Sniper Forensics - One Shot, One Kill

Presented at DEF CON 18 (2010), Aug. 1, 2010, 4 p.m. (50 minutes)

At one time, computer forensics consisted of pulling the plug, imaging everything in sight, loading those images into EnCase or FTK, and hoping you can "find the bad guy stuff". As computer hackers have become more resourceful, the complexity of computer forensics has likewise increased exponentially. Add to that the growing size of data storage devices, and it becomes infeasible to even consider imaging tens or hundreds of terabytes, let alone load those images into EnCase or some other forensic software. So what's the answer? How can incident responders hope to remain relevant in today's operating environment? With Sniper Forensics! Live Analysis tools and techniques have exploded onto the incident response scene in the last two years. By gathering and reviewing volatile data and RAM dumps, incident responders can use time-proven theories like "Locard's Exchange Principle", "Occam's Razor", and "The Alexiou Principle" to identify and target only the systems that are part of the breach. What used to take hours of analysis can now be done in minutes! What used to take weeks can now take days! By using sound logic and data reduction based on forensic evidence extracted from Live Analysis, incident responders can introduce accuracy and efficiency into their case work at a level not available through any other means. This is truly the cutting edge of modern computer forensics, and not something to be taken lightly! Don't miss the opportunity to learn tips, tools, and hear real-world examples of how Live Analysis is literally changing the landscape of modern forensics! This information is CRITICAL for all incident responders and computer forensic analysts! It combines cutting-edge forensic tools and techniques with time-proven principles. Successful integration of the material contained in this presentation will, without question, reduce the time spent on cases and increase accuracy! It's a targeted approach to forensics which I have dubbed "Sniper Forensics", rather than the old-school "Shotgun Forensics" approach.

Presenters:

  • Christopher E. Pogue A.K.A "Big Poppa ReverShell" - Senior Security Consultant, Trustwave SpiderLabs
    Chris Pogue is a Senior Security Analyst for the SpiderLabs Incident Response and Digital Forensics team at Trustwave. He has over ten years of administrative and security experience, including three years on the IBM ISS X-Force Emergency Response Services Team, five years with IBM's Ethical Hacking Team, and 13 years of active military service in the US Army Signal Corps. Chris has also worked with local, state, and federal law enforcement agencies such as the New York Police Department, the Royal Canadian Mounted Police, the Federal Bureau of Investigation, and the United States Secret Service to help pursue the digital evidence left behind by criminals of all types. His efforts have led to arrests and convictions in Oklahoma, New York, Florida, Albania, and Germany. Chris holds a Bachelor's degree in Business Management and a Master's degree in Information Security, and is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), a Certified Reverse Engineering Analyst (CREA), a GIAC Certified Forensics Analyst (GCFA), and a VISA PCI DSS Qualified Security Assessor (QSA).