
This presentation will describe forensic artifacts that track activity on the NTFS file system, and how to leverage these artifacts during investigations when evidence has been deleted or partially stored in a BB-8. We will discuss artifacts such as the $UsnJrnl change journal, INDX directory index attributes, Windows Defender logs, and the WMI repository's OBJECTS.DATA, and how to use them to determine attacker activity, or find hidden Jedi temples.
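As an added illustration of the first artifact named in the abstract (this is example code written for this page, not code from the talk or from FireEye/Mandiant), the following Python parser walks a buffer of USN_RECORD_V2 entries from $UsnJrnl:$J, decodes the Reason flags, and pulls out every FILE_DELETE record together with the file name and MFT entry it refers to. That is the investigative point of the journal: the delete record survives after the file itself is gone. The sample journal bytes, the file name m.exe, the MFT reference numbers and the timestamps are all constructed for the example.

```python
"""Minimal parser for NTFS USN change-journal ($UsnJrnl:$J) records.

Added example, not code from the talk or from FireEye/Mandiant. Parses the
documented USN_RECORD_V2 layout (winioctl.h) and decodes the Reason bitmask so
a FILE_DELETE entry can be tied back to a name even after the file is gone.
The sample journal bytes below are constructed, not captured evidence.
"""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 Reason flags, in bit order (values from the Windows SDK).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
    0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE",
    0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

# Fixed 60-byte header: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_HDR = struct.Struct("<IHHQQqQIIIIHH")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_reason(reason):
    """Expand the Reason bitmask into flag names; unknown bits are kept as hex."""
    names = [n for bit, n in USN_REASONS.items() if reason & bit]
    unknown = reason & ~sum(USN_REASONS)
    if unknown:
        names.append(hex(unknown))
    return names


def parse_usn_records(data):
    """Yield one dict per USN_RECORD_V2 in a $J buffer, skipping zero padding."""
    off = 0
    while off + _HDR.size <= len(data):
        (length, major, _minor, frn, parent_frn, usn, ts, reason, _src, _sid,
         attrs, name_len, name_off) = _HDR.unpack_from(data, off)
        if length == 0:          # $J is sparse: zero runs sit between records
            off += 8
            continue
        if major != 2 or length < _HDR.size or off + length > len(data):
            raise ValueError("unsupported or truncated USN record at %d" % off)
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield {
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "mft_entry": frn & 0xFFFFFFFFFFFF,   # low 48 bits: MFT record number
            "mft_seq": frn >> 48,                # high 16 bits: sequence number
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "reason": decode_reason(reason),
            "attributes": attrs,
            "name": name,
        }
        off += length


def deleted_files(data):
    """Return (name, mft_entry, timestamp) for every record with FILE_DELETE set."""
    return [(r["name"], r["mft_entry"], r["timestamp"])
            for r in parse_usn_records(data) if "FILE_DELETE" in r["reason"]]


def build_record(usn, ts, reason, name, frn, parent_frn):
    """Build an 8-byte-aligned USN_RECORD_V2; used only for the constructed sample."""
    raw = name.encode("utf-16-le")
    length = (_HDR.size + len(raw) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, frn, parent_frn, usn, ts, reason, 0, 0,
                    0x20, len(raw), _HDR.size)
    return (hdr + raw).ljust(length, b"\x00")


# Constructed sample journal: a tool is created, written, closed, then deleted
# a minute later. The final FILE_DELETE|CLOSE record is all that remains of it.
T0 = 131_000_000_000_000_000                  # FILETIME for 2016-02-15 08:53:20 UTC
FRN = (0x0005 << 48) | 0x1234                 # sequence 5, MFT entry 0x1234
PARENT = (0x0001 << 48) | 0x0005              # root directory reference
SAMPLE_J = b"".join([
    build_record(0x1000, T0, 0x100, "m.exe", FRN, PARENT),
    build_record(0x1050, T0 + 10_000_000, 0x102, "m.exe", FRN, PARENT),
    build_record(0x10A0, T0 + 20_000_000, 0x80000102, "m.exe", FRN, PARENT),
    b"\x00" * 16,                             # zero padding as seen in $J
    build_record(0x10F0, T0 + 600_000_000, 0x80000200, "m.exe", FRN, PARENT),
])

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_J):
        print(r["timestamp"].isoformat(), r["name"], hex(r["mft_entry"]),
              "|".join(r["reason"]))
    print("deleted:", deleted_files(SAMPLE_J))
```

The MFT entry number recovered from a FILE_DELETE record is the pivot back to the $MFT (and to any slack or unallocated copy of that record), and the parent reference is how the path is rebuilt when the directory's INDX entries no longer list the file.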
David Pany (@DavidPany), Consultant, FireEye
Mary Singh (@marycheese), Senior Consultant, FireEye
David Pany (@DavidPany), Consultant, FireEye
David Pany is a consultant in Mandiant's Alexandria, Virginia office. His primary responsibilities include delivering incident response, digital forensic, compromise assessment, and product implementation engagements. Mr. Pany has experience performing forensic analysis using tools such as EnCase and FTK, along with open-source and mobile device forensics tools. He also develops Python-based tools that process forensic artifacts and automate repetitive tasks. His scripts and tools have been integrated into the standard investigative methodologies for payment card breaches and Citrix environments. In addition to providing forensic consulting services, Mr. Pany also assisted in the development of FireEye's product implementation and integration services and methodologies.
Mary Singh (@marycheese), Senior Consultant, FireEye
Mary Singh is a senior consultant with Mandiant with 14 years of experience in the information security field. Mary specializes in forensic analysis, location of information exposure, and EnCase forensic software. She has experience in information operations, intrusion detection, and incident response. While at Mandiant, Mary has investigated over 60 computer intrusions involving the federal government, defense industrial base, and Fortune 500 companies. Prior to joining Mandiant, Ms. Singh conducted attack prevention, detection, and vulnerability assessment in the U.S. Air Force and as a consultant with Booz Allen Hamilton. She shares her experience and knowledge by teaching and presenting at conferences.