The document introduces Brian Moran's Live Response Collection tool, which allows digital forensic investigators and incident responders to easily collect important forensic data from Windows systems. The tool runs pre-configured scripts to collect volatile memory, disk images, log files, and other artifacts. It produces standardized output organized by computer name and date in an easy to parse format. The tool is free to use, open source, and can be customized to support additional collection needs or integrated tools.
1. BRIMOR LABS LIVE RESPONSE COLLECTION
or…
How to Leverage Incident Response
Experience for FREE!!
Brian Moran
Digital Strategy Consultant - BriMor Labs
Millersville, Maryland
9 OCTOBER 2015
2. A Brief List of Topics
• Introduction
• Glance into the life of an incident responder
• “Can I do this better, faster, stronger?”
– (All right, not stronger. Just in an easier way.)
• Overview of Live Response Collection
• Questions/Comments
BriMor Labs - 2015
3. The Introductory Introduction
• Hello, my name is Brian Moran
– Hi Brian!
• 13+ years Air Force Active Duty
– 10 years mobile exploitation/DFIR experience
• Co-winner: Unofficial Forensic 4Cast Awards 2012
– Best Photoshop of Lee Whitfield
• Worked here….
5. The Life of an Incident Responder
• Digital Forensics/Incident Response (DFIR) is how I decided to pay the bills.
• First rule of incident response is always expect the EXACT opposite of what a client tells you
6. The Life of an Incident Responder
• For example, clients typically see Incident Responders like this
10. The Life of an Incident Responder
• So we are immediately held to high expectations.
• Then the client describes their problem
11. The Life of an Incident Responder
• How the client makes their network infrastructure sound.
12. The Life of an Incident Responder
13. The Life of an Incident Responder
• Actual undoctored photo of network infrastructure
14. The Life of an Incident Responder
15. The Life of an Incident Responder
• This leads to most DFIR professionals feeling like this.
16. The Life of an Incident Responder
17. The Life of an Incident Responder
• But I digress, a glimpse into my life is not the reason for this briefing
18. Don’t believe marketing hype
• “Oh, we spent $$$ on $Vendor product, so we are safe”
• Any “tool”, regardless of the price, is still a “tool”
25. Remember, attackers are clever too
AKA “Hiding in plain sight”
• Have you checked lately to make sure nothing else is in your expensive cyber security tool folder?
27. Remember, attackers are clever too
AKA “Hiding in plain sight”
– Folder is probably whitelisted from security application scans…which is perfect for malware staging
– Could also be attackers with a sense of humor
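A defender-side check for the “hiding in plain sight” scenario above, added here as an example and not code from the Live Response Collection: it baselines every file under a security tool's folder by SHA-256 and reports anything later added, removed or altered. The folder contents and file names in the demo are constructed.

```python
"""Baseline a (whitelisted) security tool folder and report drift.

Added example for the slide above; not part of the Live Response Collection.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(folder):
    """Map every file under folder (relative path, forward slashes) to its SHA-256."""
    result = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, folder).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def save_manifest(manifest, path):
    """Persist the baseline; keep this copy off the monitored system."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def diff_snapshots(baseline, current):
    """Files that appeared, vanished, or changed content since the baseline."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def _write(path, data, mode="wb"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Constructed scenario: a vendor folder baselined at install time, then altered."""
    with tempfile.TemporaryDirectory() as folder:
        _write(os.path.join(folder, "agent.exe"), b"vendor agent binary")
        _write(os.path.join(folder, "plugins", "scan.dll"), b"vendor scan plugin")
        manifest_path = os.path.join(folder, "..", "baseline.json")
        save_manifest(snapshot(folder), manifest_path)

        # Later: a stray executable appears in the whitelisted folder and a
        # plugin is altered in place. Both are exactly what a scan that skips
        # this folder would never see.
        _write(os.path.join(folder, "plugins", "update.exe"), b"not from the vendor")
        _write(os.path.join(folder, "plugins", "scan.dll"), b"\x90", mode="ab")

        report = diff_snapshots(load_manifest(manifest_path), snapshot(folder))
        os.remove(manifest_path)
        return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```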
28. Can We Build This? Yes We Can!
• Many times we have to collect data from multiple systems, as quickly as we can
• Some tools exist to do this, but I wanted something that was
– Repeatable
– Portable
– Customizable
– Easy to use
– And most importantly….FREE!!!
29. Live Response Collection
• A single, downloadable .zip file that can be run from any location
– Administrative privileges allow collection of more data, but are not necessary
• Major operating systems are currently covered
– Windows (XP, Vista, 7, 8, 10, Server 2003, 2008, 2012)
– OS X
– Unix/Linux
• Development on all platforms is always continuing
• https://www.brimorlabs.com/Tools/LiveResponse.zip
30. Windows Live Response
• Collection of built-in system commands and freely available tools
– Automated memory dump, gateway ARP correlation, network connections, registry entries, Sysinternals, etc.
• The executable presents an easy to understand GUI, so ANYONE can use it!
31. Windows Live Response
• Six options to choose from:
– Secure Complete
• runs Secure-Complete_Windows_Live_Response.bat
– Secure Memory Dump
• runs Secure-Memory_Dump_Windows_Live_Response.bat
– Secure Triage
• runs Secure-Triage_Windows_Live_Response.bat
32. Windows Live Response (cont.)
• Six options to choose from:
– Complete
• runs Complete_Windows_Live_Response.bat
– Memory Dump
• runs Memory_Dump_Windows_Live_Response.bat
– Triage
• runs Triage_Windows_Live_Response.bat
• GUI is just an HTML application, so you can customize the batch scripts (not the names) and the GUI will still work!
34. Complete option
• Complete performs the following items:
– Memory Dump (using Belkasoft RAM Capture)
– Volatile data (using variety of tools)
– Disk imaging (using FTK command line)
• Disk imaging images all mounted drives, with the exception of network shares
– Images will only be created if tool is run from an external (non-OS) drive (i.e. can’t run it from C:)
– Also performs destination free space check prior to each imaging iteration
Processing time depends on number and size of drives
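The two pre-flight rules the Complete option applies before imaging, as an added Python example rather than the tool's own batch code: no images when the tool runs from the OS drive, and a destination free-space check before each drive. The drive inventory is constructed, and the 2% headroom and skipping the destination drive itself are assumptions of this example, not behaviour the slides describe.

```python
"""Pre-flight planner for full-disk imaging, modelled on the Complete option's rules.

Added example; not the Live Response Collection's own code. The drive inventory
below is constructed rather than read from the OS.
"""
from dataclasses import dataclass, field
import shutil

GB = 1024 ** 3


@dataclass(frozen=True)
class Drive:
    letter: str       # e.g. "C:"
    kind: str         # "fixed", "removable" or "network"
    size_bytes: int   # capacity a raw image of the drive would occupy


@dataclass
class ImagingPlan:
    image: list = field(default_factory=list)    # drive letters to image, in order
    skipped: dict = field(default_factory=dict)  # drive letter -> reason


def plan_imaging(mounted, run_from, os_drive, free_bytes_fn, slack_percent=2):
    """Decide which drives get imaged when the tool runs from `run_from`.

    free_bytes_fn() is called before every imaging iteration, mirroring the
    per-drive destination free-space check; bytes already pledged to earlier
    images in this plan are subtracted because they have not been written yet.
    """
    plan = ImagingPlan()
    run_from, os_drive = run_from.upper(), os_drive.upper()
    if run_from == os_drive:
        # Images are only created when run from an external (non-OS) drive.
        for d in mounted:
            plan.skipped[d.letter] = "tool is running from the OS drive; no images created"
        return plan

    pledged = 0
    for d in mounted:
        if d.kind == "network":
            plan.skipped[d.letter] = "network share"
            continue
        if d.letter.upper() == run_from:
            # Assumption of this example: the destination is not imaged onto itself.
            plan.skipped[d.letter] = "destination drive"
            continue
        needed = d.size_bytes + d.size_bytes * slack_percent // 100  # image + headroom
        available = free_bytes_fn() - pledged
        if available < needed:
            plan.skipped[d.letter] = (f"insufficient destination space: need {needed // GB} GB, "
                                      f"have {max(available, 0) // GB} GB")
            continue
        plan.image.append(d.letter)
        pledged += needed
    return plan


def real_free_bytes(drive_letter):
    """Free space on a real destination drive such as "E:" (used outside the demo)."""
    return shutil.disk_usage(drive_letter + "\\").free


# Constructed inventory for the worked scenario.
SAMPLE_DRIVES = [
    Drive("C:", "fixed", 500 * GB),
    Drive("D:", "fixed", 2000 * GB),
    Drive("E:", "removable", 4000 * GB),
    Drive("Z:", "network", 10000 * GB),
]


def demo(free_gb=3000, run_from="E:"):
    """Plan against SAMPLE_DRIVES with a fixed amount of destination free space."""
    return plan_imaging(SAMPLE_DRIVES, run_from, "C:", lambda: free_gb * GB)


if __name__ == "__main__":
    for scenario in (demo(), demo(free_gb=2000), demo(run_from="C:")):
        print("image:", scenario.image, "| skipped:", scenario.skipped)
```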
35. Memory Dump option
• Memory dump performs the following items:
– Memory Dump (using Belkasoft RAM Capture)
– Volatile data (using variety of tools)
• Memory dump can be created using other tools too, but I prefer Belkasoft RAM Capture
Processing time depends on size of memory (15-30 minutes usually)
36. Triage option
• Triage performs the following items:
– Volatile data (using variety of tools)
• Uses a combination of built-in Windows commands and third party tools to gather data
Processing time depends on amount of data to be collected (5 - 15 minutes usually)
37. “Secure” options
• Secure option is used when you want to protect
collected data (Complete, Memory Dump, Triage)
– Randomly generated 16 character password
– Uses 7zip to compress and encrypt the data
– SDelete used to securely delete data – makes data
recovery very difficult (*I will never say impossible)
Remember to copy the password. Without the
password, brute forcing the data is the only way
in!
38. Windows LRC folder structure
• The folder structure has changed to give users
minimal presentation
– This also makes finding the collected data easier
40. Windows_Live_Response/Scripts
• This folder contains all six versions of the
scripts that are run by the Live Response
Collection
– You can edit the contents of the scripts and run
certain tools (or add tools) as long as you follow
the structure and do not change the name of the
script!
42. Windows_Live_Response/Scripts/
Windows Modules
• This folder contains all of the “modules” utilized
by the batch scripts
– Since they share so much code, only having to
maintain one item instead of six is much easier
– Makes customization of LRC for your own
environment even EASIER!!
– Blog post on writing your own module:
http://www.brimorlabsblog.com/2015/09/introducing-windows-live-response.html
44. Windows_Live_Response/Tools
• This is where all of the third party tools are
saved.
– The file “Windows_Complete_Tool_List.xlsx” lists
all of the tools, the download URL, and the date each
tool was updated
– You can add your own tools, but if you do,
remember to update the script(s) accordingly!
45. Live Response Collection Windows
output
• Attempted to give user guidance as much as
possible
– If something may take a while, the script prints a
nice message to the screen
– Tries to be as “polite” as possible!
47. Script output
• Script saves data to a folder with the computer
name and date/time stamp under the folder from
where the script was run
• Two folders and two text files
– “ForensicImages”
– “LiveResponseData”
– COMPUTERNAME_YYYYMMDD_HHMMSS_File_Hashes.txt
– COMPUTERNAME_YYYYMMDD_HHMMSS_Process_Details.txt
49. COMPUTERNAME_YYYYMMDD_HHMMSS_File_Hashes.txt
• Text file containing the MD5 and SHA256 of
every collected/generated file and the full
path to that file
– Excludes “DiskImage” folder
– But does include memory dump, if created
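To show what the hash manifest buys you later in a case, here is an added example (written for this page, not the Live Response Collection's own script) that builds a File_Hashes manifest in the layout the slide describes and then re-verifies the collection against it. Assumptions not taken from the slides: the manifest is tab-separated as MD5, SHA256, full path; the sample collection tree, the host name WKSTN01 and the timestamp are constructed.

```python
"""Added example: build and verify a File_Hashes manifest for a collection folder.

The slides say the manifest covers every collected/generated file (memory dump
included) but skips the DiskImage folder. Everything else here is an assumption
made for this example: tab-separated layout, constructed sample files.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path

EXCLUDED_DIRS = {"DiskImage"}  # excluded per the slide; "Memory" is deliberately not


def output_folder_name(computer_name: str, when: datetime) -> str:
    """COMPUTERNAME_YYYYMMDD_HHMMSS, the per-run folder name the scripts use."""
    return f"{computer_name}_{when.strftime('%Y%m%d_%H%M%S')}"


def hash_file(path: Path, chunk_size: int = 1 << 20) -> tuple[str, str]:
    """Return (md5, sha256) hex digests, streamed so a large memory dump fits in RAM."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(collection_root: Path, manifest_path: Path) -> list[tuple[str, str, str]]:
    """Hash every file under collection_root except the manifest itself and anything
    below an excluded directory; write one "md5<TAB>sha256<TAB>fullpath" line per file."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(collection_root):
        # prune excluded folders in place so os.walk never descends into them
        dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full == manifest_path:
                continue
            md5, sha256 = hash_file(full)
            rows.append((md5, sha256, str(full)))
    manifest_path.write_text("".join(f"{m}\t{s}\t{p}\n" for m, s, p in rows), encoding="utf-8")
    return rows


def verify_manifest(manifest_path: Path) -> dict[str, list[str]]:
    """Re-hash every listed file; report missing files and digest mismatches."""
    report: dict[str, list[str]] = {"ok": [], "missing": [], "mismatch": []}
    for line in manifest_path.read_text(encoding="utf-8").splitlines():
        md5_expected, sha_expected, path = line.split("\t", 2)
        p = Path(path)
        if not p.is_file():
            report["missing"].append(path)
            continue
        md5, sha256 = hash_file(p)
        report["mismatch" if (md5, sha256) != (md5_expected, sha_expected) else "ok"].append(path)
    return report


def demo() -> dict:
    """Constructed collection tree: DiskImage must be skipped, Memory must be hashed,
    and a file altered after collection must show up as a mismatch."""
    root = Path(tempfile.mkdtemp()) / output_folder_name("WKSTN01", datetime(2015, 9, 1, 13, 5, 9))
    (root / "ForensicImages" / "DiskImage").mkdir(parents=True)
    (root / "ForensicImages" / "Memory").mkdir(parents=True)
    (root / "LiveResponseData" / "BasicInfo").mkdir(parents=True)
    (root / "ForensicImages" / "DiskImage" / "C.E01").write_bytes(b"constructed E01 placeholder")
    (root / "ForensicImages" / "Memory" / "WKSTN01_mem.dmp").write_bytes(b"constructed memory dump")
    target = root / "LiveResponseData" / "BasicInfo" / "systeminfo.txt"
    target.write_text("constructed output\n")
    manifest = root / f"{root.name}_File_Hashes.txt"
    rows = build_manifest(root, manifest)
    before = verify_manifest(manifest)
    target.write_text("altered after collection\n")  # simulate tampering, then re-check
    after = verify_manifest(manifest)
    return {"folder": root.name, "rows": rows, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print(result["folder"], len(result["rows"]), "files hashed")
    print("mismatches after tampering:", result["after"]["mismatch"])
```

Running the manifest check again when the collection reaches the analyst (or is handed to an outside consultant, as the last slides suggest) is the cheap way to prove nothing changed in transit; the DiskImage folder is left out because E01 images carry their own verification hashes.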
53. “ForensicImages” folder
• Location where forensic images are stored
– “DiskImage” – location of disk images created by
the script (or manually)
– “Memory” – location of memory dumps created
by the script (or manually)
55. “ForensicImages/DiskImage” folder
• The “Complete” option will store created
image(s) in this folder
– Uses AccessData’s FTK Imager command line to create
an E01 image, with a compression level of “4” and
fragment size of 4096M (4GB)
– Built-in checks to prohibit automated imaging of the
OS drive to itself
– Images ALL mounted drives (except network shares)
• Will not image the destination drive
– Built-in checks to ensure destination drive has enough
free space for image
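The built-in checks on this slide decide, drive by drive, what the Complete option is allowed to image. The planner below is an added example written for this page, not the Live Response Collection's own batch logic: it applies the rules the slide lists (no network shares, never the destination drive, nothing at all when run from the OS drive, and a destination free-space check repeated after every image). Assumptions: the drive records are constructed, and the required space is estimated as the source's used bytes, which is conservative because E01 compression usually produces a smaller image.

```python
"""Added example: pre-imaging checks as a testable planner (not the LRC's own code).

Assumption: image size is estimated as the source drive's used bytes; the
drive list and free-space figures below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Drive:
    letter: str      # e.g. "C:"
    kind: str        # "fixed", "removable" or "network"
    used_bytes: int  # data on the drive (conservative estimate of the image size)
    free_bytes: int  # free space, only relevant for the destination drive


@dataclass(frozen=True)
class Decision:
    letter: str
    action: str      # "image" or "skip"
    reason: str


def drive_letter(path: str) -> str:
    """Reduce a path such as 'E:\\Windows_Live_Response' to its drive letter 'E:'."""
    return path[:2].upper()


def plan_imaging(drives: list[Drive], run_from: str, system_drive: str = "C:") -> list[Decision]:
    """Apply the slide's rules in order. The destination's free space is decremented
    after each planned image, so the check really is repeated per iteration."""
    dest = drive_letter(run_from)
    if dest == system_drive.upper():
        # the tool was started from the OS drive: imaging is disabled entirely
        return [Decision(d.letter.upper(), "skip", "tool is running from the OS drive; imaging disabled")
                for d in drives]
    dest_free = next((d.free_bytes for d in drives if d.letter.upper() == dest), 0)
    decisions = []
    for d in drives:
        letter = d.letter.upper()
        if d.kind == "network":
            decisions.append(Decision(letter, "skip", "network share"))
        elif letter == dest:
            decisions.append(Decision(letter, "skip", "destination drive"))
        elif d.used_bytes > dest_free:
            decisions.append(Decision(letter, "skip",
                                      f"needs {d.used_bytes} bytes, destination has {dest_free} free"))
        else:
            dest_free -= d.used_bytes   # the next drive's space check sees this image
            decisions.append(Decision(letter, "image", f"{dest_free} bytes remain afterwards"))
    return decisions


def demo_external_drive() -> list[Decision]:
    """Constructed host: OS drive, a large data drive, the collection drive, a share."""
    gb = 1024 ** 3
    drives = [
        Drive("C:", "fixed", used_bytes=120 * gb, free_bytes=80 * gb),
        Drive("D:", "fixed", used_bytes=300 * gb, free_bytes=10 * gb),
        Drive("E:", "removable", used_bytes=5 * gb, free_bytes=400 * gb),
        Drive("Z:", "network", used_bytes=2000 * gb, free_bytes=1 * gb),
    ]
    return plan_imaging(drives, run_from="E:\\Windows_Live_Response")


def demo_os_drive() -> list[Decision]:
    """Same host, but the tool was copied to and started from C:."""
    gb = 1024 ** 3
    drives = [Drive("C:", "fixed", used_bytes=120 * gb, free_bytes=80 * gb),
              Drive("D:", "fixed", used_bytes=300 * gb, free_bytes=10 * gb)]
    return plan_imaging(drives, run_from="C:\\Users\\admin\\Desktop\\Windows_Live_Response")


if __name__ == "__main__":
    for decision in demo_external_drive() + demo_os_drive():
        print(f"{decision.letter} {decision.action:5} {decision.reason}")
```

In the constructed run from E:, C: is imaged (400 GB free, 120 GB needed), D: is then skipped because only 280 GB remain, E: is skipped as the destination and Z: as a share. Note that the outcome depends on drive order: imaging the largest drive first would have consumed the space the OS drive needed, so decide the order before starting a Complete run on a host with several large volumes.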
57. “ForensicImages/Memory” folder
• The “Complete” and “Memory Dump” options will
store the created memory dump in this folder
– Uses Belkasoft’s RamCapture to create a memory dump
– Filename:
“COMPUTERNAME_YYYYMMDD_HHMMSS_mem.dmp”
• You can customize and use other tools if you like,
but I’ve had the best experience with Belkasoft
58. “LiveResponseData” folder
• Contains a total of five subfolders
– “BasicInfo” – Various types of system Information
– “CopiedFiles” – Files copied from the system
– “NetworkInfo” – Network information about the
system
– “PersistenceMechanisms” – Ways that items can
persist on the system (cough cough malware)
– “UserInfo” – User information
62. “LiveResponseData/CopiedFiles” folder
• Contains files copied from the system, including:
– Web browser (Internet Explorer, Firefox, Chrome)
– Event Logs
– Logfile
– MFT
– Prefetch
– Registry Hives
– USNJrnl
NOTE: Files are copied into the subfolder associated with the
type of file that was copied
66. “LiveResponseData/PersistenceMechanisms” folder
• Contains information related to persistence
mechanisms on the system including:
– Autoruns
– Loaded drivers
– Scheduled tasks
NOTE: More often than not, if you have an
infected system, you will find the evidence in here
69. What you see is what you get
• Script output is plain-text or html. No unique
obfuscation attempts or proprietary file
formats
– Memory dump, disk image(s), and copied files are
obvious exceptions
• Can write/create your own parsing mechanism
70. Examples of gathered data
• ZeroAccess and POS RAM scraper present in
CurrentVersion\Run output from autoruns
74. Examples of gathered data
• Another POS RAM scraper, running as a
service as its persistence mechanism
– “Funny” story about this malware…ask me after
the presentation!
76. Examples of gathered data
• Poweliks malware present in autoruns output
– Malware is stored entirely in registry key, it does
not “write itself to disk” in a typical fashion
78. Short Case Study
• A user complains their system is running slow
• IT admin runs “Complete” version of the Live
Response Collection…just in case
• Events (sort of) occur in real time
79. Short Case Study
• First stop is the “autorunsc.txt” file. Strange entry
noted under the “CurrentVersion\Run” path.
80. Short Case Study
• “msofficeservice” kind of seems legitimate
• Hmm..maybe not, since the company is
“Google Labs”
81. Short Case Study
• Since we have the hashes, let's do a quick
Google search
82. Short Case Study
• File detected as malicious by VirusTotal
– 23/45 back in 2012
84. Short Case Study
• Since we have the disk image, let’s check out
the folder where the executable resides
85. Short Case Study
• We can mount the image using FTK Imager
Lite (included in the Live Response Collection)
• Browse to “Windows_Live_Response/Tools/FTK_Imager_Lite_3.1.1”
and run “FTK Imager.exe”
103. Short Case Study
• Two files
– msofficeservice.exe
– winrnfsl32.dll
• Maybe the dll is needed by the exe. We can
look at it in the hex editor pane in FTK Imager
108. Short Case Study
– Bonus points for you if you can tell what I was
doing on the last entry!
109. Short Case Study Summary
• We identified a strange file thanks to the
output of autoruns
• Searching for the hash determined the file was
malicious
• A quick check of the folder reveals not only is
the file malicious, it is actually a key logger
111. BONUS: Can use buatapa to
accomplish VirusTotal lookups
• buatapa is a small Python script (based heavily on
Brian Baskin’s noriben) to parse autorun.csv files
generated by autoruns
– Point script at autoruns csv file and let it run
– Attempts to find VirusTotal hits, strange Unicode
characters in paths, and entries similar to Poweliks
• http://www.brimorlabsblog.com/2015/08/publicly-announcing-buatapa.html
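The case study (a strange Run-key entry whose claimed vendor does not match, confirmed by a hash lookup) and the buatapa slide (VirusTotal hits, odd Unicode in paths, Poweliks-like entries) describe the same triage pass over autoruns output. Below is an added example of such a pass written for this page; it is not buatapa and not BriMor Labs' code. Assumptions: the column names follow autorunsc's CSV header as I remember it (“Entry Location”, “Entry”, “Company”, “Image Path”, “Launch String”, “MD5”, “SHA-256”); the CSV rows and their hashes are constructed, and a local set of already-confirmed hashes stands in for the VirusTotal query so the example runs offline. The heuristics are my own approximations of what the slides describe, not buatapa's rules.

```python
"""Added example: triage an autoruns CSV for the indicators the slides mention.

Not buatapa. Column names are assumed to match autorunsc's CSV header; rows,
hashes and the "known bad" set are constructed stand-ins (no real samples).
"""
from __future__ import annotations

import csv
import io
import unicodedata

# Constructed stand-in for a VirusTotal lookup: hashes an analyst already confirmed.
KNOWN_BAD_SHA256 = {"a" * 64: "constructed: keylogger (23/45 detections)"}

# Constructed autoruns output. The third row carries a RIGHT-TO-LEFT OVERRIDE
# (U+202E) in its path; the fourth mimics a registry-resident, file-less entry.
SAMPLE_CSV = """\
Entry Location,Entry,Enabled,Description,Company,Image Path,Launch String,MD5,SHA-256
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Windows Security notification icon,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,%windir%\\system32\\SecurityHealthSystray.exe,{md5_ok},{sha_ok}
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,msofficeservice,enabled,Microsoft Office Service,Google Labs,c:\\users\\bob\\appdata\\roaming\\msofficeservice.exe,c:\\users\\bob\\appdata\\roaming\\msofficeservice.exe,{md5_bad},{sha_bad}
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,updater,enabled,,,c:\\users\\bob\\appdata\\local\\up\u202edexe.scr,c:\\users\\bob\\appdata\\local\\up\u202edexe.scr,{md5_x},{sha_x}
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,(Default),enabled,,,File not found: rundll32.exe,rundll32.exe javascript:constructed-registry-resident-payload,,
""".format(md5_ok="1" * 32, sha_ok="0" * 64, md5_bad="2" * 32, sha_bad="a" * 64,
           md5_x="3" * 32, sha_x="b" * 64)


def suspicious_unicode(text: str) -> list[str]:
    """Names of format/control/private-use code points found in text (e.g. RLO)."""
    return [unicodedata.name(ch, f"U+{ord(ch):04X}") for ch in text
            if unicodedata.category(ch) in ("Cf", "Cc", "Co", "Cn")]


def looks_registry_resident(row: dict) -> bool:
    """Poweliks-style: a Run-key entry with no file on disk whose launch string runs
    script through a Windows binary (my heuristic, not buatapa's)."""
    image = (row.get("Image Path") or "").strip().lower()
    launch = (row.get("Launch String") or "").lower()
    no_file = image == "" or image.startswith("file not found")
    scripted = any(k in launch for k in ("javascript:", "mshta", "rundll32"))
    return "\\run" in (row.get("Entry Location") or "").lower() and no_file and scripted


def vendor_mismatch(row: dict) -> bool:
    """Entry or description claims a Microsoft product but Company says otherwise."""
    claim = ((row.get("Entry") or "") + " " + (row.get("Description") or "")).lower()
    company = (row.get("Company") or "").lower()
    return any(k in claim for k in ("microsoft", "msoffice", "office")) and "microsoft" not in company


def triage(csv_text: str, known_bad: dict[str, str]) -> list[dict]:
    """Return one finding per autoruns row that trips at least one check."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        sha = (row.get("SHA-256") or "").lower()
        if sha in known_bad:
            reasons.append(f"known bad hash: {known_bad[sha]}")
        for field in ("Image Path", "Launch String"):
            names = suspicious_unicode(row.get(field) or "")
            if names:
                reasons.append(f"{field} contains {', '.join(sorted(set(names)))}")
        if looks_registry_resident(row):
            reasons.append("registry-resident launch (Poweliks-like)")
        if vendor_mismatch(row):
            reasons.append(f"vendor mismatch: company is {row.get('Company') or 'blank'!r}")
        if reasons:
            findings.append({"entry": row["Entry"], "location": row["Entry Location"], "reasons": reasons})
    return findings


def demo() -> list[dict]:
    return triage(SAMPLE_CSV, KNOWN_BAD_SHA256)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['entry']} @ {f['location']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed input the legitimate SecurityHealth entry is silent, msofficeservice is flagged twice (confirmed hash plus the Google Labs vendor mismatch from the case study), the updater entry is flagged for the override character hiding its real extension, and the (Default) entry for having no file behind its launch string. A vendor mismatch alone is only a lead, which is why the case study still goes to the hash and then to the disk image.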
114. Checklists for each OS!
• A checklist is included for each operating
system
– Creates starting place for “what” to collect
• You can put your company logo at the top…
• …And you now have an incident response
collection plan for each operating system!
117. Why free?!?!
• Because it saves your business time, money, and resources!
• How?
– Initial data gathering can help you reveal problems without the
need for external consulting
– If you want external help, providing already gathered data can
expedite incident response lifecycle
– Scripts collect data from “common” areas incident
responders/digital forensic analysts look at first
– If the scripts help a DFIR consultant diagnose the issue
remotely, there is no need to pay travel, lodging, incidentals, etc.