SANS DFIR Webcast -- Cache Me If You Can!

Описание: by   / 505forensics  

"Malware can hide, but it must run" are legendary words for any forensic investigator to live by. As we peek days, weeks, months, sometimes even years back in time, what artifacts are available to help us determine if malware did run? If only there was a native artifact that contained execution information...but wait, there is! In this talk, we will examine Windows execution artifacts including the ShimCache, RecentFileCache, and the newer Amcache hive found in Windows 8 and 10. We will examine the structures of these artifacts, as well as the different points of information recorded by each. Lastly, we will also discuss ways for the forensic investigator to include these artifacts in their investigation, including various parsing tools and analysis techniques.

Want to hear more from Matt?

Join him and other speakers at the Data Breach Investigation Summit & Training. The most effective way to improve your readiness and strategy in combating risk and the damage that results from even a minor compromise. The courses will provide you hands-on, immersion training on what it takes to identify, respond, investigate and defend against data breaches in your organization. And, you'll be able to collaborate with fellow attendees facing similar sets of challenges during the complimentary lunch and learns and @Night sessions. Hear from industry renowned speakers, providing you with actionable knowledge of new trends and best practices to help reduce your risk of advanced threats. Learn more and register.
Speaker Bio

Matt Bromiley

Matt has over 4 years experience in incident response, digital forensics, threat intelligence, and network security monitoring. He recently joined the team at Mandiant, a FireEye company, where he finds himself working with some of the best and brightest in the industry. His skills include disk, database, and network forensics, incident response/triage, and log analytics. Matt has helped organizations of all sizes with their forensics and IR needs, from local banks to large, multinational conglomerates. He also has a passion for Mac & Linux forensics, as well as building scalable analysis tools utilizing free and open source software. Matt's passion for DFIR helps him explore new topics with hopes of addressing previously unanswered questions. Along with traditional database forensics, Matt has also presented on NoSQL forensics, including platforms such as MongoDB and Elasticsearch.

When not jamming with the console cowboys in cyberspace, Matt can be found with his new daughter, wife, 2 dogs, and sometimes hidden in a cloud of sweet, delicious smoke of a Texas BBQ pit.