File Operations Information Collecting Software Package Used in the Information Security Incidents Investigation

Abstract

The article describes file operations information collecting software package, that can be implemented in information system structure during information security incidents investigation. The package allows to collect and systematize accomplished file operations on all nodes of the information system structure, using the information obtained from the volume changes log – $UsnJrnl. This log possesses almost comprehensive information about files and actions that performed in relation to them. In addition, this log has several advantages compared to other logs: completeness, reliability and file identification information extraction speed. Software package also works as storage with file operations information backup availability that helps to speed up and simplify the process of information security incidents investigation. Stored information can be processed by SIEM system. It is necessary to say that SIEM system should be able to expand its functionality using e.g. scripts. Main goals of software package and SIEM system interaction are constructing a time line of information security events to accelerate the elimination of the incident consequences, and provide recommendations for applied information protection measures improving.