeing up systems to continue business-critical functions.
- Gather collected data from tens to hundreds of thousands of endpoints with large-scale deployment capability.
- Avoid ongoing maintenance and management. The Falcon Forensics dissolvable agent performs the collection of artifacts and then removes itself from the system, leaving minimal trace. It does not persistently remain as yet another agent to maintain and manage on systems.
Simplify Data Collection And Research
Falcon Forensics provides the ability to automate data collection while also providing a convenient console that gives responders detailed information about an incident.
- Tap into full threat context without lengthy queries or full disk image collections.
- Uncover attacker activity that may have occurred before Falcon endpoint detection and response (EDR) monitoring.
- Take advantage of advanced query capabilities for in-depth research. In addition to preset and packaged dashboards, Falcon Forensics makes the raw event data available so responders can customize their queries.
- Track attacker activity by analyzing the Master File Table (MFT), shim cache, shellbags and other artifacts within your organization.
- Gain critical contextual data on threats and specific threat actors by combining historical forensics data with CrowdStrike's advanced threat intelligence, giving a holistic picture of the specific attack methods and techniques an attacker might use.
Documentation:
Download the CrowdStrike Falcon Forensics Datasheet (.PDF)