Pierfrancesco Elia
Real-Time Automated Forensic Evidence Collection in Critical Systems: Leveraging Advanced Network Monitoring Tools for Enhanced Cybersecurity Incident Response.
Supervisor: Andrea Atzeni. Politecnico di Torino, Master's degree programme in Cybersecurity, 2025
PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives. Download (1MB)
| Abstract: | This thesis examines the convergence of network monitoring infrastructure with automated forensic evidence capture in support of improved cybersecurity incident response capabilities. The study fills the essential gap between threat detection and forensic analysis by introducing a new approach that exploits Zabbix, a publicly available open-source monitoring tool, to support real-time automated evidence capture in a forensically sound and legally compliant context. The research adopts a systematic approach that combines the development of a theoretical framework with experimental validation through controlled laboratory tests. The resulting modular architecture consists of four individual modules, namely Detection, Response, Acquisition, and Preservation, operating through Zabbix's trigger-action mechanism while upholding forensic chain-of-custody requirements. Real-world case studies are illustrated in detail: first a data exfiltration scenario and then an unauthorized service deployment inside a trusted network. The study provides a flexible solution well suited to resource-limited environments such as air-gapped networks, industrial control systems, and legacy systems, in which deploying traditional SIEM/SOAR systems would not be feasible. The modularity allows customization for different threat situations while maintaining forensic integrity, demonstrating that existing monitoring infrastructure can be productively reused as part of an automated forensic capability without depending on specialized forensic environments or large incremental investments. The findings confirm the hypothesis that network monitoring systems are capable of bridging the detection-to-investigation gap, offering organizations incident response capabilities without violating the principles of forensic best practice and the law. |
|---|---|
| Supervisors: | Andrea Atzeni |
| Academic year: | 2025/26 |
| Publication type: | Electronic |
| Number of pages: | 93 |
| Subjects: | |
| Degree programme: | Master's degree programme in Cybersecurity |
| Degree class: | New regulations > Master's degree > LM-32 - COMPUTER ENGINEERING |
| Partner companies: | NOT SPECIFIED |
| URI: | http://webthesis.biblio.polito.it/id/eprint/37933 |
Creative Commons License - Attribution 3.0 Italy