Automated forensics of computer systems using behavioral intelligence

摘要

A method for computer system forensics includes receiving an identification of at least one host computer (26) that has exhibited an anomalous behavior, in a computer network (24) comprising multiple host computers. Respective images (68) of the host computers in the network are assembled using image information collected with regard to the host computers. A comparison is made between at least one positive image of the at least one host computer, assembled using the image information collected following occurrence of the anomalous behavior, and one or more negative images assembled using the image information collected with respect to one or more of the host computers not exhibiting the anomalous behavior. Based on the comparison, a forensic indicator of the anomalous behavior is extracted from the positive and negative images.