As malware becomes more sophisticated, it has become increasingly difficult to identify the impact of a security compromise even after an event is detected, and to distinguish malicious computing activity from other computer processes and user activity. There remains a need for improved forensic analysis techniques to assist an investigator investigating security events, and more generally for improved techniques for detecting malware on endpoints in an enterprise network.