Old Dog, New Tricks: Forensics with PowerShell
- Jared Atkinson
- Tuesday, October 13th, 8:15pm - 9:15pm
Recent intrusion into the networks of organizations like Office of Personnel Management, Sony, JPMorgan Chase, and British Airways have shown that the question isn't "if" your organization will be targeted, but "when". With these attacks and many others in recent years, incident response teams have had to rapidly change tactics from the "image-and-forget" methodology to live box forensics and containment. During these engagements, forensic analysts must actively track and monitor an adversary in their network while preventing the adversary from recognizing detection but most tools are not up to the job. PowerShell brings the flexibility and in-memory nature to defenders to tackle live threats.
In this talk, I will cover how my project, PowerForensics, can provide the Digital Forensics/Incident Response community with an all in one toolset for attack response and investigation. By leveraging PowerShell's access to the Windows API and .NET framework, PowerForensics provides investigators with a forensically sound "live" investigation platform without the need to image the hard drive. I'll cover the background and overview of PowerForensics, including how its various capabilities can facilitate the investigation of advanced actors at scale. Finally, I'll cap off with a complex demo, showing how PowerForensics can help blue teams investigate the real attacks they're now facing. PowerShell isn't just for the red team anymore.
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
- Master's Degree Presentation: Presentations given by SANS Technology Institute's Master's Degree candidates.
Monday, October 12
Tuesday, October 13
Wednesday, October 14
|Tunneling, Pivoting, and Web Application Penetration Testing||Gordon Fraser - Master's Degree Candidate||Wednesday, October 14th, 6:15pm - 6:55pm||Master's Degree Presentation|
|The NEW 2015 CISSP exam was implemented on April 15, 2015. Are you ready for the new exam?||David R. Miller||Wednesday, October 14th, 7:15pm - 8:15pm||SANS@Night|
|Sushi-grade Smartphone Forensics on a Ramen Noodle Budget||Heather Mahalik||Wednesday, October 14th, 8:15pm - 9:15pm||SANS@Night|
Thursday, October 15
|DIY vulnerability discovery with DLL Side Loading||Jake Williams||Thursday, October 15th, 7:15pm - 8:15pm||SANS@Night|