Automating Analysis with Multi-Model Avocados - SANS DFIR Summit 2018

Описание: In every case you work on, someone is asking you to get answers faster but without introducing more human error. Depending on the case, there are “go to” artifacts that help us to quickly answer basic
questions. As the questions get more complicated so can the analysis. Oftentimes, the need arises to correlate multiple artifacts to get a more accurate answer to a complex question. We can sometimes lose the macro focus when reviewing individual artifacts, missing how they all relate to each other to
allow for a deeper and faster understanding of a system. This presentation will provide insight into the importance of tool output, and then look at methods and technologies for automated correlation of forensic artifacts to answer more complex questions. A demonstration will introduce you to one
method that utilizes the multi-model database, ArangoDB, to correlate artifacts and produce reports of more complicated questions such as “What volume serial number does a shellbag entry relate to?”, “What is the timeline of external device usage?”, and “What executables are no longer on the system?”

Matthew Seyer (@forensic_matt), Consultant, G-C Partners, LLC