Patent attributes
A forensic analysis method performed in respect of an endpoint device connected to a computer network. The forensic analysis method comprises collecting file system call data from the endpoint device. The file system call data corresponds to a plurality of system calls relating to file system operations arising from activity performed on the endpoint device. The forensic analysis method also comprises collecting network communication metadata from the endpoint device. The network communication metadata is based on a plurality of system calls relating to communication operations over the computer network arising from activity performed on the endpoint device. The forensic analysis method further comprises detecting first candidate data comprised in one of the collected file system call data and the collected network communication metadata and identifying second candidate data in the other of the collected file system call data and the collected network communication metadata with the second candidate data corresponding to the first candidate data. The forensic analysis method yet further comprises analysing the second candidate data to determine whether or not the first and second candidate data correspond to suspect activity performed on the endpoint device.
