(Intermediate) Turning Telemetry and Artifacts Into Information

  • aNullValue
    Moderator

    #1

    Title: (Intermediate) Turning Telemetry and Artifacts Into Information

    Description:
    There are many excellent FOSS triage and live response tools for Windows. They can dive deep into Windows systems to extract the artifacts and telemetry that might identify what happened on a machine.

    However, after extracting those artifacts, it is usually up to the analyst to parse and reformat the raw data from these artifacts to make sense of them.

    What if you are looking for a basic, repeatable, automated way to create an overview of what happened on a machine? In this Show And Tell we'll walk through the process of turning raw artifacts into useful information.

    The presenter has spent many years developing tools and methods to help junior forensicators collect, parse, and make sense of Windows telemetry and artifacts, and, in the process, help them learn more.

    In this Show And Tell, we will walk through the process of doing an automated, targeted collection on a suspicious machine. We will take that collection and use Open Source tools to turn that data into an immediately useful report. We will also cover how to collect locally and remotely, and the unique challenges that each presents.

    We will start with collecting data from a suspicious endpoint using AChoir, and creating a report from that data using AChReport. We will also use tools like Volatility and Loki to automate memory analysis and determine if something malicious is located in memory. We will cover this process for both live systems and collected memory dumps, and we will talk about when you would use one method over the other.

    Finally, we will take the collected data, and show how to run Plaso against it to get a timeline which can be further processed for a more detailed analysis.

    This workshop is relevant for both the novice and experienced forensic analyst. It is targeted at automating parts of the forensic analysis process to find common signs of malicious activity. We will use specific tools, but the goal is to show how forensic tools can be automated to enhance the forensic analysis process.

    Speaker(s): Omenscan

    Location: Blue Team Vlg / Blue Team Vlg - Workshop Track 1

    Discord: https://discord.com/channels/7082082...54317658734613

    Event starts: 2020-08-07 13:30 (01:30 PM) PDT (UTC -07:00)

    Event ends: 2020-08-07 15:00 (03:00 PM) PDT (UTC -07:00)

    For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-02T22:45 (UTC).
    Last edited by aNullValue; August 2, 2020, 17:42.
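As an added illustration of the step the workshop abstract describes, turning raw collected artifacts into one normalized, sorted timeline with context around scanner hits, here is a small Python script. It is not code from the workshop, nor from AChoir, AChReport, Loki, Volatility or Plaso. The three artifact samples (a Prefetch-style CSV, event-log JSON lines, and scanner match lines), the host's UTC-7 local offset, and the scanner line layout are all constructed assumptions for the example; real tool output differs and would need its own parser.

```python
"""Merge heterogeneous Windows triage artifacts into one UTC-normalized timeline.

Added illustration only; the input formats below are constructed stand-ins for
parsed artifact output, not the real output of AChoir, Loki or Plaso.
"""
from __future__ import annotations

import csv
import io
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption for this example: the suspicious host ran at UTC-7 (PDT), so artifacts
# that record naive host-local timestamps are converted with this fixed offset.
LOCAL_TZ = timezone(timedelta(hours=-7))

# Constructed sample: Prefetch-style CSV with naive host-local "last run" times.
PREFETCH_CSV = """executable,last_run,run_count
POWERSHELL.EXE,2020-08-07 13:31:12,14
MIMIKATZ.EXE,2020-08-07 13:32:05,1
"""

# Constructed sample: Security event log export as JSON lines with ISO 8601 offsets.
EVENTS_JSONL = r"""
{"TimeCreated":"2020-08-07T13:29:01-07:00","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup"}
{"TimeCreated":"2020-08-07T13:30:44-07:00","EventID":4688,"NewProcessName":"C:\\Windows\\Temp\\mimikatz.exe"}
"""

# Constructed sample: IOC/YARA scanner matches in a made-up "[SEV] ts FILE: ... REASON: ..." layout.
SCANNER_LINES = r"""
[ALERT] 2020-08-07 13:35:09 FILE: C:\Windows\Temp\mimikatz.exe REASON: YARA match Mimikatz_Generic
[NOTICE] 2020-08-07 13:35:12 FILE: C:\Windows\Temp\staging.zip REASON: Filename IOC
"""


@dataclass(frozen=True)
class TimelineEvent:
    ts: datetime      # always timezone-aware UTC so sources can be merged
    source: str       # which artifact the event came from
    severity: str     # "INFO", "NOTICE" or "ALERT"
    summary: str


def _to_utc(local_naive: datetime) -> datetime:
    """Attach the assumed host offset to a naive timestamp and convert to UTC."""
    return local_naive.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)


def parse_prefetch(text: str) -> list[TimelineEvent]:
    """Prefetch-style CSV: naive host-local times, so normalize them to UTC."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = _to_utc(datetime.strptime(row["last_run"], "%Y-%m-%d %H:%M:%S"))
        events.append(TimelineEvent(ts, "prefetch", "INFO",
                                    f"{row['executable']} executed (run count {row['run_count']})"))
    return events


def parse_events_jsonl(text: str) -> list[TimelineEvent]:
    """Event-log JSON lines: fromisoformat keeps the embedded offset, then convert to UTC."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["TimeCreated"]).astimezone(timezone.utc)
        eid = rec["EventID"]
        if eid == 4688:
            summary = f"EID 4688 process created: {rec['NewProcessName']}"
        elif eid == 4624:
            summary = f"EID 4624 logon type {rec['LogonType']} for {rec['TargetUserName']}"
        else:
            summary = f"EID {eid}"
        events.append(TimelineEvent(ts, "eventlog", "INFO", summary))
    return events


SCANNER_RE = re.compile(
    r"^\[(?P<sev>ALERT|NOTICE)\] (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"FILE: (?P<file>.+?) REASON: (?P<reason>.+)$")


def parse_scanner(text: str) -> list[TimelineEvent]:
    """Scanner match lines (constructed layout); unparseable lines are skipped, not fatal."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SCANNER_RE.match(line)
        if not m:
            continue
        ts = _to_utc(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
        events.append(TimelineEvent(ts, "scanner", m["sev"], f"{m['file']}: {m['reason']}"))
    return events


def build_timeline() -> list[TimelineEvent]:
    """Merge every parsed source into one list ordered by UTC timestamp."""
    events = parse_prefetch(PREFETCH_CSV) + parse_events_jsonl(EVENTS_JSONL) + parse_scanner(SCANNER_LINES)
    return sorted(events, key=lambda e: e.ts)


def events_near(timeline: list[TimelineEvent], anchor: TimelineEvent,
                window: timedelta = timedelta(minutes=5)) -> list[TimelineEvent]:
    """Everything that happened within +/- window of an anchor event (the anchor included)."""
    return [e for e in timeline if abs(e.ts - anchor.ts) <= window]


def render_report(timeline: list[TimelineEvent]) -> str:
    """Plain-text report: the full timeline, then the context around each ALERT."""
    lines = [f"{e.ts.isoformat()} {e.severity:<6} {e.source:<9} {e.summary}" for e in timeline]
    alerts = [e for e in timeline if e.severity == "ALERT"]
    lines.append(f"-- {len(timeline)} events from {len({e.source for e in timeline})} sources, "
                 f"{len(alerts)} alert(s)")
    for a in alerts:
        lines.append(f"-- context within 5 min of alert at {a.ts.isoformat()}:")
        lines.extend(f"     {e.ts.time()} [{e.source}] {e.summary}"
                     for e in events_near(timeline, a) if e is not a)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(build_timeline()))
```

The point of the example is the normalization step: every source is converted to timezone-aware UTC before sorting, because a Prefetch parser that emits host-local times and an event-log export with explicit offsets will otherwise interleave incorrectly. The alert-context section is the "information" the abstract talks about: a reader sees the logon, the process creation and the Prefetch entry that surround a scanner hit without reading the whole timeline.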