2024-10-23 –, Europe - Main Room
How to become an Incident Response Rockstar?
After conducting hundreds of Incident Response cases, more data is not always better. Focusing on the most relevant forensic data can speed up the investigation process rapidly. In this talk, we will discuss the importance of various event logs to track down lateral movement paths from the attackers, how to find planted (and seemingly legitimate) backdoors, and how you can work smarter, not harder – which also holds true in digital forensics.
As a bonus, we will discuss less-known artifacts like MPLogs and the bitmap cache.
By attending this talk, participants will be better and more efficient Incident Responders as they can focus on key aspects of an investigation.
After this talk, the audience understands the top artifacts evaluated in every incident response case. For example, we will discuss a variety of event logs, starting from the classic Security event logs to the Remote Desktop event logs, to Amcache, Shimcache, Prefetch files, and more.
This discussion will lay the groundwork for how we approach large-scale incident response investigations, how we can track down remote access tools installed by attackers as legitimate backdoors, or how to spot new and unusual services within the environment in no time.
As one must work smarter, not harder, we extensively use the Velociraptor artifact DetectRaptor from Matt Green, which works for Rapid7 now. This Velociraptor hunts will find evil within minutes, allowing the Incident Responders responsible for the investigation to concentrate on other aspects of the case or to dig deeper into the hosts where the detections occurred.
At the end of the presentation, we will discuss lesser-known artifacts like the Defender MPLogs, which can be a goldmine, the bitmap cache, or the SRUM database.
After this talk, the audience understands the top artifacts evaluated in every incident response case. For example, we will discuss a variety of event logs, starting from the classic Security event logs to the Remote Desktop event logs, to Amcache, Shimcache, Prefetch files, and more.
This discussion will lay the groundwork for how we approach large-scale incident response investigations, how we can track down remote access tools installed by attackers as legitimate backdoors, or how to spot new and unusual services within the environment in no time.
Speaking of essential event logs, we will discuss the importance of PowerShell event logs and logging, as these are still up to date and frequently used by ransomware groups and APTs.
We will showcase how to find suspicious files, which might point out a staging directory from the attacker, as well as the importance of checking the antivirus logs carefully (which is always my first step into a new investigation).
On the other hand, we will discuss other important forensics concepts like Shellbags and how you can present them to the customer in which directories the threat actor(s) roamed around.
As one must work smarter, not harder, we extensively use the Velociraptor artifact DetectRaptor from Matt Green, which works for Rapid7 now. This Velociraptor hunts will find evil within minutes, allowing the Incident Responders responsible for the investigation to concentrate on other aspects of the case or to dig deeper into the hosts where the detections occurred.
At the end of the presentation, we will discuss lesser-known artifacts like the Defender MPLogs, which can be a goldmine, the bitmap cache, or the SRUM database.
Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.