From Hours to Minutes: Automating Incident Response Triage with Open-Source Tools

Traditional forensic acquisitions create bottlenecks in incident response: they require specialized expertise and significant time, which delays investigations. This presentation introduces an automated forensic triage workflow built from open-source tools to accelerate response operations. The workflow uses a Velociraptor offline collector to acquire forensic triage images, which are automatically uploaded to cloud storage. The upload triggers an OpenRelik workflow that processes the triage data with tools such as Hayabusa and Plaso/log2timeline, with AI-powered analysis and summarization. The processed output is uploaded to Timesketch for collaborative analysis. Several DFIR datasets will be used to demonstrate the automation pipeline from initial collection to timeline analysis. The workflow reduces time-to-analysis from hours to minutes while maintaining forensic integrity. Attendees will learn how to implement automated triage workflows and integrate multiple open-source tools into investigation pipelines. The session targets incident responders, digital forensics practitioners and anyone in the security community looking to streamline forensic operations.
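The abstract states that the automation keeps forensic integrity while a collector archive moves from the endpoint, through cloud storage, into OpenRelik processing. The script below is an added example, not code from the talk, Velociraptor, OpenRelik or Timesketch: it models the integrity gate a pipeline trigger should run before any processing starts. Hashes of every archive member are recorded at acquisition time, recomputed after transfer, compared, and the verdict is written as a chain-of-custody entry. The archive contents, member names, bucket path and actor name are all constructed for the example; the step that would launch Hayabusa or Plaso is deliberately left out, since it depends on the deployment.

```python
"""Integrity gate for an automated triage pipeline (added example).

Models the step between "collector archive lands in storage" and
"processing starts": recompute the hash of every member of the uploaded
archive, compare with the manifest written at acquisition time, and record
the verdict in a chain-of-custody log. All sample data is constructed.
"""
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_collection(files: dict) -> tuple:
    """Constructed stand-in for a collector archive: a zip of the given
    members plus a manifest (member name -> SHA-256) computed before upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    manifest = {name: sha256(data) for name, data in files.items()}
    return buf.getvalue(), manifest


def verify_collection(archive: bytes, manifest: dict) -> dict:
    """Recompute every member hash after transfer and compare with the manifest.
    'ok' is True only if every expected member is present and unchanged and
    no member was added that the manifest does not list."""
    mismatched, missing = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = {info.filename: zf.read(info) for info in zf.infolist()}
    for name, expected in manifest.items():
        if name not in members:
            missing.append(name)
        elif sha256(members[name]) != expected:
            mismatched.append(name)
    unexpected = sorted(set(members) - set(manifest))
    return {
        "archive_sha256": sha256(archive),
        "members_checked": len(manifest),
        "mismatched": mismatched,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (mismatched or missing or unexpected),
    }


def custody_entry(report: dict, source: str, actor: str) -> dict:
    """One chain-of-custody record for the pipeline log."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "actor": actor,
        "archive_sha256": report["archive_sha256"],
        "verdict": "verified" if report["ok"] else "rejected",
        "detail": {k: report[k] for k in ("mismatched", "missing", "unexpected")},
    }


def tamper(archive: bytes, member: str, new_data: bytes) -> bytes:
    """Constructed helper: rebuild the archive with one member replaced,
    simulating modification in transit or at rest."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = {info.filename: zf.read(info) for info in zf.infolist()}
    members[member] = new_data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample collection; the member names only mimic a Windows triage.
SAMPLE_FILES = {
    "C/Windows/System32/winevt/Logs/Security.evtx": b"constructed evtx bytes",
    "C/Windows/System32/config/SYSTEM": b"constructed hive bytes",
    "collection_context.json": b'{"host": "WS-01", "tool": "offline-collector"}',
}

if __name__ == "__main__":
    archive, manifest = build_collection(SAMPLE_FILES)
    cases = (("intact", archive),
             ("tampered", tamper(archive, "collection_context.json", b"{}")))
    for label, blob in cases:
        report = verify_collection(blob, manifest)
        entry = custody_entry(report, "s3://example-bucket/ws-01.zip", "pipeline-trigger")
        print(label, json.dumps(entry, indent=2))
```

In a real deployment the manifest should travel separately from the archive (or be signed at acquisition time), otherwise whoever can alter the archive can alter the manifest with it; the `rejected` verdict is the signal that stops the workflow before Hayabusa or Plaso ever see the data.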


Join us in Amsterdam, November 20, 2025.