Dissect: Open-source framework for collecting, analyzing forensic data

A game changer in cyber incident response, the Dissect framework enables data acquisition on thousands of systems within hours, regardless of the nature and size of the IT environment to be investigated after an attack.

Dissect framework

Dissect framework development

Fox-IT developed and has used Dissect over the past 10 years as a critical framework in incident response investigations for customers. Now it is available on GitHub to the security community as open source software to help advance and accelerate forensic data collection and analysis.

“We developed Dissect because we dealt with increasingly complex IT environments and it has greatly enhanced our incident response capabilities. We are now sharing Dissect as open source software with the security community, particularly incident responders from fellow security companies and security teams from larger companies,” said Erik Schamper, Senior Security Analyst at Fox-IT.

Tailored for incident responders

Incident response increasingly involves large, complex, and hybrid IT infrastructures that must be carefully examined for so-called Indicators of Compromise (IOCs). At the same time, victims of an attack need to find out as quickly as possible what exactly happened and what actions should be taken in response.

With Dissect, incident responders can collect and prepare large amounts of data for analysis much faster. This leads to quicker insights into which parts of infrastructure have been compromised. In turn, it supports better and more specific decision-making about isolating environments, decisions that usually lead to substantial business impact.

The time savings obviously depend on the IT environment in which data must be collected, but Fox-IT’s experience in some cases is that data acquisition that previously took two weeks with Dissect now only takes an hour.

Staying under the radar

The Dissect framework operates in an extra stealth fashion, meaning the framework can do its work while remaining undetected by an attacker. This is especially important for in-depth investigations of, for example, state actors who themselves like to stay under the radar.

An example is that Dissect does this by bypassing operating system functionality potentially in control of an adversary. Another example is undetected data collection by collecting data directly from the hypervisor (the virtualisation layer), allowing system analysis without the attacker noticing. Fox-IT uses this this functionality regularly while investigating sophisticated state actors.

Don't miss