- Page 7 and 8: Registry Decoder • Originally fun
- Page 9 and 10: Registry Decoder Offline • Used t
- Page 11 and 12: Browsing • Similar to Access Data
- Page 13 and 14: Plugins • Full plugin system, eac
- Page 15: Searching - The Best Part!! • No
- Page 20 and 21: Reporting • We wanted to be able
- Page 23 and 24: TRIAGE Standardizing Remote IR Coll
- Page 25 and 26: Our Problem • Slow Response Time
- Page 27 and 28: Our Actions - After Triage • Auto
- Page 29 and 30: What does it do? • Runs Sysintern
- Page 31 and 32: Quick Hits • Start Up Info • AV
- Page 33 and 34: CASE STUDY
- Page 35 and 36: Triage Received - AV Logs analyzed
- Page 37 and 38: Wait what was that?? • Yes we hav
- Page 39 and 40: What hit me? • Gammima.AG • Gam
- Page 41: Triage Timings • 5hr 25 Minutes
- Page 46 and 47: "All our knowledge is the offspring
- Page 48: The REALITY of the depiction DOESN'
- Page 55 and 56: By the time a person reaches physic
- Page 57 and 58: The Midline moves down towards the
- Page 59 and 60: Growth & Development of the Face 7
- Page 61 and 62: Before you reach for your slide rul
- Page 63 and 64: 5 Step Age Estimation Process 1. Ro
- Page 65 and 66: 3 Years Old
- Page 67 and 68: 9 Years Old
- Page 69 and 70: 15 Years Old
- Page 71 and 72: 25 Years Old
- Page 73: "All our knowledge is the offspring
- Page 76 and 77: SANS360 Registry, UserAssist, and V
- Page 78 and 79: VSCs Does old data ever completely
- Page 80 and 81: UserAssist Info from the Registry N
- Page 82: Questions? Harlan Carvey harlanc@ap
- Page 85 and 86: Kitteh Porn!
- Page 87 and 88: Emperor Rob Let's Meet Our Suspects
- Page 89 and 90: Find the Common Images $ awk '{prin
- Page 91 and 92: Eliminate "Known Goods" $ awk '{pri
- Page 93 and 94: Lee-Ah and Emperor Rob? $ awk '{pri
- Page 95 and 96: Thanks J-Michael!
- Page 98 and 99: Automating Your Timeline Analysis i
- Page 100 and 101: Background • • What about YARA?
- Page 102 and 103: Log2timeline and YARA Together At L
- Page 104 and 105: Example Rule private rule MFT_Hit {
- Page 106: Summary • YARA rules can be used
- Page 109 and 110: Overview What Are Fraudulent Docum
- Page 111 and 112: What Are Fraudulent Documents Fraud
- Page 113 and 114: Types of Fraud - Purchasing Indict
- Page 115 and 116: Types of Fraud - Bid Rigging FBI a
- Page 117 and 118: Word Documents Metadata Metadata i
- Page 119 and 120: Word Documents Metadata Creating a
- Page 121 and 122: Word Documents Metadata Printing D
- Page 123 and 124: Red Flag #1 Company’s name should
- Page 125 and 126: Red Flag #3 Creation dates shouldn
- Page 127 and 128: Red Flag #5 No Metadata when metada
- Page 129 and 130: Detection Process In Action Suspec
- Page 131 and 132: Collect Documents Mixture of bids,
- Page 133 and 134: Extract Metadata Run SquirrelGrippe
- Page 135 and 136: Analyze Metadata Suspicious Documen
- Page 137: What’s Next More Information Pap
- Page 141: Pay no attention to the data behind
- Page 153: Girl, Unallocated’s Open Source T
- Page 157: Helmet of Problem Solving Dongle of
- Page 160 and 161: Context LYNXeon is our tool for ne
- Page 162 and 163: The Challenge We get our first qua
- Page 164 and 165: Bad Host! Bad! No Cookie! Easy to
- Page 166 and 167: What are we doing again? Initial c
- Page 168 and 169: Caveats Google, Akamai and Faceboo
- Page 170: Questions & Discussion For future q
- Page 173 and 174: • Registry values used to track a
- Page 175 and 176: For Windows XP: C:\Documents and Se
- Page 177 and 178: Live Registry: HK_USERS\(USERID)\Lo
- Page 179 and 180: \Software\Microsoft\Windows\Shell\B
- Page 181 and 182: TZWorks Windows Shellbag Parser (ht
- Page 183 and 184: C:\>sbag usrclass.dat -csv > usrcla
- Page 185 and 186: Unauthorized Access of Other Employ
- Page 188 and 189: #SANS360 DFIR Summit 2012! Hi.. My
- Page 190 and 191: Log2timeline! Reviewing log2timelin
- Page 193 and 194: Now let’s try this on a real comp
- Page 195 and 196: Log2timeline does a GREAT job of ma
- Page 197 and 198: Data diagram of PoC Solution: Featu
- Page 201 and 202: To do: • Find time (egoings@kpmg.