We have been teaching forensics and network incident analysis for quite a while. We have investigated a respectable number of cases, and we are not the only ones doing so. Hence, one would expect a certain degree of automation in analysis.

Release cycles somehow lead to the development of a myriad of scripts and tools. If you are into e-discovery or economic and physical crime investigation, you are usually well off with Relativity, Guidance and Nuix. However, if you are asked for the very detail of the latest OS version, face new file systems, or some exotic setup or software, you quickly realize you move in a world where the feature lag of forensic suites hits hard, a pretty UX is no requirement and the command completion feature is your friend.

The same applies when you investigate cyber breaches, be it some Internet-facing systems, refurbished Trojans or more of the targeted and internally spreading sort of code. There is software to dump memory, carve slack space, access shadow copies, extract event logs, open and dump OS-specific database formats, collect configurations; you name it. Large enterprises maintain infrastructure to remotely pull evidence and hunt their mostly homogeneous fleet. However, for the majority of SMEs and their varied environments, we maintain a cram-full toolbox of software of widely varying quality that produces all sorts of outputs you can think of, and even some you can't think of.

That said, we are in continuous search of alternatives, substitutes and improved versions to find a remedy and work towards more automation and collaboration during investigations. Plaso and Timesketch first caught my attention at Swiss Cyber Storm in 2015, and I have kept revisiting them since. I am very thankful that my DFIR colleague, Silas Bärtsch, took the time to come up with a little lesson learned on the current capabilities of the tool suite, which we would like to share with you.