Investigating Cloud Compromise with Darktrace
Cloud compromise is a growing concern for organizations, with attackers increasingly targeting cloud infrastructure. Investigating these attacks can be complex and time-consuming, but with the right tools, it can be done quickly and effectively.
Introduction to Forensic Acquisition & Investigation
Darktrace’s Forensic Acquisition & Investigation is a cloud-native solution that automates forensic analysis, enabling rapid investigation of compromised servers. This solution is purpose-built for the cloud and can import artifacts from various sources, including EC2 instances, ECS, and S3 buckets.
For example, the Cloudypots system, a global honeypot network, produces a raw disk image whenever an attack is detected and stores it in an S3 bucket. This image can be directly imported into Forensic Acquisition & Investigation using the S3 bucket import option.
Key Features of Forensic Acquisition & Investigation
Some key features of Forensic Acquisition & Investigation include:
- Automated forensic analysis of disk images
- Timeline view of system events, including parsed log files and file-specific events
- Support for importing artifacts from various sources, including EC2 instances, ECS, and S3 buckets
Additionally, Forensic Acquisition & Investigation supports cloud-native analysis, which condenses hours of manual work into just minutes. This solution also provides a chronological record of every event that occurred on the system, derived from multiple sources.
Benefits of Using Forensic Acquisition & Investigation
The benefits of using Forensic Acquisition & Investigation include:
- Rapid investigation of compromised servers
- Automated forensic analysis of disk images
- Timeline view of system events
- Support for importing artifacts from various sources
By leveraging Forensic Acquisition & Investigation, organizations can quickly and effectively investigate cloud compromise, reducing the time and complexity associated with these investigations.








