SANS Asia-Pacific Series: APT Investigations HOWTO - The Forensic Side

  • Monday, 10 Feb 2014 7:00PM EST (11 Feb 2014 00:00 UTC)
  • Speaker: Jess Garcia

We are pleased to acknowledge the Australian Information Security Association (AISA) as the sponsor of this webcast.

APT (Advanced Persistent Threat) incidents, and their corresponding forensic investigations, constitute a big challenge from the technical point of view. It's not easy to deal with an investigation in which dozens or even hundreds of systems have been compromised, and where attackers may use sophisticated strategies to go unnoticed.

Dealing with that complexity often requires deep computer forensics knowledge (on top of a great dose of intuition and creativity), which must be combined and coordinated in a way which is not commonly found in the average Incident Responder: registry, filesystem, memory, timelines/supertimelines, shadow volumes, malware analysis, network forensics, mobile devices forensics, etc.

In this presentation, based on Jess Garcia's experience leading his IR Team at One eSecurity in massive APT investigations during the last few years, he will discuss which tools and techniques are used in a typical APT incident, and how Incident Responders can combine them to get the best results in the real world.