Deep File Inspection™

Deep File Inspection (DFI) is the nexus of FDR. It is a static-analysis engine that rapidly peels apart a file, enabling digital inspection deep beyond Layer 7 of the OSI model, effectively automating the work of a typical SOC analyst or security researcher. Attacker nesting creativity becomes irrelevant. DFI rapidly dissects common carriers to expose embedded logic (macros, scripts, applets), semantic context (spreadsheet cells, presentation words, etc.), and metadata (author, edit time, page count, etc). Common evasive characteristics and encoding mechanisms are automatically discovered and deciphered. The DFI process is so thorough in its analysis, it typically results in 4X the amount of analyzable content relative to original file size. For example, 6MB of data may be derived from a 2MB file, resulting in 8MB of total inspectable content.

DFI uncovers the underwater part of the malware iceberg illustration InQuest DFI submarine explores the depths of malware Submarine shadow illustration

To appreciate its power, consider the primary challenges security analysts and threat hunters face on a daily basis:

  • Constantly evolving malware, exploits, and attacker tactics, techniques, and procedures (TTPs)
  • Constantly evolving attack surface (user locations, user devices, application movement to cloud, network design changes, etc.)
  • Gigabytes to terabytes of network traffic analysis
  • Understaffed, often underskilled
  • Buried in the time-consuming, mundane work of converting raw, unstructured data into structured data, and then into actionable intelligence

Now consider that the solutions available to SOC analysts and threat hunters fall into two broad buckets - fast but superficial insight, or insight depth that is painfully slow and exorbitant in cost. This leaves the chasm in the middle to be covered by humans - humans with the necessary skill and experience to collect, inspect, analyze, act and hunt - which are in extremely short supply.

DFI shatters this dilemma as shown in the two diagrams below: