Package deployment API

Aurora Focus users can now interact with a hardened Python interpreter that is present locally on each endpoint running Aurora Focus v2.3.1000 or later. This feature lets users perform tasks on endpoints in an automated, scripted fashion. By default, Endpoint Defense supports 5 capabilities for collecting forensic artifacts from targeted endpoints. These capabilities are:

  • Collecting master file table (MFT) artifacts from NTFS volumes.
  • Collecting entire Windows registry hives from endpoints.
  • Collecting entire Windows event log files from endpoints.
  • Collecting web browser history databases from Chrome, Firefox, Internet Explorer, Edge, Opera, and Safari.
  • Collecting common application execution records, including Amcache, Prefetch, and Shimcache.

Users can also configure and deploy custom packages to run custom, scripted actions against endpoints. Customers upload in-house or third-party scripts and applications to Endpoint Defense’s cloud services and deploy them to endpoints. The scripts run in the local Python interpreter built into Aurora Focus, which makes the set of capabilities easily extensible.

After packages have been deployed and executed on endpoints, users can have the resulting data uploaded automatically to SMB shares or SFTP servers for centralized collection and analysis by other forensic or incident response tools. Alternatively, packages can be configured to store their results locally on the endpoint for retrieval at a later time.

Aurora Focus package deployment supports up to 20 packages per organization, and each package has a maximum file size of 70MB. These capabilities, and the workflows around the package deployment feature, are exposed through Endpoint Defense’s API.