Digital Forensics and Incident Response Against the Digital Darkness: An Intro to Forensicating Evil

Presented at DEF CON 31 (2023), Aug. 12, 2023, 2 p.m. (240 minutes)

Are you ready to step into the shoes of a cybersecurity or incident response analyst? Whether you're new to investigation or looking to take your analysis skills to the next level, we've got an exciting opportunity for you! Join mR_F0r3n51c5 and S3curityNerd for a four-hour class that will take you on a journey through the world of malware analysis and investigation. In today's ever-evolving threat landscape, malware continues to be a weapon of choice for various types of threat actors. Our class leverages forensic and malware analysis fundamentals to teach students how to investigate a compromised Windows system. To ensure the most up-to-date learning experience, the class authors have carefully selected fresh malware samples trending in 2023.

By the end of this class, you'll have the skills to:

- Build analysis skills that leverage complex scenarios and improve comprehension
- Practically acquire data in a forensically sound manner
- Identify common areas of malware persistence
- Gather evidence and create a timeline to characterize how the system was compromised
- Participate in a hand-to-keyboard combat capstone where you'll be given an image of a compromised Windows system and demonstrate your newly acquired analysis skills

Don't miss this opportunity to gain hands-on experience and take your analysis skills to the next level. Join us and discover the exciting world of forensic analysis and investigation!

Skill Level: Intermediate

Prerequisites for students:

- Not defined

Materials or Equipment students will need to bring to participate:

- Students will be required to download material (e.g., a Virtual Machine). Students will be given a URL for download access.
- The downloaded virtual machines should be imported into your virtual machine software and ready before the start of class. If any additional technical support is needed, the instructors will make themselves available online.
- Students must have a laptop that meets the following requirements:
  - A 64-bit CPU running at 2GHz or more. The students will be running one virtual machine on their host laptop.
  - The ability to update BIOS settings, specifically to enable virtualization technology such as "Intel-VT."
  - The student must be able to access their system's BIOS if it is password protected, in case changes are necessary.
  - 8 GB (Gigabytes) of RAM or higher
  - At least one open and working USB Type-A port
  - 50 Gigabytes of free hard drive space, allowing you to host the VMs we distribute
  - Local Administrator Access on the system
  - Wireless 802.11 capability
  - A host operating system running Windows 10+, Linux, or macOS 10.4 or later
  - Virtualization software. The supplied VMs have been built for out-of-the-box compatibility with VMware Workstation or Player. Students may use other software if they choose, but they may have to troubleshoot unpredictable issues. Instructors cannot guarantee compatibility with all virtualization software suites. At a minimum, the following VM features will be needed:
    - NATted networking from the VM to the Internet
    - Copy and paste of text and files between the host machine and the VM

Presenters:

  • Michael "S3curityNerd" Register
    Michael Register, known as S3curityNerd, has 7 years of combined experience in IT, Networking, and Cybersecurity. He holds multiple certifications and actively conducts post-exploitation research to enhance threat hunting operations.
  • Michael "mR_F0r3n51c5" Solomon
    Michael Solomon, also known as mR_F0r3n51c5, is a Threat Hunter with over 12 years of experience in Cyber Operations, Digital Forensics & Incident Response (DFIR), and Threat Hunting. His passion lies in helping to shape the next generation of cybersecurity analysts for a safer tomorrow.