G06F2221/2127

Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views

A stackable filesystem that transparently tracks process file writes for forensic analysis. The filesystem comprises a base filesystem and an overlay filesystem. Processes see the union of the upper and lower filesystems, but process writes are only reflected in the overlay. By providing per-process views of the filesystem using this stackable approach, a forensic analyzer can record a process's file-based activity, i.e., file creation, deletion and modification. These activities are then analyzed to identify indicators of compromise (IoCs). These indicators are then fed into a forensics analysis engine, which quickly decides whether a subject (e.g., a process or user) is malicious. If so, the system takes a proactive action to alert a proper authority, to quarantine the potential attack, or to provide other remediation. The approach enables forensic analysis without requiring file access mediation or system event-level collection and analysis, making it a lightweight and non-intrusive solution.

System and method for handling user requests for web services
11811775 · 2023-11-07

A system and method detects and handles replay attacks using counters maintained for each of several different periods for various values of IP addresses and browser description attributes encountered.

Decoy memory allocation
11816217 · 2023-11-14

Certain embodiments described herein relate to methods and systems for detecting unexpected behavior associated with a process. In certain embodiments, a method comprises receiving a memory allocation request, the request indicating one or more memory segments to be allocated in memory of a computing system. The method further comprises allocating the one or more memory segments in the memory based on the memory allocation request. The method further comprises allocating one or more decoy memory segments in the memory based on the memory allocation request. The method further comprises trapping an input/output (I/O) operation. The method further comprises detecting an unexpected behavior associated with the I/O operation based on determining that the I/O operation impacts at least one of the one or more decoy memory segments. The method further comprises performing one or more actions based on the detection.

Methods and systems for preventing malicious activity in a computer system
11528298 · 2022-12-13

A method and a system for preventing an activity of a malware application in a computer system are provided. The method comprises: receiving at least one artefact of a sandbox environment to be installed in the computer system for simulating the sandbox environment in the computer system; receiving an indication of at least one interaction of a given application with the at least one artefact; analyzing an activity of the given application to detect at least one of a first type event and a second type event triggered thereby after executing the at least one interaction; in response to the analyzing rendering a positive result: identifying the given application as being the malware application; and using data indicative of a digital footprint of the given application in the computer system for further updating the at least one artefact for further preventing the activity of the malware application.

SHARED IMAGE SANITIZATION METHOD AND SYSTEM

Methods and systems for removing sensitive information from a digital image. An instruction to share a digital image is received. It is then determined that the digital image contains a depiction of a corporate display medium that is classified as sensitive based on a policy and, based on the determination that the digital image contains the depiction of the corporate display medium that is classified as sensitive based on the policy, the digital image is processed to modify the depiction. The digital image is shared.

System and Method for Handling User Requests for Web Services
20220303275 · 2022-09-22

A system and method detects and handles replay attacks using counters maintained for each of several different periods for various values of IP addresses and browser description attributes encountered.

Shared image sanitization method and system

Methods and systems for removing sensitive information from a digital image. An instruction to share a digital image is received. It is then determined that the digital image contains a depiction of a corporate display medium that is classified as sensitive based on a policy and, based on the determination that the digital image contains the depiction of the corporate display medium that is classified as sensitive based on the policy, the digital image is processed to modify the depiction. The digital image is shared.

GENERATING AND DISSEMINATING MOCK DATA FOR CIRCUMVENTING DATA SECURITY BREACHES
20220222356 · 2022-07-14

Modified data records, including mock data, are generated and disseminated in response to determining that a data breach has occurred resulting in the data records being released or otherwise made available at an Internet website. The modified data records are posted or otherwise made available at the same Internet site at which the original data records are posted or otherwise available. The modified data records are made more enticing to a would-be acquirer of the data than the original data records by containing significantly more records than the original data records and/or by being offered to the would-be acquirer at better terms.

System and method for handling user requests for web services
11297060 · 2022-04-05

A system and method detects and handles replay attacks using counters maintained for each of several different periods for various values of IP addresses and browser description attributes encountered.

METHODS AND SYSTEMS FOR PREVENTING MALICIOUS ACTIVITY IN A COMPUTER SYSTEM
20220070219 · 2022-03-03

A method and a system for preventing an activity of a malware application in a computer system are provided. The method comprises: receiving at least one artefact of a sandbox environment to be installed in the computer system for simulating the sandbox environment in the computer system; receiving an indication of at least one interaction of a given application with the at least one artefact; analyzing an activity of the given application to detect at least one of a first type event and a second type event triggered thereby after executing the at least one interaction; in response to the analyzing rendering a positive result: identifying the given application as being the malware application; and using data indicative of a digital footprint of the given application in the computer system for further updating the at least one artefact for further preventing the activity of the malware application.