US-12619730-B1 - System and method for cybersecurity forensic analysis based on deleted data

Abstract

A system and method for forensic analysis of block level storage devices for detecting cybersecurity attacks is presented. The method includes accessing a disk in a computing environment, the disk including deleted data; recovering at least a file from the deleted data; initiating a forensic analysis on the at least a file to detect a forensic artifact, wherein the forensic artifact indicates a cybersecurity attack; detecting the forensic artifact on the at least a file; and initiating a remediation action on a virtualization associated with the disk based on the detected forensic artifact.

Inventors

  • Nir Ohfeld
  • Shir Tamari

Assignees

  • Wiz, Inc.

Dates

Publication Date: 2026-05-05
Application Date: 2025-06-24

Claims (19)

  1. A method for forensic analysis of block level storage devices for detecting cybersecurity attacks, comprising: accessing a disk in a computing environment, the disk including deleted data; recovering at least a file from the deleted data; initiating a forensic analysis on the at least a file to detect a forensic artifact, wherein the forensic artifact indicates a cybersecurity attack; detecting the forensic artifact on the at least a file; and initiating a remediation action on a virtualization associated with the disk based on the detected forensic artifact.
  2. The method of claim 1, further comprising: generating an inspectable disk based on the disk; and recovering the at least a file from the inspectable disk.
  3. The method of claim 2, further comprising: attaching the inspectable disk to a forensic analyzer, wherein the forensic analyzer includes a software tool for forensic analysis.
  4. The method of claim 1, further comprising: detecting a pattern in a block level storage of the disk; determining that a file is stored on a block of the disk based on the detected pattern; determining that the block is unallocated; and determining that the block includes the deleted data based on detecting that the block is unallocated.
  5. The method of claim 1, further comprising: initiating the forensic analysis to detect an indicator of compromise.
  6. The method of claim 5, wherein the indicator of compromise indicates any one of: unauthorized access, data exfiltration, a malware artifact, an altered file, a privilege escalation, or any combination thereof.
  7. The method of claim 1, further comprising: detecting a cybersecurity object on the disk; detecting a cybersecurity risk based on the cybersecurity object and the forensic artifact; and initiating the remediation action based on a combination of the cybersecurity object and the forensic artifact.
  8. The method of claim 7, further comprising: initiating the remediation action to include a plurality of actions, wherein a first action is directed to the cybersecurity object and a second action is directed to the forensic artifact.
  9. The method of claim 1, further comprising: initiating inspection of a first resource in the computing environment based on detecting the forensic artifact, wherein the disk is associated with a second resource, and wherein the second resource is configured to access the first resource.
  10. A non-transitory computer-readable medium storing a set of instructions for forensic analysis of block level storage devices for detecting cybersecurity attacks, the set of instructions comprising: one or more instructions that, when executed by one or more processing circuitries of a device, cause the device to: access a disk in a computing environment, the disk including deleted data; recover at least a file from the deleted data; initiate a forensic analysis on the at least a file to detect a forensic artifact, wherein the forensic artifact indicates a cybersecurity attack; detect the forensic artifact on the at least a file; and initiate a remediation action on a virtualization associated with the disk based on the detected forensic artifact.
  11. A system for forensic analysis of block level storage devices for detecting cybersecurity attacks comprising: a processing circuitry; a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: access a disk in a computing environment, the disk including deleted data; recover at least a file from the deleted data; initiate a forensic analysis on the at least a file to detect a forensic artifact, wherein the forensic artifact indicates a cybersecurity attack; detect the forensic artifact on the at least a file; and initiate a remediation action on a virtualization associated with the disk based on the detected forensic artifact.
  12. The system of claim 11, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: generate an inspectable disk based on the disk; and recover the at least a file from the inspectable disk.
  13. The system of claim 12, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: attach the inspectable disk to a forensic analyzer, wherein the forensic analyzer includes a software tool for forensic analysis.
  14. The system of claim 11, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect a pattern in a block level storage of the disk; determine that a file is stored on a block of the disk based on the detected pattern; determine that the block is unallocated; and determine that the block includes the deleted data based on detecting that the block is unallocated.
  15. The system of claim 11, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: initiate the forensic analysis to detect an indicator of compromise.
  16. The system of claim 15, wherein the indicator of compromise indicates any one of: unauthorized access, data exfiltration, a malware artifact, an altered file, a privilege escalation, or any combination thereof.
  17. The system of claim 11, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect a cybersecurity object on the disk; detect a cybersecurity risk based on the cybersecurity object and the forensic artifact; and initiate the remediation action based on a combination of the cybersecurity object and the forensic artifact.
  18. The system of claim 17, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: initiate the remediation action to include a plurality of actions, wherein a first action is directed to the cybersecurity object and a second action is directed to the forensic artifact.
  19. The system of claim 11, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: initiate inspection of a first resource in the computing environment based on detecting the forensic artifact, wherein the disk is associated with a second resource, and wherein the second resource is configured to access the first resource.
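Claim 4's block-level recovery (signature pattern found in an unallocated block) followed by the artifact detection of claims 5 and 6, worked as an added Python example that is not the patent's or Wiz's own code; the block size, the file signatures, the allocation-bitmap layout, the single IoC rule and the 8-block sample image are all constructed assumptions.

```python
"""Added example, not the patent's code: carve deleted files from the unallocated blocks of a
raw block image, then scan them for a forensic artifact. Signatures, rule and data are constructed."""
import re

BLOCK_SIZE = 512
# Constructed file signatures: the "pattern" of claim 4 is magic bytes at a block start.
SIGNATURES = {b"\x7fELF": "elf", b"#!/bin/sh": "shell-script"}
# Constructed IoC rule (claim 6, "altered file"): a recovered script that removes or
# truncates logs or shell history is an anti-forensic artifact worth flagging.
IOC_RULES = [("altered-file", re.compile(rb"(rm|shred|truncate)[^\n]*(/var/log/|\.bash_history)"))]


def unallocated_blocks(bitmap: bytes, n_blocks: int) -> set[int]:
    """A set bit means the block is in use; clear bits are free, i.e. candidate deleted data."""
    return {i for i in range(n_blocks) if not (bitmap[i // 8] >> (i % 8)) & 1}

def carve_deleted(image: bytes, bitmap: bytes) -> list[dict]:
    """Return files whose signature sits in an unallocated block, carving the run of free
    blocks that follows until an allocated, zero-filled or new-signature block is hit."""
    n_blocks = len(image) // BLOCK_SIZE
    free = unallocated_blocks(bitmap, n_blocks)
    recovered = []
    for i in range(n_blocks):
        head = image[i * BLOCK_SIZE:i * BLOCK_SIZE + 16]
        kind = next((k for sig, k in SIGNATURES.items() if head.startswith(sig)), None)
        if kind is None or i not in free:
            continue  # no file start here, or a live (allocated) file rather than deleted data
        data, j = bytearray(), i
        while j in free:
            blk = image[j * BLOCK_SIZE:(j + 1) * BLOCK_SIZE]
            if j > i and (blk == bytes(BLOCK_SIZE) or any(blk.startswith(s) for s in SIGNATURES)):
                break  # end of this file's data run
            data += blk
            j += 1
        recovered.append({"block": i, "type": kind, "data": bytes(data).rstrip(b"\0")})
    return recovered

def find_artifacts(recovered: list[dict]) -> list[tuple[int, str]]:
    """Claims 5-6: run every IoC rule over each recovered file."""
    return [(f["block"], name) for f in recovered for name, rule in IOC_RULES if rule.search(f["data"])]

def build_sample_image() -> tuple[bytes, bytes]:
    """Constructed 8-block image: block 1 is a live script; blocks 3-4 hold a script whose
    inode was freed (bitmap bits clear) but whose data blocks were never overwritten."""
    blocks = [bytearray(BLOCK_SIZE) for _ in range(8)]
    live = b"#!/bin/sh\necho nightly backup done\n"
    deleted = b"#!/bin/sh\n" + b"# cleanup\n" * 60 + b"rm -f /var/log/auth.log ~/.bash_history\n"
    blocks[1][:len(live)] = live
    blocks[3][:] = deleted[:BLOCK_SIZE]
    blocks[4][:len(deleted) - BLOCK_SIZE] = deleted[BLOCK_SIZE:]
    return b"".join(blocks), bytes([0b00000011])  # only blocks 0 and 1 are allocated
```

The live script in block 1 carries the same signature but is skipped because its block is allocated; only the freed script is recovered and flagged, which is the allocation check claim 4 relies on.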

Description

TECHNICAL FIELD

The present disclosure relates generally to forensic analysis, and specifically to performing forensic analysis on deleted data of a disk.

BACKGROUND

An attacker who gains access to a compromised machine in a computing environment may attempt to delete evidence to avoid detection and delay incident response. The attacker may clear command histories, delete log entries, modify log files to remove records of their activity, and the like. An attacker might target files, such as authentication logs or shell histories, by directly editing/overwriting them to erase traces of unauthorized access.

Attackers delete files during or after a compromise primarily to conceal their presence, hinder forensic investigation, and prolong access to the system. Once inside a system, an attacker typically performs various activities, including scanning for vulnerabilities, escalating privileges, exfiltrating data, installing malware, and the like. Each of these actions can leave behind digital footprints in system logs, temporary files, shell histories, and audit trails. If these traces remain intact, security analysts or automated monitoring systems might detect the intrusion quickly, respond, and block the attacker's access.

By deliberately deleting or altering these files, attackers aim to erase the evidence of how they entered, what they did, and what tools or payloads they used. This makes it significantly more difficult for incident responders to determine the scope and impact of the breach. If the attack is discovered later, a lack of preserved evidence limits forensic teams' ability to understand the threat actor's tactics, techniques, and procedures (TTPs), thereby weakening the organization's future defenses. In targeted or espionage-motivated attacks, file deletion also helps protect the attacker's identity and intent.

It would therefore be advantageous to provide a solution that would overcome the challenges noted above.
SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

A system of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.

In one general aspect, the method may include accessing a disk in a computing environment, the disk including deleted data. The method may also include recovering at least a file from the deleted data. The method may furthermore include initiating a forensic analysis on the at least a file to detect a forensic artifact, where the forensic artifact indicates a cybersecurity attack. The method may in addition include detecting the forensic artifact on the at least a file. The method may moreover include initiating a remediation action on a virtualization associated with the disk based on the detected forensic artifact.
Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods. Implementations may include one or more of the following features. The method may include: generating an inspectable disk based on the disk; and recovering the at least a file from the inspectable disk. The method may include: attaching the inspectable disk to a forensic analyzer, where the forensic analyzer includes a software tool for forensic analysis. The method may include: detecting a pattern in a block level storage of the disk; determining that a file is stored on a block of the disk based on the detected pattern; determining that the block is unallocated; and determining that the block includes the deleted data based on detecting that the block is unallocated. The method may include: initiating the forensic analysis to detect an indicator of compromise. The method where the indicator of compromise indicates any one of: unauthorized access, data exfiltration, a malware artifact, an altered file, a privilege escala