As cybersecurity threats continue to evolve, incident response teams need to adapt their strategies to stay ahead. The latest update from Cellebrite Endpoint Inspector offers new features that make incident response collections faster, more efficient, and more thorough. In this blog post, we will discuss two of these features: support for YARA rules and operating system index searching.

YARA Rules for Incident Response Collections

One of the most significant enhancements to Endpoint Inspector is support for YARA rules in incident response collections. YARA rules let incident responders define computer collections that detect malware and other security threats based on textual or binary patterns.

Open-source YARA rules from ReversingLabs are already included for computers, but you can also import additional rules from various threat intel feeds or write your own. The scope of YARA rules can be limited by file path to avoid consuming too many resources.

When defining a computer collection for incident response, you can choose rule categories and then rule sets from a list on the “Select YARA Rule Sets” dialog. A report will be generated as a text file, listing all the files that were responsive to the rules selected. The files can also be included by selecting the “Collect Responsive Files” checkbox. This will gather the responsive files and folders into an L01 alongside the report.
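To make the workflow above concrete, here is an added example that is not Cellebrite's code: a small Python scanner that evaluates a tiny subset of YARA syntax (plain-text strings, hex byte patterns, and `any of them` / `all of them` conditions), restricts the scan to a path scope given as glob patterns, and writes a text report of the responsive files. The rule text, the scope list, and the sample files it scans are all constructed for the demo; real YARA supports far more (regular expressions, string modifiers, counts, modules), so this is an illustration of the matching and scoping idea, not a replacement for the YARA engine.

```python
"""Minimal YARA-style scanner: added example, not Cellebrite's or YARA's own code."""
import fnmatch
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: dict      # "$identifier" -> bytes pattern (text or hex)
    condition: str     # "any" or "all" of the defined strings

    def matches(self, data: bytes) -> bool:
        """Evaluate the rule against raw file content."""
        found = [pattern in data for pattern in self.strings.values()]
        return all(found) if self.condition == "all" else any(found)


# Accepts either  $id = "text"  or  $id = { 4D 5A }
STRING_LINE = re.compile(r'^\$(\w+)\s*=\s*(?:"(.*)"|\{\s*([0-9A-Fa-f ]+)\s*\})$')


def parse_rules(text: str) -> list:
    """Parse the supported YARA subset into Rule objects (line-oriented)."""
    rules, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("rule "):
            current = Rule(name=line.split()[1], strings={}, condition="any")
            rules.append(current)
            section = None
        elif line == "strings:":
            section = "strings"
        elif line == "condition:":
            section = "condition"
        elif line == "}":
            current, section = None, None
        elif current is None or line == "{":
            continue
        elif section == "strings":
            m = STRING_LINE.match(line)
            if not m:
                raise ValueError(f"unsupported string definition: {line}")
            ident, text_pat, hex_pat = m.groups()
            current.strings["$" + ident] = (
                text_pat.encode() if text_pat is not None else bytes.fromhex(hex_pat)
            )
        elif section == "condition":
            current.condition = "all" if line.startswith("all of") else "any"
    return rules


def scan_tree(root: str, rules: list, scope: list) -> dict:
    """Scan files under root whose relative path matches a scope glob.

    Returns {relative_path: [names of matching rules]} for responsive files only;
    files outside the scope are never opened, which is what path scoping buys you.
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(fnmatch.fnmatch(rel, glob) for glob in scope):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            matched = [rule.name for rule in rules if rule.matches(data)]
            if matched:
                hits[rel] = matched
    return hits


def write_report(hits: dict, report_path: str) -> list:
    """Write one 'path<TAB>rule, rule' line per responsive file; return the lines."""
    lines = [f"{path}\t{', '.join(names)}" for path, names in sorted(hits.items())]
    with open(report_path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


# Constructed rule text (hypothetical rule names; not from any real feed).
RULES_TEXT = """
rule SuspiciousPE
{
    strings:
        $mz  = { 4D 5A }
        $cmd = "cmd.exe /c"
    condition:
        all of them
}

rule MarkerString
{
    strings:
        $s = "CONSTRUCTED-TEST-MARKER"
    condition:
        any of them
}
"""

# Constructed path scope: only these subtrees are scanned.
SCOPE = ["bin/*", "docs/*"]


def build_sample_tree() -> str:
    """Create constructed sample files in a temp directory (none are real malware)."""
    root = tempfile.mkdtemp(prefix="yara_demo_")
    samples = {
        "bin/sample.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"cmd.exe /c whoami",
        "docs/note.txt": b"contains the CONSTRUCTED-TEST-MARKER string",
        "docs/clean.txt": b"nothing of interest here",
        "logs/app.log": b"CONSTRUCTED-TEST-MARKER but outside the scan scope",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    responsive = scan_tree(sample_root, parse_rules(RULES_TEXT), SCOPE)
    for line in write_report(responsive, os.path.join(sample_root, "report.txt")):
        print(line)
```

Running it reports `bin/sample.exe` against `SuspiciousPE` and `docs/note.txt` against `MarkerString`; `logs/app.log` carries the marker but sits outside the scope and is never read, mirroring how limiting rules by file path keeps a collection from touching (and spending resources on) everything on the endpoint.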

Searching the Operating System Index

Another new feature is the ability to search the operating system index when defining a computer collection to collect files. You can use keywords to search the operating system’s index, which reduces the volume of collected files and accelerates the time to meaningful insights. Endpoint Inspector is transparent about what is indexed, searched, and collected, producing defensible results.

Better Incident Response Collections

Cellebrite Endpoint Inspector’s new features, including YARA rules and operating system index searching, enhance incident response collections’ efficiency and accuracy. YARA rules help detect malware and security threats based on textual or binary patterns, while searching the operating system index accelerates the time to meaningful insights, producing defensible results.

Minimizing business disruption is a core value of our remote computer, mobile, cloud, and workplace applications collection capabilities in Endpoint Inspector. Adding capabilities for triaging incidents and gathering sensitive, volatile data to assess risks is a natural progression to ensure we’re providing your team with the best, most comprehensive tool on the market. To learn more about Endpoint Inspector and Cellebrite Enterprise Solutions as a whole for smoother corporate investigations, don’t hesitate to reach out to us.
