PFCLForensics is a powerful tool that supports a breach response process and team: it performs a live response on one or many databases, servers and files, and then allows forensic analysis, investigation and report writing to answer the basic questions:
- Was there an actual breach?
- How did the attacker get in?
- What rights did the attacker have?
- What data did the attacker see?
- What did the attacker change?
- What could the attacker have done with more skill?
These are the main features of PFCLForensics:
- Project based: multiple investigations, or practice responses, can be undertaken as separate projects
- Checksums: all of the data extracted from a database, server or file is checksummed at capture time, so that it can later be shown that the data has not changed since it was captured
- Sources: Load data from databases, servers and adhoc files
- File load: pre-defined file types can be loaded, and you can also define your own file types
- Time Sync: each source (database, server or file) may keep a clock that differs slightly from a single reference wall clock. Time offsets can be added per source so that all data is synchronised to the same time line
- Logs and trace: logging and trace can be enabled to record actions made in the tool, providing an audit trail of the investigation
- List data sources: all data sources gathered for all systems in a project are visible in one list, so that individual items of data can be viewed in detail
- Timeline: Build a time line of only relevant evidence
- Supporting data: other important data that is relevant but is not itself evidence of an attack can be saved to a supporting time line
- Drillable graph: the timeline is represented as a grid and also as a drillable graph, to home in on clusters of evidence
- Overall Timeline: view all captured events as one complete timeline, so that the whole expanse of the attack can be seen at once
- Filtering: create simple or complex filters over the data in the source grids to target the evidence needed. The timeline and supporting data can also be filtered, both for detailed views of evidence and for reporting; the filtering is reflected in the graphs as well
- Sorting: Sort any columns of data in the source data or timeline or supporting evidence grids
- Report: a fully functional word processor is built in, allowing the responder to write a detailed report of the attack and to include any data held in the tool as screen shots or raw data
- Copy Data: Copy any data from grids to the report or external to the tool with a simple right click
- Screen shots: take screen shots of the data or graphs in the tool for use in the report
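Two of the features above, per-source checksums and per-source time offsets, are the ones most often done badly by hand during a response, so the following Python script is added here as a worked illustration. It is an example written for this page, not code from PFCLForensics or from PeteFinnigan.com. It assumes a simple in-memory record format (a source name, an offset in seconds, and a list of `(timestamp, line)` pairs), uses constructed sample evidence from three sources whose clocks disagree, and takes the offset convention "reference time = recorded time + offset". The hash is taken over the raw captured records in captured order; the resulting manifest must be stored separately from the evidence, otherwise a later verification proves nothing.

```python
"""Evidence integrity and clock normalisation across several sources.

Added example (not PFCLForensics code). Sample data below is constructed.
"""
import hashlib
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample evidence. offset_s is the number of seconds to ADD to
# a source's recorded timestamp to place it on the reference wall clock.
#   db01       clock is 5 minutes slow            -> +300
#   web01      clock matches the reference        ->    0
#   export.csv written in a zone one hour ahead   -> -3600
SOURCES = {
    "db01": {"offset_s": 300, "records": [
        ("2024-03-01 09:56:25", "LOGON by SCOTT from 10.0.0.7"),
        ("2024-03-01 09:57:00", "GRANT DBA TO SCOTT"),
    ]},
    "web01": {"offset_s": 0, "records": [
        ("2024-03-01 10:01:15", "POST /login 200 user=scott"),
    ]},
    "export.csv": {"offset_s": -3600, "records": [
        ("2024-03-01 11:02:30", "SELECT * FROM credit_cards"),
    ]},
}


def checksum_records(records):
    """SHA-256 over the raw records, in captured order, one record per line."""
    h = hashlib.sha256()
    for ts, line in records:
        h.update(f"{ts}\t{line}\n".encode("utf-8"))
    return h.hexdigest()


def build_manifest(sources):
    """Checksum every source at capture time. Keep the result out of band."""
    return {name: checksum_records(src["records"]) for name, src in sources.items()}


def verify_manifest(manifest, sources):
    """Names of sources whose current content no longer matches the manifest."""
    return sorted(name for name, src in sources.items()
                  if checksum_records(src["records"]) != manifest[name])


def to_reference_time(ts, offset_s):
    """Move a recorded timestamp onto the reference clock (treated as UTC)."""
    recorded = datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)
    return recorded + timedelta(seconds=offset_s)


def build_timeline(sources):
    """One merged timeline: (reference time, source, recorded time, line)."""
    events = []
    for name, src in sources.items():
        for ts, line in src["records"]:
            events.append((to_reference_time(ts, src["offset_s"]), name, ts, line))
    events.sort(key=lambda e: e[0])
    return events


def filter_timeline(events, needle):
    """Simple case-insensitive substring filter over the event text."""
    needle = needle.lower()
    return [e for e in events if needle in e[3].lower()]


if __name__ == "__main__":
    manifest = build_manifest(SOURCES)
    for ref, name, ts, line in build_timeline(SOURCES):
        print(f"{ref:%Y-%m-%d %H:%M:%S}Z  {name:<10} (recorded {ts})  {line}")

    # Simulate someone editing the captured evidence after the manifest was taken.
    tampered = {n: {"offset_s": s["offset_s"], "records": list(s["records"])}
                for n, s in SOURCES.items()}
    tampered["db01"]["records"][1] = ("2024-03-01 09:57:00", "GRANT CONNECT TO SCOTT")
    print("sources that changed since capture:", verify_manifest(manifest, tampered))
```

Note that the raw timestamps would place the db01 logon before the web login, while the normalised timeline puts the web login first; that reordering is exactly why a per-source offset is recorded rather than sorting on the timestamps as captured. Recording the offsets and the manifest in the project log gives the audit trail a reviewer will ask for.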
PFCLForensics, like all of our other products, is built on top of the core functionality and reporting in PFCLScan. This is a deliberate decision that lets us build on a stable code base and use consistent features and functionality across products. It also means that you can buy a license for PFCLForensics as an add-on to PFCLScan, or purchase a standalone product license for PFCLForensics.