2023-10-15 – WestIn, Munich
Usually, a forensic investigation of a breach involves a lot of data conversions, loose files and the investigator's personal collection of favorite tools. This leads to issues when it comes to scaling the investigation to many hosts and also lacks consistency of results when sharing the analysis work in a team.
Over the last years, we have wrapped all our tools into a common interface, defined the data flow between them and built comprehensive workflows out of these building blocks. We can now automatically process collected forensics data from the raw image into a plethora of useful reports, all in a single click.
Additionally, our platform offers a sleek interface to view the reports and the raw data, search the timeline and document our findings.
Using this approach, we have improved our ability to quickly adapt to big investigations and to keep track of progress throughout the collection, processing and documentation phases, while also making forensics more accessible to colleagues from IR.
We would like to present our internal forensics platform "SiERRA" that was developed over the last years out of the need to streamline and automate our workload.
In the backend, we have packaged various open-source and self-developed tools into lightweight Docker containers ("workers") that talk to a central API and have a defined interface for their input and output types. By tracking worker input and output, we are able to automatically keep track of the origin evidence item that every worker output is connected to. Workers are also able to raise "alerts" for suspicious findings that need the analyst's attention.
To further automate analysis, we created a format to define "workflows": A way to define the flow of data through multiple workers. Our workflow automation will then take care of queuing the workers in the right order and filtering worker output so it becomes suitable as input for the next worker in line.
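The worker and workflow model described in the two preceding paragraphs can be illustrated with a small orchestration engine. The code below is an added example, not SiERRA's own code or API: the worker names, artifact types, the sample "disk image" and the temp-directory rule are all constructed. It shows the three mechanics the text describes: workers declare their input and output types, the workflow runner queues them in order and filters artifacts by type so one worker's output becomes the next worker's input, every artifact records which worker produced it from which parent so it can be traced back to the uploaded evidence item, and workers can raise alerts on the artifact they were inspecting.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Artifact:
    id: str
    type: str                       # e.g. "disk_image", "filesystem", "timeline"
    data: object
    parent: Optional[str] = None    # artifact this one was derived from
    producer: Optional[str] = None  # worker that produced it

@dataclass
class Alert:
    artifact_id: str   # artifact the suspicious finding was made on
    severity: str
    message: str

# A worker consumes one artifact and returns (output payloads, alerts).
WorkerFn = Callable[[Artifact], Tuple[List[object], List[Tuple[str, str]]]]

@dataclass
class Worker:
    name: str
    consumes: str   # declared input type
    produces: str   # declared output type
    run: WorkerFn

class Engine:
    def __init__(self, workers: List[Worker]):
        self.workers = {w.name: w for w in workers}
        self.artifacts: Dict[str, Artifact] = {}
        self.alerts: List[Alert] = []
        self._done: Set[Tuple[str, str]] = set()  # (worker, artifact) pairs already run
        self._seq = 0

    def add_evidence(self, type_: str, data: object) -> str:
        """Register an uploaded evidence item, the root of a provenance chain."""
        return self._store(type_, data, None, None)

    def _store(self, type_, data, parent, producer) -> str:
        self._seq += 1
        aid = f"a{self._seq}"
        self.artifacts[aid] = Artifact(aid, type_, data, parent, producer)
        return aid

    def run_workflow(self, workflow: List[str]) -> None:
        """Queue workers in the listed order; each receives only artifacts of its
        declared input type that it has not processed yet, which is the filtering
        step that makes one worker's output suitable input for the next."""
        for name in workflow:
            w = self.workers[name]
            inputs = [a for a in list(self.artifacts.values())
                      if a.type == w.consumes and (name, a.id) not in self._done]
            for a in inputs:
                self._done.add((name, a.id))
                outputs, alerts = w.run(a)
                for payload in outputs:
                    self._store(w.produces, payload, a.id, name)
                self.alerts += [Alert(a.id, sev, msg) for sev, msg in alerts]

    def origin(self, artifact_id: str) -> str:
        """Follow the parent chain back to the evidence item it came from."""
        a = self.artifacts[artifact_id]
        while a.parent is not None:
            a = self.artifacts[a.parent]
        return a.id

# Constructed sample workers standing in for real tools.
def extract_fs(img: Artifact):
    """disk_image -> filesystem (the constructed image is already a path->mtime map)."""
    return [dict(img.data["files"])], []

def build_timeline(fs: Artifact):
    """filesystem -> timeline: one (mtime, path) event per file, in chronological order."""
    return [sorted((mtime, path) for path, mtime in fs.data.items())], []

def temp_exec_check(fs: Artifact):
    """filesystem -> scan_result, raising an alert for executables in a temp directory."""
    hits = [p for p in fs.data if p.startswith("/tmp/") and p.endswith(".exe")]
    return [hits], [("high", f"executable in temp directory: {p}") for p in hits]

def demo() -> Engine:
    eng = Engine([
        Worker("extract_fs", "disk_image", "filesystem", extract_fs),
        Worker("timeline", "filesystem", "timeline", build_timeline),
        Worker("temp_exec_check", "filesystem", "scan_result", temp_exec_check),
    ])
    # constructed evidence item: a "disk image" reduced to a few file mtimes
    eng.add_evidence("disk_image", {"host": "ws01", "files": {
        "/etc/passwd": "2023-09-30T08:00:00",
        "/tmp/update.exe": "2023-10-14T23:12:05",
        "/home/user/notes.txt": "2023-10-01T10:30:00"}})
    eng.run_workflow(["extract_fs", "timeline", "temp_exec_check"])
    return eng

if __name__ == "__main__":
    e = demo()
    print([(a.id, a.type, e.origin(a.id)) for a in e.artifacts.values()], e.alerts)
```

Running `demo()` yields four artifacts: the uploaded image, the extracted filesystem, the timeline and the scan result, each traceable through `origin()` to the single evidence item, plus one alert attached to the filesystem artifact the check was run on. Because the engine remembers which (worker, artifact) pairs have run, re-running the same workflow is idempotent, which is what allows a new worker to be appended to a default workflow and applied to existing cases without reprocessing everything.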
In the front end, we created a web application that is able to support our analysis process from start to finish: An analyst will first create a case and upload evidence. They can then trigger workflows or single workers on the evidence and monitor the worker progress. After processing has finished, the analyst is able to look at the resulting reports and data extracts using specialized views for different types of data (e.g. tables, timeline data, file system trees) and will also be alerted to the automatic findings of workers.
To aid in documentation, every piece of information that is displayed in the various views can be selected by the analyst and be promoted to a finding with the option of adding further details or explanations in Markdown format. Findings will be displayed in their own view in chronological order and can be filtered by host and/or severity, giving an easy overview over what has happened in a case.
Since introducing this platform, we have seen numerous benefits as opposed to the "classical" approach to breach forensics:
- The relative ease of implementing new workers gives us the ability to quickly adapt to specific analysis needs in an incident as well as to research novel attack techniques. Including new workers in a default workflow provides immediate benefit to all new cases.
- Presenting and tracking all assets, findings and analysis data in a web application provides transparency for everyone involved in the case and enables seamless cooperation between the involved parties.
- Making documentation of findings as friction-less as possible, by providing an easy interface to create findings and pre-filling already known pieces of data, improves overall case documentation.
- Standardized workflows and automatic findings allow for a low barrier to entry for new colleagues getting started in forensics and also allow incident responders to take a look themselves in everyday cases.
Demian has been working at Siemens CERT for 6 years as an incident responder and digital forensics analyst. For the past years, he has also taken on the role of lead engineer of the team's efforts to automate and enhance the analysis processes.
In the past, he has also worked on digital forensics cases for Germany's law enforcement agencies.