Looking for a “new” Windows artifact that is currently being underutilized and contains a wealth of information? Event Tracing for Windows (ETW) and Event Trace Logs (ETL) may be your answer. There’s nothing new about them, yet they can provide a wealth of information. Event Tracing for Windows was introduced in Windows 2000 and is still going strong in current …

A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. This presentation will walk through the numerous forensic, incident response, and evidentiary aspects of Office 365. The presentation is based …

Here’s Brian Carrier’s presentation from Open Source Digital Forensics Conference (OSDFCon) 2018. In the presentation he walks attendees through new Autopsy features around messaging, email, and chats. You can download it here.  

Signatures are dead, or so we’re told. It’s true that many items that are shared as Indicators of Compromise (file names/paths/sizes/hashes and network IPs/Domains) are no longer effective. These rigid indicators break at the first attempt at evasion. Creating resilient detections that stand up to attempted evasion by dedicated attackers and researchers is challenging but possible with the right tools, …

Most people know the Shadow Brokers leaked (supposedly) stolen NSA cyber tools, which lead to some of the most significant cyber security incidents of 2017. But in addition to targeting NSA, the Shadow Brokers have also targeted a few individuals in our community. Hear about the history of the Shadow Brokers and the implications of their actions for infosec and …

Test evidence lies at the heart of our field. We need to be able to test our tools to make sure that they parse data correctly. New hires and students need to have their knowledge tested and challenged in a controlled environment. How do you create realistic, believable, and effective scenarios to test forensic evidence? After spending several months putting …

Full Disk Encryption (FDE) may be rather useful as a defense mechanism against potential theft of a computer system. However, when the system is compromised and requires careful forensic analysis, FDE can be quite painful to forensic analysts. Unless you deal with standard and widely supported encryption such as LUKS, Bitlocker, TrueCrypt or few others, it might really hard to …

In every case you work on, someone is asking you to get answers faster but without introducing more human error. Depending on the case, there are “go to” artifacts that help us to quickly answer basic questions. As the questions get more complicated so can the analysis. Oftentimes, the need arises to correlate multiple artifacts to get a more accurate …

In an age where data breaches and malware infections are quickly becoming the norm, we must prepare for Digital Forensics and Incident Response (DFIR). Most DFIR talks and advice discuss what to do once an incident has occurred. Instead, this talk provides Security Architects, System Administrators, SOC teams, and management new techniques and advice to supercharge their IR capabilities by …

In an age where data breaches and malware infections are quickly becoming the norm, we must prepare for Digital Forensics and Incident Response (DFIR). In doing so, there are many things that System Administrator, Enterprise Defenders, and Security Operations Centers can do proactively to not only enhance the security of an organization, but also assist the DFIR personnel in performing …