Remi identifies attacker attempts to regain access after being removed from the environment. Forensic artifacts include newly created persistence mechanisms, re-used credentials, and connections to known command-and-control servers.

🔍 Investigative Questions Answered:

• Who's connecting to the computer(s)? Any foreign countries logging in? (IP and geolocation data from re-entry attempts)
• Is this a state actor, hacking group, or a single threat? (Patterns indicating known threat actors)
• What tools were used to gain access to the network? (Detection of attacker-deployed tools for re-entry)
• Explain the attack as it happens, the audience is forensic examiners and law enforcement. (Sequence of re-entry attempts and methods)

Remi’s Application Detections monitor suspicious application behavior, identifying unauthorized software execution, application exploitation, and vulnerability abuse. Forensic evidence includes process names, execution paths, user accounts involved, and associated timestamps.

🔍 Investigative Questions Answered:

• When did the attack start? (Based on timestamps of malicious application executions)
• What tools were used to gain access to the network? (Extracted from suspicious application usage)
• Were any files installed or copied to this computer? (Detection of installation processes)
• AI Explains the attack as it happens, the audience is forensic examiners and law enforcement. (Detailed process and timeline reconstruction)

Remi’s Endpoint Detections identify malicious activities occurring on user devices, such as suspicious process execution, file modifications, and unauthorized hardware usage. Forensic data includes device IDs, process trees, accessed file paths, and device MAC addresses.

🔍 Investigative Questions Answered:

• Which computer is patient 0? (Identification of the first infected endpoint)
• Were any files installed or copied to this computer? (Detection of new files or modifications)
• Was any data accessed, was personal information accessed, was sensitive data accessed? (File access monitoring)
• What tools were used to gain access to the network? (Suspicious tools detected on endpoints)
• Explain the attack as it happens, the audience is forensic examiners and law enforcement. (Timeline and endpoint behavior analysis)

Remi detects authentication anomalies, highlighting unauthorized access attempts, brute force attacks, and credential misuse. Extracted evidence includes failed login attempts, successful logins from unusual locations, and multi-factor authentication bypasses.

🔍 Investigative Questions Answered:

• Who's connecting to the computer(s)? Any foreign countries logging in? (Based on IP addresses and geolocation of login attempts)
• Is there an insider threat? (Identification of unusual access by internal accounts)
• When did the attack start? (Timestamp of the first unauthorized access)
• Is the attack in progress or has it stopped? (Ongoing or terminated login attempts)
• What on the victim's side failed that allowed the hacker to gain access to? (Weak passwords or MFA bypass detection)

Remi detects unauthorized data extraction attempts by monitoring file transfers, cloud uploads, and removable media usage. Extracted forensic evidence includes file names, sizes, transfer methods, destination IPs, and timestamps.

🔍 Investigative Questions Answered:

• Was any data exfiltrated from the computer network? (Identification of file transfers)
• Where was the data transferred to? (Destination IP addresses and transfer methods)
• What was the attack vector? (Methods used for data theft)
• Is the attack in progress or has it stopped? (Ongoing exfiltration detection)
• Explain the attack as it happens, the audience is forensic examiners and law enforcement. (Detailed exfiltration timeline and method)

Remi detects malware infections by analyzing file executions, network communications, and behavioral indicators.Forensic evidence includes malicious file hashes, infection vectors, executed payloads, and timestamps of initial infection.

🔍 Investigative Questions Answered:

• If malware or rootlets were involved, what information can you provide about each? (Malware type, hash, and behavior analysis)
• What was the attack vector? (How malware was introduced)
• Which computer is patient 0? (First infected device identification)
• When did the attack start? (Infection timestamps)
• Explain the attack as it happens, the audience is forensic examiners and law enforcement. (Complete infection timeline and spread)

Remi monitors network traffic to uncover unauthorized communications, lateral movement, and data exfiltration attempts. Extracted forensic evidence includes source and destination IP addresses, ports, protocols, and detected network scans.

🔍 Investigative Questions Answered:

• Where did the attack originate from? (Source IP analysis)
• What city, state, country? (IP geolocation data)
• Who was the internet provider? (Identified through IP lookups)
• Show the sessions of the hacker so we can understand. (Network session data)
• Are there any domain lookup history with this domain? (DNS and network connection logs)
• Who's connecting to the computer(s)? Any foreign countries logging in? (Cross-border connection identification)
• What was the attack vector? (Network-based intrusion detection)
• Explain the attack as it happens, the audience is forensic examiners and law enforcement. (Complete network activity timeline)

Remi detects attacker tactics designed to maintain long-term access to compromised systems. Forensic evidence includes scheduled tasks, startup modifications, registry changes, and hidden services.

🔍 Investigative Questions Answered:

• What on the victim's side failed that allowed the hacker to gain access to? (Unpatched software, weak configurations)
• What tools were used to gain access to the network? (Persistence mechanisms analysis)
• Is the attack in progress or has it stopped? (Active vs. inactive persistence methods)
• Explain the attack as it happens, the audience is forensic examiners and law enforcement. (Persistence techniques timeline)