
CG - Yes, You Too Can Perform Daring Acts of Live Acquisition - D0n Quix0te

BSides Las Vegas · 48:24 · 21 views · Published 2016-12
About this talk
CG - Yes, You Too Can Perform Daring Acts of Live Acquisition - D0n Quix0te Common Ground BSidesLV 2015 - Tuscany Hotel - August 05, 2015
Transcript (en)

reminders later today there is going to be an auction or online there's the the silent auction that y'all should take a look at later today there's going to be a raffle out here in the chill out area and just like to take a moment thank all the sponsors for you know providing this venue and all the cool stuff all the speakers they're coming to do all this and without further Ado it's Mr Don kote he's here to talk about all the stuff that y'all are here to listen to so before we get started I have a tradition in my talks I've been doing this for 30 years uh back when I was at at lock we

used to do this um I like to hand out marshmallows um to to the crowd guys can pass them around take them eat them if you like the way that we use them at Lockheed and the way that I like to use them is I have a tendency to get really detailed into things and waste a bunch of time on a specific subject uh I encourage you to if you want to eat the marshmallows by all means eat them if I get too detailed into something and I've gone off the off the rails uh throw them at me so um I've only been pelted once uh so I think I'm actually getting better at this the pseudonym that I go uh under is

uh don kote you can reach me at uh Omen scan on Twitter or omcan gmail.com if you'd like to uh send me an email tell me how much you either liked or hated this talk uh um right now I'm doing Global incident response at Live Nation uh which I refer to as the coolest company on the planet uh really really great company to work for I'm having a great time working there uh I had to say that because there are some Live Nation people here uh no but honestly really I I enjoy that working for this company a lot prior to that I was 6 16 years at Nasa and uh then I did nerd for hire for

a while and then prior to that seven years at Lockheed um please don't add those all up um my uh background is in arching architecting and defending high value targets uh especially when I worked at Nasa um firewalls IDs web filtering vulnerability management I wrote fsma security plans did incident response essentially anything that had to do with security my disclaimer um I don't speak for anyone I work for or have worked for or will work for this talk is not endorsed uh approved or liked by anybody I have ever worked for ever uh in fact these opinions are mine and I might be wrong and I reserve the right to change my mind so before we get into the meat of

the of the presentation I I want to Define some terms um you'll hear these terms used a lot and and and they're very broad terms so I'd like to narrow them a little bit just for the purpose of this talk for the purpose of this talk we're going to say an artifact is a digital item or Remnant that's produced by actions taken on a digital digital device uh we're going to say forensics is the process of identifying extracting and analyzing evidence analyzing the artifacts uh from digital devices live acquisition which is mostly what we're going to talk about today is uh extracting digital artifacts from a live running system system and then deadbox a term that I'm sure most of you have

heard is essentially extracting the digital artifacts or doing analysis on a system that has already been shut [Music] down uh so again before we get started into the meet I I want to make sure that we understand a few things about this talk um incident response and forensics they're difficult and complicated things after seeing this presentation won't make you an incident responder um so if you suspect a crime has been committed uh on a on an endpoint get someone qualified to look at it you don't want uh someone who's committed a crime to get away with it because the evidence has been uh destroyed or has not been gathered in in a in a manner that will hold up in court

um make sure you either have or get permission to pull forensics to pull artifacts off of a workstation you don't want to think you're doing a good thing and then get fired for it right um so again this is not a forensics class or or an inent response class uh having said that let's talk about some of the really cool free tools that you can use to gather artifacts from a workstation um a workstation has malware on it or you've been asked to look at a workstation that's doing something funny uh and you know that this is not going to go to court this is not uh going to be a digital crime uh and and so you want to look at

this this workstation and see what's happen um actually before I talk about that I'd like to make a quick a quick comment I just thought about this before I started talking my grandfather had a big bucket of screws that he kept in his garage and whenever something would break we would ask Grandpa to to fix it and he would get this big bucket had brackets and screws and all sorts of things in it and it was amazing that he was able to fix almost anything with this big bucket of of of just metallic stuff and and that's kind of what I'm going to talk about all of these tools that are freely available that can be put together to to gather

forensics to learn information about what's happened on a workstation all these little pieces that can be put together uh to create sort of a cohesive way of gathering information about about what may have happened on a on a workstation um when we talk about live box versus deadbox the first thing that we need to determine is are we going to shut this thing down if we're going to do live acquisition we need for the machine to keep running if we don't if if there's something really bad happening and just pulling the the plug out of the wall or or turning it off from the from the switch is not going to be enough if we want that machine shut

down immediately you're not going to be able to get live artifacts you're not going to be able do live acquisition so you're going to lose the volatile artifacts memory connections uh the the existing connections it turns out when you do live box and deadbox Analysis many of the artifacts are actually the same some will be lost though so uh when you're looking at doing a live acquisition you're looking at gaining those artifacts that would be lost when you would shut that machine down um Gathering artifacts either live box or dead box they're often the same artifacts and many of them use actually the same utilities but just just different options we're going to focus primarily

on live acquisition today there are a lot of really really good Windows tools for Gathering artifacts Gathering forensics on a Windows machine problem is finding them is hard uh and once you find them there's going to be a lot of trial and error to figure out what do I want repeatable when I go up to a machine what options do I want to run this this utility with um and it turns out many of these utilities are vertical they're very specific uh so you need many utilities to gather many artifacts there's not one single utility that will just give you all the information you want um so what I'm going to talk about here is not only Gathering the artifacts

but creating the toolkit to gather those artifacts and part of creating a toolkit to do that is to know where the utilities are at and to download them now you can use a web browser you could search Google you could do all manually but once you know where these utilities are you can actually create a toolkit uh create a a script that creates the toolkit automatically downloads the utilities and unzips them from the the websites of the researchers that provide them for us um for that I like using curl um you may find a different utility that you like better uh I like curl a lot and then info zip these are both free uh curl will download uh HTTP do

HTTP downloads uh and info zip will unzip them so we have all these utilities but we we don't want to walk walk up to a workstation with a handful of utilities and have to type them all in so we want to take everything and put it into a cohesive repeatable and understandable process and to do that we script it we script all the utilities together now the problem with scripting is that we run into something called observers Paradox observers paradox is this concept that by observing something you actually change it and this is what we find when we're doing live acquisition when we do an acquisition on a machine we are actually changing that machine so we

want to think about something called order of volatility what are our most volatile artifacts what are the things that are most likely to change and gather those first the easiest example is let's say I'm at a workstation I want to gather uh I want to dump the memory I want to gather um registry I want to copy the registry I want to uh get the log files each one of those you need a program to run to to do that acquisition so the first thing you want to do is acquire the memory because if you're loading three programs into memory you've modified memory three times rather than modify memory three times grab the memory first then if you modify

memory later you're not worried about it you've already grabbed memory so uh order of volatility is something to be concerned about when you do this I usually try to grab everything I can um you may run into issues of how much time you have available or how much disk space you have available uh I run into both of those and so when I run into that the artifacts I gather I gather are the ones that I think are most likely to need so let's talk about specific artifacts first Gathering memory two great utilities uh win pm and memorize first utility uh this is all free software that I'm talking about um win PM can be downloaded from the Google

recall repo in GitHub uh it's my favorite utility because it's really easy easily to script it's really easy to script and it's really easy to download so if you're creating a toolkit to download uh these utilities uh this is very easy man Manion also provides um a great utility called memorize Works consistently well I've used it for years very good very good uh utility for grabbing memory but it does have some idiosyncrasies that make it um a little a little bit um less desirable than than win PM in in my mind others may feel differently there are a few others there was a new one I saw by magnet forensics I think uh that looked really good I've played with it a

little bit um but these two uh are are the ones I use consistently uh side note volatility uh is a is a free piece of software you can use to then um uh analyze the the memory dumps that you've created um it's it volatility is a wonderful piece of software whether you're Vol volatility is free but if you had to pay for it it would be worth it uh just a tremendous piece of software so the next artifact that we're interested in is dis uh dis artifacts right so the primary thing that you're going to be interested is something called the mft the master file table um turns out uh not only in Windows but in a lot of operating

systems there are some areas of the dis that just really aren't meant to be copied um so there are no native or common ways to do that so we need people like um I'm probably going to butcher his name I think it's it's pronounced waim shik uh J shik he he uh provides a a free utility called raw copy uh this will copy both the mft and the and the dollar log file uh from uh and he also provides another utility called extract usn Journal which will extract the usn journal the dollar J that's uh that's a an ads an alternate data data stream uh in the in the windows ntf FS file system um these these three artifacts sort of

form the the the indexing and journaling system of NTFS so primarily the N the mft is this database index of all of the metadata for all the files in in NTFS so file create time file um modified time all the the file Flags uh now it turns out the mft is is database is in that it grows and when a file is deleted the entry is not actually deleted in the mft it's just marked for reuse so if you have a very large mft and there isn't much activity on the system MF mft entries for files and directories on the system can last a very long time days weeks months so when you're looking at

what may have happened on a workstation even though the file may have been deleted there's still be maybe an mft entry for it NTFS is a logging uh a journaling file system so the dollar log file and the usn journal form the uh the the journaling system again uh just to just to reiterate uh J shik's uh GitHub repository provides these utilities raw copy and extract usn Journal that can that can gather those artifacts um oh um and uh just a a quick note these are raw artifacts this would not be human readable um you need some other utility to then look at that data uh there's a great piece of free software a& JP it's free for

non-commercial use if you're going to use it for commercial use please pay for it but it can read in the mft log file in the usn journal and then give you uh timeline of the activity on on your system I typically don't do that I I'm old school I like to do things manually so after I after I gather the mft I I like to put it into a human readable format comma separated values and then uh import it into a spreadsheet and do manual analysis um for that there's a great piece of software called mft dump this is provided by the malware Hunters if you do Google search you'll be able to find it it will take this raw mft and

and parse it into a comma separated value that you can then do analysis on it however you normally would do your analysis I use a spreadsheet but but uh whatever will read comma separated values will read this data and you can do analysis on it um GMG systems uh also provides a set of utilities called FAU forensics acquisition utilities uh volume dump is the is the utility but it's in a set of utilities there's a whole bunch of stuff in it uh and it will also parse the usn journal into a human readable format uh this this artifact um a utility is actually Pro provided by Microsoft a native Windows utility called fsutil and it will also parse the

usn journal dump it so that you can uh you can it's human readable uh so the next set of artifacts we're going to look at our systems information um probably everyone in the room here knows about CIS internals um I love their PS tools uh CIS internals just provides just tons of really great utilities uh in this case we're just going to talk about PS info which is in this set of tools PS tools uh it will give you system information on a live running system PS list give you information on the running processes and then another uh utility I don't believe it's in PS tools I think it's a separate CIS internals utility called handle will

give you all of the open file handles on on a running system extremely useful utility um within Windows there are also some really useful native utilities uh SC service control I think that stands for uh but s the SC query command will give you service information task list another native utility will give you running process and service information and then on everybody's favorite uh Network information utility [Music] netstat okay so the registry now registry has a lot of moving Parts um so I'm going to try and not be confusing about this uh I've tried to break it into pieces uh and I hope it's not too confusing so registry can be thought of as basically two

pieces the user registry and the system registry uh user registry we typically uh refer to the hive HKC H Key current user uh that is in a file called ntuser.dat within each user's uh user profile the system registry that's that's applicable to the whole system is in system 32 config the four main files that that we usually look at there are more but but the four four main files we usually look at are system Sam security and software uh that's the name of the file within uh system 32 config when we're doing a live acquisition those files are open and active so we can't copy them um we have to consider this when we're trying to

figure out how we're going to gather the information that's in the system registry we have to consider some other unusual issues with the registry namely that one of the main hives we're interested in is something called current control set that Hive doesn't actually exist it's it's a symbolic link to one of two other registry hives either called control set one or control set two when a system is running current control set is just a pointer to one of those two sets of registry entries the way we know uh if we were doing deadbox analysis the way we would know which one was being used is this registry ENT entry uh hqy local machine system select

current it will say it's using either control set one or control set two so um when we look at acquiring uh the the registry we're not going to be able to copy uh any of those any of those files and the the registry Hive itself current control set we have to understand is not actually in the registry so how do we deal with this well when we look at the registry we have really three sort of pieces to this we can copy the registry or duplicate the registry in its raw format in its unhuman read in its machine readable format we could parse the registry which would put it in human readable format the problem with parsing the

registry is you lose the metadata so what are we concerned about when we do analysis what what is this what is the metadata we're concerned about turns out the registry keeps track of the last time a registry key was written so if we if we duplicate the raw registry information and then analyze it we will get this metadata we will be able to find out when the last time each key was written and that can be very useful when trying to build a timeline to figure out what transpired on this machine uh but parsing the the registry into a human readable format also has value so if we want to since we can't copy the files and we want them in a raw

format we can use a native Windows utility uh called reg regg allows you to do two things it allows you to do a reg save and a reg export reg save essentially duplicates the the registry Hive that you're interested in looking at it will preserve the metadata if you just want the key value pairs you could do a registry export and uh and do analysis just on that so if you do a registry save and you get this this raw format you're still eventually want to going going to want to see the the data human readable format so doing deadbox analysis or doing analysis on on the artifact that you've gathered using the raw artifact you've gathered using uh

registry save there are two extremely good utilities reg file export is uh freely available by noft it will parse the hives from this from the raw registry data and reg Ripper the most excellent reg R Ripper by harlon Carvey um you can run this against um the the raw registry data that you've gathered and it will give you the last right time Las I'm sorry Las oh okay uh the next uh artifact that we're going to be interested in oh I'm doing great okay good the next uh artifact we're going to be interested in is the event logs these ter turn out to be very easy to acquire uh under system 32 wi EVT logs

you could just use a regular dos copy to copy this data um one thing you do have to be aware of a little idiosyncrasy is if you're using Windows native tools on a 64-bit system system 32 doesn't really exist it's called CIS native but you can refer to system 32 and and it will work um my Microsoft will will map everything over to system 32 however when you're writing your own utilities you have to know that you're actually you actually want to grab the artifacts from CIS native when you uh want to parse those event logs into a human readable format another tremendous CIS internals tool PS log list uh I like I like this utility a

[Music] lot so other artifacts we're going to be interested in when we do live acquisition the prefetch information so Redwolf computer computer forensics provides a utility called parse prefetch info um I guess you can guess what that utility does but it will take the prefetched data uh in a Windows system and parse it into uh I parse it into comma separated values and then uh I can import them into um a uh spreadsheet and do analysis on it Nur soft excuse me I'm going to get drink of water [Music] here Nur soft also provides some other really good utilities last activity view very very cool utility will essentially go through all the common areas in a window system where

where activity information is stored in the registry in the event logs in the prefetch it'll go through all of those areas and then create one file of all the activity that's happened on your system and uh some of this activity can go back years this is a really really really cool Tool uh he also provides um piece of software called user assist view this will give you the last time and count of the system of the the program that were run on on the system uh and then a browsing history view all available again from noft uh this will take the four major browsers Internet Explorer Firefox Chrome and Safari and it will go through the history F uh the

history data of all of these utilities of all of these browsers and put them into one cohesive uh file to be analyzed uh turns out when you're doing analysis on machines uh it's not uncommon at all for someone to use multiple browsers on on a machine so having one view of the history of all four browsers can be really useful uh one other thing real quick uh you'll notice that we might be gathering the same forensic artifacts from multiple places um this is is also really important and help because when you're trying to build to reconstruct what happened on a workstation if you have an artifact that says something happened that's useful if you have two artifacts from two

separate uh two separate areas of the operating system that tell you the same thing happen then you have corroboration you're you're far more likely to be on the right path if multiple artifacts corroborate uh what what you believe may have happened on that Workstation so last thing I'm going to talk about is a piece of software called Aire which I'm uh releasing today we talked about all of these utilities that we want to be put to be scripted and to consider uh you know the volatility of those artifacts um for that to be repeatable for things to be put in the same place when you run the you when you run when you gather the artifacts if you have a

script that does this you don't want artifacts from one of your Acquisitions to step on artifacts of another acquisition so what I wanted to do was to create a scripting Tool uh and framework so that you could script all of these Utilities in in the most beneficial way and to add things into the scripting language that you wouldn't see in a normal scripting language and and I'll talk about that in just a minute so was the problem I was trying to solve um if you've worked with any incident responders um you know that eventually every incident responder creates a script to do this I've seen these scripts in batch files um VB script uh Powershell uh Pearl uh they

can they can come in all sorts of all sorts of flavors and Fashions um what I have not found uh is a script that helps you build the toolkit now why is that important it turns out that after many years I had all sorts of stuff in my scripting toolkit I wasn't sure where I got it from I wasn't using it anymore I wasn't sure if I still needed it um toolkits can get you can lose track of your toolkit very quickly uh so I wanted to create a utility that not only ran acquisition but allowed you to build the acquisition toolkit itself and and thus kind of self-d doent itself so I also wanted to create create a common

framework I wanted to create a utility that wouldn't matter whether I was sitting at the box or I was doing an acquisition over the network so I wanted to create a common framework where all the files were stored in the same place every time I ran an acquisition a new directory was created uh so these are things that you have to think about when you're when you're writing your own scripting uh when you're scripting your your your own live acquisition toolkit so I wanted to build a scripting language or a scripting framework that automatically did all that and a couple other things that I'll talk about and I also wanted it to be able to

pull artifacts uh from from deadbox from a a mounted drive so what are some of the things you do over and over again uh that you just don't find in common scripting languages you can put them in scripting languages you can download a hashing program you can set your artifacts to read only but typically you're going to always do that so why not build it in so some of the common things I wanted to do was when I downloaded the program the the the the scripting the this the set of of scripting uh commands to create the toolkit I wanted to Hash the programs not just hash the data when I do the acquisition but hash the programs

themselves when I when I create the scripting toolkit now why why is that important because when I do the acquisition I also built into the into the into the scripting language automatic logging so now I'm I've I've I've I have the hash or the the program I downloaded when I run the acquisition I hash the program is this the same program that I downloaded or has something changed right this helps with non-repudiation so yes I'm sure that the program I downloaded is the program that gathered this artifact when I ran the toolkit uh I wanted to do local and remote acquisition and I wanted to set the artifacts to read only so I may be the only person in the room

that's ever done this but I have opened an artifact and accidentally resaved it it's the same artifact but now I've put into question my non-repudiation I've changed the time stamp I can prove that it's the same thing I can rehash it but why do that why not just have the scripting utility when it grabs the artifact set it to readon so you don't make the mistake yeah think the algorithms that no I'm just do using md5 but this is open source if you want to change it by all means uh and I'm encouraging people because trust me you guys are smarter than I am so I'd like to get as many people involved to do as many things to

this as possible yes [Music] origal the the original I'm sorry readwrite you you're you're changing something in the metadata by setting it to read only are you keeping track of what it originally was whether it was read only or not well it's going to be read right because you're Gathering the artifact you're writing the artifact so it's a new file so you're not making original file any original I'm sorry file the original file was a file or WR you're not maintaining that knowledge no no it's it's just automatically sent to set to read only but it's a good point so you know maybe we have to give some thought to that yeah absolutely that's why I'm

here uh I wanted to for focus on order volatility I wanted to self-documented toolkit but the actual creating of the toolkit I wanted it to be open source and I wanted it to be compiled uh to minimize the impact on memory so it's it's written in C GCC uh W it's windows it's available on GitHub you can download it now there's an install file if you would just like to run it uh the source code is there if you would like to modify it uh download it test it uh and then by all means send me emails because I am absolutely sure I have not thought of anything and some of the things I have thought of

um others may may have a different opinion on it and uh and I'm I'm totally open to changing it to to whatever makes sense um some of the things I'd like to do in the future I'd like to see it become more move more towards a repository model so when I say that I mean right now I'm going out to someone's website I'm downloading their their uh zipped utility I'm unzipping it and I'm putting it uh in a directory to to then run it at some later time what I'd like to see is a is a more a more sort of codified this is where you get the utility this is how you do it um that of

course we'll take um we'll take uh cooperation from the people that create the utilities but uh I'm willing to have those discussions to say you know can we make it easier to to get these utilities and and download them uh the other thing that I've been playing with a little bit now is um throwing it up onto a cloud drive and then doing a remote acquisition by running it both both running the utility and saving the artifacts uh out to out to to Cloud to make it essentially available to to anybody that would want to use it so in your environment you would you would have a small script that would map out to the to this this Cloud

area and could then run the the acquisition on the workstation I think that's a good model it's really really really slow it's not practical right now but uh again um I'd be absolutely willing to hear some input about that yeah so from this on um for a live act do you have to consider any impact that that tool set might have on the actual post itself yeah so this is why one of the reasons why I want to see this become uh the the question is does the acquisition impact the workstation itself um it's going to impact the workstation in whatever way the person that wrote the utility you know however they wrote it so if they write to to to

disk it's going to impact the dis it's going to impact memory I mean you're running a program it's going to impact memory uh so those are conversations that i' I'd like to start having can we can we as a community work on a utility that considers that important right or are we just going to take a bunch of utilities stick them in a batch file and run them right so I think it's a a better conversation to say hey let's build this let's build this framework and let's think think those things through [Music] I one what yeah do you it is current state do you think it would be a viable alternative to something like an in

case no no this isn't this isn't going to replace uh commercial software um could I see that a possibility in the future as much as I would say volatility is really sort of the sort of the standard now um I think with enough Community involvement with enough thought about you know how do we acquire these artifacts in a way that will hold up in court have we thought this through um yeah I think it could be a very viable but in its current state no no it's it's just the beginning of that yeah investigation why do you prer doing an on an actual live system relying on like a software control for like read only um to preserve Integrity to your

dis image as opposed to um creating like a DD image of the disc and mounting do um analysis plus doing like a memory snapshot of the life system in conjunction with analysis on like a DD image plus analysis of the memory snapshot right so yeah so really good question what is the essentially I'm paraphrasing but why why focus on live acquisition versus deadbox analysis why not image the drive or pull the drive um couple of Reason couple of things first of all I don't have a preference I do both right Locker yeah right to use a forensic Bridge yeah so pull the drive use a forensic Bridge uh to ensure that you're not modifying uh the drive in any

way uh essentially deadbox analysis I I don't have a preferences a preference over live box versus deadbox but in many cases um first of all you're going to lose volatile artifacts if you're just using deadbox so go ahead so you do dead box analysis but at the same time when you acquire the hard the hardware that you're doing analysis on you do a memory snapshot of that and then you do analysis of the memory snapshot separately as in addition to your dead box right I think you have the ability to preserve the Integrity of the uh drive that you're doing uh-huh that as to just working on the light box right okay so um you know

again, I want to be clear, I don't have a preference over one or the other, but what I will say is I've run into many circumstances where I could not do a deadbox acquisition: a very large RAID drive; a situation where you went in and it's a production system, you've got two hours, you're not going to be able to acquire a drive in two hours.

How do you ensure that the integrity of the disk you're doing analysis on in the live setting is not [at risk] any more than in deadbox analysis? I mean, in deadbox analysis you're working with an image read-only.

But you have no guarantee, even in

deadbox analysis, that that data has not been modified in any way. All you can say is, when you hash, all you're saying is I'm sure of it from this point forward. But knowing what happened before, whether those artifacts are trustable or not, an actor on that machine could have modified those artifacts.

I'm talking about you as the forensic investigator tainting the artifacts.

So again, setting the artifacts to read-only to make sure that you don't modify them, always working on a copy of them, don't work on your... I mean, again, this is not an IR class, so to go through all of the reasons, all of

the ways that you would preserve integrity, that you would prove in a court that those artifacts are the artifacts that were acquired, that's way beyond this talk.

On that one, most of his work, you know, in Europe... [we] have responders in locations, so I need David to go and do an investigation on a particular machine that doesn't contain [inaudible] data, but I find out what's happened, report. And also David can't get access to drives in Europe because [inaudible] tricky, so he goes in, gets what he can. There's ways to do it, though. There's ways to do it locally: if you have a site that's isolated from your incident response

team, you can do stuff like have the help desk person, using runbooks, either dd it for you and take a memory snapshot of the system, and then send those over to you through the internal network or the network that you have. You can also have them do a live system too; so you can take the disk out, put it into a Linux box read-only, and then the investigator can conduct their investigation over [that], as I say.

Yeah, and again, what he's really saying is that there are some situations where deadbox just doesn't make sense; it's either not practical or it's

not even legal. So in those cases, you know, this is our second-best method. I'm

sorry.

If the drive is encrypted, when you turn the system off you potentially lose all access to it anyway, and then if you use the write blocker and dd the drive, you just get trash; you can't use anything. So you have to [do]

your analysis [live].

Yeah, those are questions that are really beyond this; those get into, again, the analysis. I have had to do analysis on encrypted drives, and so you have to use some very specific techniques to do that, but that is not a decision of whether you want to do live box or deadbox. But it is certainly, when you're doing incident response or forensic analysis... I mean, if I get a disk drive and it's encrypted, my first reaction is "oh no." So, you know, you do what you can do.

Amazon WorkSpaces? Yes, yeah, so Amazon also. Right, right. Was that about

WorkSpaces? [Inaudible] on WorkSpaces, I think, come across [inaudible].

It really sucks. It is the challenge, yeah. Yeah, they need to work on [that]. So again, you know, I think probably everyone in the room is getting sort of a feel for how many questions you have when you're doing this, and you make [decisions] through either your experience or through working with the folks that are really expert in those technologies, to say, what can we do here? And again, time is often an issue. I have been to places where we wanted to acquire the whole hard drive, but we had two hours and it was a hard stop. It wasn't, well, you know, we really

don't want to give it up in two hours; it's: our business shuts down at this time and comes back up at this time, and if you don't get your data in two hours, that's your problem. So in those cases you make the best of what you have; gather the forensics that you can gather.

Questions? What a lively group, man, that's awesome. Any more questions for Don? All right, yeah.

I have a challenge. One of the response, forensics challenges is having to explain to non-technical folks the time investment it takes to conduct a forensic analysis. It could take one minute, one week; there's no way to really quantify it. Do you have any [advice]?

Okay, so here's what I

would say, and I'm probably going to get in trouble because people I work with are here, but here's my best answer to that. As long as I've been doing incident response and forensics, I've always taken it from the approach of driving policy. So here's the thought: if I'm going to gather forensics and do analysis on this workstation, am I going to be able to convince people that they should change their behavior? Right? So when you're looking at it, what you're essentially saying is, what is the value of spending 16 hours on this drive to tell you exactly what happened, rather than just wiping the drive and starting over?

Right? The value is that in several circumstances we've had recurrent issues that incidents have been able to show were based on the way we were doing business. So if this happened twice, it happened three times, the forensics over and over show that we need to change something. Now you can say to the organization, look, we are more secure because we have proven it; we didn't come to you and say theoretically people could do this, we're saying this has happened and we need to change what we're doing. And so you show your value, that you have had impact on your workstation, or you have had impact on your organization and have

driven a more secure way of doing business.

So you're talking about doing a root cause analysis?

Root cause analysis, and then you find out how the compromise [happened], or whatever forensic investigation you're doing, and then doing a feedback loop into, for example, your detection mechanisms and making sure that that doesn't happen again. Even if you're not doing a feedback loop into your other tools, that's good, but even if you're not doing that, write a report. Write a report and make sure people read it, and at the end of that report say, this is what we learned from this investigation and this is what should be

changed. And I cannot stress how valuable that is. You've read my reports; what do you think?

Pretty long. They are long; they're very long and far too detailed for... also, I've [had] a lot of good recommendations. So one thing I always [inaudible] David about is he'll give a lot of recommendations, necessary on capabilities we actually have in the [inaudible], but I think the recommendations of value for when I take that to the business, I say, this is what we found, these are recommendations, these start working through that. So he's not just looking at it from these

[inaudible]. Are you going to see a lot of patterns that come out of these forensic investigations?

Yeah, yeah. Other questions? Thank you. Thank you, David. All right, thank you. [Applause]

All right, thanks, everybody, for coming. Awesome. Just a reminder about the silent auction... let me shut this off. The pool party later tonight, [inaudible] minutes, and here at seven for the closing ceremonies. They're going to