DFIR SANS360 Talks

More documents

Recommendations

Info

Caveats Google, Akamai and Facebook will come up quite a bit. Create a whitelist for sites you know everyone talks to. What is left might be interesting. What to look for? – Rented space (Amazon, etc.). – Common ISPs. – One connection ever per host, with a download. – Subsequent beaconing from internal hosts. 168
Why Did This Change Your Life? Reiterated the value of customer engagement. Taught us to do something new. Spawned a whole range of thinking about second and third order analytics that is still paying off today. Showed us the versatility and power of LYNXeon in a new way. 169
Page 7 and 8:
Registry Decoder • Originally fun
Page 9 and 10:
Registry Decoder Offline • Used t
Page 11 and 12:
Browsing • Similar to Access Data
Page 13 and 14:
Plugins • Full plugin system, eac
Page 15:
Searching - The Best Part!! • No
Page 20 and 21:
Reporting • We wanted to be able
Page 23 and 24:
TRIAGE Standardizing Remote IR Coll
Page 25 and 26:
Our Problem • Slow Response Time
Page 27 and 28:
Our Actions - After Triage • Auto
Page 29 and 30:
What does it do? • Runs Sysintern
Page 31 and 32:
Quick Hits • Start Up Info • AV
Page 33 and 34:
CASE STUDY
Page 35 and 36:
Triage Received - AV Logs analyzed
Page 37 and 38:
Wait what was that?? • Yes we hav
Page 39 and 40:
What hit me? • Gammima.AG • Gam
Page 41 and 42:
Triage Timings • 5hr 25 Minutes
Page 43:
Who Created Triage?
Page 46 and 47:
"All our knowledge is the offspring
Page 48:
The REALITY of the depiction DOESN'
Page 55 and 56:
By the time a person reaches physic
Page 57 and 58:
The Midline moves down towards the
Page 59 and 60:
Growth & Development of the Face 7
Page 61 and 62:
Before you reach for your slide rul
Page 63 and 64:
5 Step Age Estimation Process 1. Ro
Page 65 and 66:
3 Years Old
Page 67 and 68:
9 Years Old
Page 69 and 70:
15 Years Old
Page 71 and 72:
25 Years Old
Page 73:
"All our knowledge is the offspring
Page 76 and 77:
SANS360 Registry, UserAssist, and V
Page 78 and 79:
VSCs Does old data every completely
Page 80 and 81:
UserAssist Info from the Registry N
Page 82:
Questions? Harlan Carvey harlanc@ap
Page 85 and 86:
Kitteh Porn!
Page 87 and 88:
Emperor Rob Let's Meet Our Suspects
Page 89 and 90:
Find the Common Images $ awk '{prin
Page 91 and 92:
Eliminate "Known Goods" $ awk '{pri
Page 93 and 94:
Lee-Ah and Emperor Rob? $ awk '{pri
Page 95 and 96:
Thanks J-Michael!
Page 98 and 99:
Automating Your Timeline Analysis i
Page 100 and 101:
Background • • What about YARA?
Page 102 and 103:
Log2timeline and YARA Together At L
Page 104 and 105:
Example Rule private rule MFT_Hit {
Page 106:
Summary • YARA rules can be used
Page 109 and 110:
Overview What Are Fraudulent Docum
Page 111 and 112:
What Are Fraudulent Documents Fraud
Page 113 and 114:
Types of Fraud - Purchasing Indict
Page 115 and 116:
Types of Fraud - Bid Rigging FBI a
Page 117 and 118: Word Documents Metadata Metadata i
Page 119 and 120: Word Documents Metadata Creating a
Page 121 and 122: Word Documents Metadata Printing D
Page 123 and 124: Red Flag #1 Company’s name should
Page 125 and 126: Red Flag #3 Creation dates shouldn
Page 127 and 128: Red Flag #5 No Metadata when metada
Page 129 and 130: Detection Process In Action Suspec
Page 131 and 132: Collect Documents Mixture of bids,
Page 133 and 134: Extract Metadata Run SquirrelGrippe
Page 135 and 136: Analyze Metadata Suspicious Documen
Page 137: What’s Next More Information Pap
Page 141: Pay no attention to the data behind
Page 153: Girl, Unallocated’s Open Source T
Page 157: Helmet of Problem Solving Dongle of
Page 160 and 161: Context LYNXeon is our tool for ne
Page 162 and 163: The Challenge We get our first qua
Page 164 and 165: Bad Host! Bad! No Cookie! Easy to
Page 166 and 167: What are we doing again? Initial c
Page 170: Questions & Discussion For future q
Page 173 and 174: • Registry values used to track a
Page 175 and 176: For Windows XP: C:\Documents and Se
Page 177 and 178: Live Registry: HK_USERS\(USERID)\Lo
Page 179 and 180: \Software\Microsoft\Windows\Shell\B
Page 181 and 182: TZWorks Windows Shellbag Parser (ht
Page 183 and 184: C:\>sbag usrclass.dat -csv > usrcla
Page 185 and 186: Unauthorized Access of Other Employ
Page 188 and 189: #SANS360 DFIR Summit 2012! Hi.. My
Page 190 and 191: Log2timeline! Reviewing log2timelin
Page 193 and 194: Now let’s try this on a real comp
Page 195 and 196: Log2timeline does a GREAT job of ma
Page 197 and 198: Data diagram of PoC Solution: Featu
Page 201 and 202: To do: • Find time (egoings@kpmg.
show all

DFIR SANS360 Talks

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?