Doing More With Less: Triaging Compromised Systems With Constrained Resources

A session at the 4th Annual Open Source Digital Forensics Conference & Workshops

  • Willi Ballenthin

Tuesday 5th November, 2013

2:20pm to 2:55pm (EST)

During large scale or time limited investigations, forensic triage analysis yields results that clarify the scope of an engagement faster than deep-dive analysis. But it still doesn’t make sense to capture 5GB when 75MB will do. In this presentation, we’ll discuss which artifacts we’d snipe if there were only 75MB to spend.

To judge the critical artifacts, we’ll review open source techniques that analysts use to efficiently perform triage analysis. We’ll talk about cross-platform tools, including python-registry and a complete suite of Registry analysis utilities, INDXParse.py and its associated GUI-based $MFT explorer, and python-evtx/LfLe.py with their integrated event log viewer. Each section consists of a short explanation of the related artifact, a rapid tutorial of the tool, and a concise case study. We’ll also contrast these approaches with other excellent solutions such as RegRipper, The Sleuth Kit, and libevtx. The ultimate goal is to enable an investigator to review many systems while relying on the capacity of a cheap USB flash drive.

We’ll close the presentation with a discussion of artifacts that are not easily captured or analyzed with limited resources, such as volume shadow copies or memory dumps.

