A majority of today's advanced attacks leave no digital traces on a computer's hard drive. They are called file-less attacks. The malicious code still has to reside in and execute from the computer's internal memory (RAM), however. An incident investigator who focuses only on hard drives and log files will therefore miss important information.
When an intrusion is suspected on a computer, it is important to act quickly. To get the best possible investigation data, the moment must be "frozen" so that volatile data stays intact. It is also important to be able to stop an ongoing intrusion quickly. Many people have probably experienced that it can take some time to get technical help when a computer acts strangely. Getting help is especially difficult when working remotely, because the computer must stay connected to the Internet for an IT technician to be able to connect, troubleshoot and manually acquire evidence. However, a computer's internal memory changes rapidly, and digital traces can disappear very quickly. In addition, it is not advisable to give an attacker more time to read classified information or to start attacking other assets connected to the same computer network.
Using INCI, a non-privileged user can stop an ongoing attack and start securing evidence from the internal memory. The acquisition starts automatically after a double-click on a desktop icon or after pressing a keyboard shortcut. During incidents where the attacker remotely controls the mouse pointer, it is important to have an alternative to mouse clicks.
A business license costs EUR 790 ex. VAT per year and can be installed on any number of computers within the organization. Only one business license is required per corporate registration number, i.e., a subsidiary needs a business license of its own.
Please contact us if you have any questions and/or want a 20-minute demo of the product.