Dr Mike Cohen
Dr. Michael Cohen has over 20 years of experience in applying and developing novel incident response and digital forensics tools and techniques.

He previously worked in the Australian Department of Defence as an information security specialist, and at the Australian Federal Police specializing in digital, network and memory forensics.

In 2010 he joined Google, where he created tools in support of the incident response team.

Michael has recently founded Velocidex Enterprises - the company behind Velociraptor - an advanced DFIR and endpoint visibility tool.

Tutorial: Enterprise Hunting and Incident Response with Velociraptor

Technical Level (3 being the highest score): 2

The life of an information security professional is a hectic one. It seems like you are fighting fires every day and always behind the eight ball. You know you should be proactively hunting for emerging threats in your network but the tools at your disposal simply do not scale.

You could check each machine individually for hardening and policy compliance, but with many thousands of endpoints deployed it is hard enough just to keep up with the alerts.

This workshop is an introduction to forensic analysis and incident response for information security professionals. We cover the basics of modern DFIR techniques and the artifacts they expose: process analysis (VAD, mutants, handles), low-level NTFS analysis ($I30 carving, timelining, recovery of deleted files), evidence of execution (prefetch files, Amcache, SRUM), and event log collection and analysis.

To illustrate the investigative process we will use a new open source endpoint visibility tool called Velociraptor. Velociraptor implements many advanced DFIR techniques on the endpoint, which lets us demonstrate much of the material hands-on in the limited time available.

Some of the scenarios we cover include:

A domain account was compromised. Where did the attacker laterally move to?

Malware was delivered via a phishing email. Which other users in the domain executed the same malware?

Uncovering common malware persistence mechanisms.

We will begin by reviewing the common forensic artifacts left behind on modern Windows systems. We then consider how these may be used in practice to address common DFIR scenarios.

Finally, we consider how to proactively hunt for attackers using low-level forensic analysis. Using Velociraptor's endpoint monitoring feature we will develop effective monitoring rules that detect future compromise quickly and efficiently.
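As an added example (it is not part of the original abstract and not an artifact from the Velociraptor project): a client event artifact of the kind such a monitoring rule takes, written in Velociraptor's YAML artifact format with a VQL query. It tails the System event log for Event ID 7045 ("a service was installed in the system"), the footprint of one of the persistence mechanisms the workshop covers, and streams one row per new service to the server. The `watch_evtx()` plugin and the `System.*` / `EventData.*` field paths follow Velociraptor's documented artifacts; the artifact name, parameter names and the exclusion regex are my own choices and should be checked against the version you deploy.

```yaml
# Added example, not from the page or the Velociraptor project.
# Client event artifact: watch System.evtx and emit a row for each
# Event ID 7045 ("A service was installed in the system").
name: Custom.Windows.Events.NewService
description: |
  Streams new service installations to the server so that a
  persistence mechanism (a malicious service) is visible as soon as
  it is created rather than at the next scheduled hunt.
type: CLIENT_EVENT

parameters:
  - name: SystemLog
    default: C:/Windows/System32/winevt/Logs/System.evtx
    description: Path to the System event log to watch.
  - name: ExcludeRegex
    # Assumed allow-list for this example; tune it for your environment.
    default: "^(Windows Defender|Microsoft Monitoring Agent)"
    description: Service names matching this regex are suppressed.

sources:
  - query: |
      SELECT System.TimeCreated.SystemTime AS Timestamp,
             System.Computer AS Hostname,
             EventData.ServiceName AS ServiceName,
             EventData.ImagePath AS ImagePath,
             EventData.AccountName AS AccountName,
             EventData.StartType AS StartType
      FROM watch_evtx(filename=SystemLog)
      WHERE System.EventID.Value = 7045
        AND NOT ServiceName =~ ExcludeRegex
```

Load the artifact on the server, enable it in the client event monitoring configuration, and route the resulting rows into whatever server-side alerting you use. A quick check on a test machine is to create a throwaway service with `sc create`; it should show up as exactly one row with its image path, which is the field you will usually pivot on when the same service name appears across many hosts.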

Secure your place now!