Dr Mike Cohen
[Velocidex Enterprises]
Dr. Michael Cohen has over 20 years of experience in applying and developing novel incident response and digital forensics tools and techniques.

He has previously worked in the Australian Department of Defence as an information security specialist, at the Australian Federal Police specializing in digital forensics, network and memory forensics. In 2010 he joined Google, where he created tools in support of the incident response team.

Michael has recently founded Velocidex Enterprises - the company behind Velociraptor - an advanced DFIR and endpoint visibility tool.

Tutorial: Hunting at scale with Velociraptor

Have you ever wondered how many of your endpoints were already compromised? Once you detected compromise have you dreaded the long and tedious task of remediation? Did you wish for your security solution to be super automated?

Welcome to the age of Velociraptor - the new advanced DFIR visibility tool everyone has been talking about! Velociraptor is powered by a flexible and powerful query language, allowing you to rapidly go from an advisory or a new hunting idea to getting actionable data in minutes. Then you can leverage the power of Velociraptor's remediation and detection capabilities to ensure the compromise is cleaned up and never happens again!

This workshop is an introduction to hunting and incident response with Velociraptor for information security professionals. You will download and install Velociraptor, then deploy a new deployment and become familiar with the GUI. Experience the power of scaling a hunt across a large network (over 1,000 endpoints). We then continue to post process the data to quickly identify anomalies.

We cover the basics of modern DFIR techniques exposing artifacts such as process analysis (VAD, Mutants, Handles), low level NTFS analysis ($I30 carving, timelining, recovery of deleted files), evidence of execution (prefetch files, amcache, SRUM) and event log collection and analysis.

Some of the scenarios we cover include;

1. A domain account was compromised. Where did the attacker laterally move to?
2. Malware was delivered via a phishing email. Were other users in the domain compromised by the same malware?
3. Uncovering common malware persistence mechanisms tied to the Att&ck network.

This workshop will be hands on and include examples you should run on your own windows VM. All you need to participate is a Windows VM (e.g. a cloud instance).

Secure your place today!