AISI DFIR (Digital Forensics and Incident Response) is a managed forensics and incident response service offered by AISI, a French cybersecurity firm. The service covers both doubt-removal investigations and confirmed incident response engagements. The service is structured around three analysis axes: - Malware Analysis: Extraction of indicators of compromise (IOCs), identification of malware persistence mechanisms, YARA rule creation, and reverse engineering. - Incident Analysis: Identification of persistence sources, assessment of risks related to malware execution, definition of countermeasures, and provision of a machine remediation tool. - Behavioral Analysis: Evidence collection via the proprietary Scout tool, investigation based on recurring MITRE ATT&CK techniques, identification of persistence traces, suspicious command executions, suspicious connections, and unusual behaviors. AISI has developed three proprietary tools to support the service: - Scout: Collects system and user registry hives, system logs, suspicious files, system files (USN, etc.), process details, and network connections. - Commodore: Processes encrypted archives in bulk, analyzes registry hives and logs, examines suspicious files, enriches data, and normalizes output format. - Hunter: Performs remediation by removing malware and persistence artifacts such as scheduled tasks, services, registry keys, and WMI objects. Use cases include response to intrusions with erratic behavior (RDP sessions, AnyDesk installations), ransomware denial-of-service investigations, and analysis of machines suspected of compromise.