Tuesday 5th November, 2013
2:20pm to 2:55pm
During large scale or time limited investigations, forensic triage analysis yields results that clarify the scope of an engagement faster than deep-dive analysis. But it still doesn’t make sense to capture 5GB when 75MB will do. In this presentation, we’ll discuss which artifacts we’d snipe if there were only 75MB to spend.
To judge the critical artifacts, we’ll review open source techniques that analysts use to efficiently perform triage analysis. We’ll talk about cross-platform tools, including python-registry and a complete suite of Registry analysis utilities, INDXParse.py and its associated GUI-based $MFT explorer, and python-evtx/LfLe.py with their integrated event log viewer. Each section consists of a short explanation of the related artifact, a rapid tutorial of the tool, and a concise case study. We’ll also contrast these approaches with other excellent solutions such as RegRipper, The Sleuth Kit, and libevtx. The ultimate goal is to enable an investigator to review many systems while relying only on the capacity of a cheap USB flash drive.
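The "75MB instead of 5GB" idea above comes down to a priority list and a byte budget: copy the artifacts with the most evidentiary value per byte first (Registry hives, per-user NTUSER.DAT, $MFT, event logs) and stop when the budget is spent. The following is an added example, not code from the talk or from any of the tools it names. It assumes the volume is already mounted or exported read-only at a directory (the $MFT and hives are not readable through the normal file API on a live Windows system), and the artifact ordering, file sizes and 100,000-byte budget are constructed for the demonstration, scaled down so it runs in a temporary directory.

```python
"""Budgeted triage collector: highest-value artifacts first, stop at the budget."""
import glob
import hashlib
import os
import shutil
import tempfile

# Constructed priority list for this example (paths relative to the volume root).
# Registry hives and $MFT come first; the page file is last because it is huge
# and rarely worth the budget on a triage pass.
TRIAGE_ARTIFACTS = [
    "Windows/System32/config/SYSTEM",
    "Windows/System32/config/SOFTWARE",
    "Windows/System32/config/SAM",
    "Windows/System32/config/SECURITY",
    "Users/*/NTUSER.DAT",
    "$MFT",
    "Windows/System32/winevt/Logs/Security.evtx",
    "Windows/System32/winevt/Logs/System.evtx",
    "Windows/System32/winevt/Logs/Application.evtx",
    "pagefile.sys",
]

# Constructed sample volume: file sizes in bytes, scaled down from a real system.
SAMPLE_VOLUME = {
    "Windows/System32/config/SYSTEM": 12_000,
    "Windows/System32/config/SOFTWARE": 30_000,
    "Windows/System32/config/SAM": 2_000,
    "Windows/System32/config/SECURITY": 2_000,
    "Users/alice/NTUSER.DAT": 5_000,
    "Users/bob/NTUSER.DAT": 5_000,
    "$MFT": 20_000,
    "Windows/System32/winevt/Logs/Security.evtx": 15_000,
    "Windows/System32/winevt/Logs/System.evtx": 8_000,
    "Windows/System32/winevt/Logs/Application.evtx": 8_000,
    "pagefile.sys": 500_000,
}


def sha256_of(path):
    """Hash the source file so the manifest doubles as an integrity record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_triage(root, dest, budget_bytes):
    """Copy artifacts in priority order until the byte budget is spent.

    Returns (collected, skipped). An artifact that does not fit is skipped
    rather than aborting the run: a smaller, lower-priority artifact may still fit.
    """
    os.makedirs(dest, exist_ok=True)
    remaining = budget_bytes
    collected, skipped = [], []
    for pattern in TRIAGE_ARTIFACTS:
        for src in sorted(glob.glob(os.path.join(root, pattern))):
            rel = os.path.relpath(src, root)
            size = os.path.getsize(src)
            if size > remaining:
                skipped.append({"path": rel, "size": size})
                continue
            out = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            shutil.copy2(src, out)  # copy2 preserves timestamps on the copy
            collected.append({"path": rel, "size": size, "sha256": sha256_of(src)})
            remaining -= size
    return collected, skipped


def build_sample_volume(root):
    """Lay out the constructed volume on disk with files of the sizes above."""
    for rel, size in SAMPLE_VOLUME.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\x00" * size)


def demo(budget_bytes=100_000):
    """Build the sample volume in a temp dir and run a budgeted collection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "volume")
        dest = os.path.join(tmp, "triage")
        build_sample_volume(root)
        return collect_triage(root, dest, budget_bytes)


if __name__ == "__main__":
    collected, skipped = demo()
    for entry in collected:
        print(f"COPIED  {entry['size']:>7} {entry['path']}  {entry['sha256'][:16]}...")
    for entry in skipped:
        print(f"SKIPPED {entry['size']:>7} {entry['path']}")
```

With the constructed sizes, the 100,000-byte budget takes all four hives, both NTUSER.DAT files, $MFT, Security.evtx and System.evtx (99,000 bytes), then has to skip Application.evtx and the page file. Against a real mounted image, replace SAMPLE_VOLUME with the mount point and set the budget to the drive you actually have; the manifest's hashes are what you would record before the USB drive leaves the scene.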
We’ll close the presentation with a discussion of artifacts that are not easily captured or analyzed with limited resources, such as volume shadow copies or memory dumps.