TUTORIAL: Digital Forensics and Incident Response in the Cloud

Cloud technologies have made it easier for organizations to adapt rapidly to changing IT needs. Teams can acquire (and destroy) new computing resources at the press of a button, which provides a very flexible deployment environment. While this capability is generally useful, it comes at the cost of increased management overhead and, in particular, a degraded security posture. Traditionally, IT managers had visibility into organizational inventories and could use this information to enforce org-wide standard operating environments (SOEs), institute patching regimes, and so on. With the advent of cloud computing, however, every team can create new VMs and containers on a whim for both production and development use, typically based on the cloud service provider's SOE offering.

In this tutorial we explore open source tools available for managing cloud deployments. In particular, we look at the endpoint monitoring solutions provided by Google's Rekall Agent and Facebook's OSQuery and how these can be integrated into typical cloud deployments. Delegates should walk away from this tutorial able to install and manage a cloud deployment of Rekall Agent and OSQuery on their VM endpoints.

These solutions allow administrators to gain insight into their enterprise-wide deployment. For example, one could ask questions such as:

- What is the current patch level of all my cloud VMs and containers for each software package? Which VMs are in need of patching?
- Which VMs have been created recently, and do they comply with minimum security hardening standards?
- Who has remote access to my VMs? E.g. via ssh authorized_keys? Via the cloud IAM security policy?
- Do any VMs contain a particular indicator of compromise? E.g. run a YARA signature over all executables on my virtual machines and tell me which ones match.
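As an added illustration (not material from the tutorial itself), the following osquery SQL answers several of the questions listed above when run through osqueryi or a scheduled query pack; the table names are osquery's built-in tables, while the package names, the /usr/local/bin path and the rule-file path are assumed placeholders. The cloud IAM policy question is answered from the provider's API rather than from the endpoint and is not shown.

```sql
-- Added example: osquery queries for the endpoint-inventory questions above.
-- Table names are osquery's own; package names and file paths are placeholders.

-- 1. Current patch level per package (Debian/Ubuntu hosts).
--    On RHEL/CentOS hosts query rpm_packages instead of deb_packages.
SELECT name, version, source
FROM deb_packages
WHERE name IN ('openssl', 'openssh-server', 'sudo');   -- placeholder package list

-- 2. Recently created hosts (booted less than a day ago) together with their
--    OS version, for comparison against a hardening baseline.
SELECT o.name, o.version, o.platform, up.days, up.hours
FROM os_version o, uptime up
WHERE up.days < 1;

-- 3. Who has SSH access: every authorized_keys entry joined to its local account,
--    so a key added to an unexpected user shows up next to that user's home directory.
SELECT u.username, u.directory, a.key_file, a.algorithm, a.key
FROM users u
JOIN authorized_keys a USING (uid)
ORDER BY u.username;

-- 4. Run a YARA signature over executables: the yara table requires both a path
--    constraint and a sigfile (or sig_group / sigrule) constraint.
SELECT path, matches, count
FROM yara
WHERE path LIKE '/usr/local/bin/%'                 -- placeholder directory to scan
  AND sigfile = '/etc/osquery/yara/ioc.yar'        -- placeholder rule file
  AND count > 0;
```

Run centrally through a fleet manager, each query's result set is returned per host, which is what turns these single-endpoint queries into the enterprise-wide view the tutorial describes.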