18 Demo: Client searching Search Box Server Statistics
19 Exercise: Finding clients Find all the windows clients Find the client that has a user gladstone - When was it installed? Find client OS release breakdown stats
20 Solution: Finding clients Top left search box: - windows - gladstone or user:gladstone (faster) Install date: First Seen in client summary line (note all times are UTC) Show statistics -> Clients -> All -> OS Release Breakdown
21 Smart Server, basic client Time travel backwards Faster build/fix/deploy Less updating Simpler backwards compatibility Leak less intent
22 Server Frontends pass messages Workers do the real work Everything is asynchronous Queue work on the server GRR Cronjobs perform regular tasks
23 Datastore Abstracted: easy to switch MySQL Advanced SQLite (sharded) Versioned Data -> axis of time
24 Demo: Settings Datastore.implementation Client.control_urls Note: lines highlighted in blue are modified from defaults.
25 Demo: VFS browse and download Refresh, recursive refresh Multiple versions of /etc/lsb-release Download new version Text/Hex views
26 Exercise: VFS time travel On client-ubuntu-trusty-m a malicious modification has been made to /home/gcastle/. bashrc What was it?
27 Solution: VFS time travel Browse Virtual Filesystem -> fs -> os -> home > gcastle ->.bashrc Click Age window and download latest and oldest. Diff. Find LD_PRELOAD line.
28 GRR It s a botnet essentially
30 Authorization, Auditing 2-party authorization for machine access DB logging Audit events Approval s with justifications
31 Demo: Flows/hunts run recently Show Statistics -> Server -> Flows Hunts
32 Fast, reliable, remote. Advanced live forensics at scale.
33 Be really really good at collecting Filesystem/Registry artifacts (Sleuthkit) Memory artifacts (Rekall) From difficult-to-specify locations
34 Demo: Running FileFinder Search by: path, name, contents (literal / regex), time For matches: download, hash, send to socket, just report existence
35 Exercise: FileFinder Pick a windows machine and: - Get a list of all DLLs (*.dll) in C: \Windows\System32 - Get the partition boot sector C:\$BOOT Windows API will hide this! Requires TSK - There is a file containing the string "malware" in C:\Temp. Try to find it.
41 Memory Acquisition Drivers for Win and OS X Linux is trickier: - /proc/kcore - or driver per kernel
42 Demo: Memory Collector Download a small chunk of memory
43 Exercise: Grep raw memory On a windows client, use the Memory Collector to find a short string (eg. svchost ) in memory and inspect the context. Use action NONE Also, just get the FIRST_HIT, not all of them
44 Solution: Grep memory Memory->Memory Collector Condition: Literal match, FIRST_HIT Action: NONE (reports the literal match and some context)
45 Memory Forensics Memory analysis framework Built into GRR client Live memory analysis
46 Demo: lsmod on ubuntu
47 Exercise: Rekall lsof Get a list of file handles from raw memory on a ubuntu machine Use lsof plugin
61 Collection Problems We mostly want to collect the same things, but: - Too many details to remember - No good way to share - Too much duplicate code
62 As seen in the wild HardDrive\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default\History HKU\S xxxxxxxxx-xxxxxxxxx-xxxxxxxxxxxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLoca tion /Users/<user>/Library/Mail Downloads/ /home/user/.local/share/trash/
63 What do I do with these? HardDrive\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default\History HKU\S xxxxxxxxx-xxxxxxxxx-xxxxxxxxx- xxxx\software\microsoft\windows\currentversion\uninstall\dropbox\installloc ation /Users/<user>/Library/Mail Downloads/ /home/user/.local/share/trash/
64 Common language for interpolation %%users.localappdata%%\google\chrome\user Data\*\History HKEY_USERS\%%users.sid%% \Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation %%users.homedir%%/library/mail Downloads/ %%users.homedir%%/.local/share/trash/
66 Artifact repository: get it here ~200 artifacts: github.com/forensicartifacts/artifacts Independent and reusable by any tool Used and maintained by us Review, bug reports, patches very welcome
67 Demo: Collect Run Keys
68 Exercise: Artifact Collector Linux machines are beaconing to sysupdate81. appspot.com Suspect malicious cronjob Use AllLinuxScheduleFiles artifact to download cron files Download results, find malicious one Which machines was it on?
69 Solution: Artifact Collector Hunt Manager -> + -> Collectors -> ArtifaceCollectorFlow AllLinuxScheduleFiles GenerateZip Download, unzip: grep -r sysupdate * find -type l -ls grep [hash match from grep]
70 What s coming Event triggered collection, powerful API Usability improvements Simple cloud server deployment More data export options
71 Great, how do I try it? Run the server docker image Open a browser Download and install the client on a machine
GRR Rapid Response Practical IR with GRR OSDF 2013 Darren Bilby, Joachim Metz - Google Agenda Presentation: GRR Architecture Presentation: Hunting Exercise 1: Installation and doing something useful Break
GRR Rapid Response An exercise in failing to replace yourself with a small script. Darren Bilby - Digital Janitor - Google Tech Lead Incident Response / Forensics Agenda Why GRR? What we built Demo 1 Key
Forensic and Log Analysis GUI David Collett I am not representing my Employer April 2005 1 Introduction motivations and goals For sysadmins Agenda log analysis basic investigations, data recovery For forensics
Agent - OSDFCon 2017 We will remember it for you wholesale! Michael Cohen firstname.lastname@example.org is an open source project released under the GPL. It is not an official Google product, and does not
Well, That Escalated Quickly! How abusing the Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers. Michael Cherny @chernymi Sagie Dulce @SagieSec
Registry 9 Data and Management System Registry 9 is a complete and fully integrated statistical data and metadata management system using. Whether you require a metadata repository supporting a highperformance
ForeScout CounterACT Core Extensions Module: IOC Scanner Plugin Version 2.2 Table of Contents About the CounterACT IOC Scanner Plugin... 4 Use Cases... 5 Broaden the Scope and Capacity of Scanning Activities...
Reducing the Cost of Incident Response Introduction Cb Response is the most complete endpoint detection and response solution available to security teams who want a single platform for hunting threats,
Docker Swarm installation Guide How to Install and Configure Docker Swarm on Ubuntu 16.04 Step1: update the necessary packages for ubuntu Step2: Install the below packages to ensure the apt work with https
OPENSTACK: THE OPEN CLOUD Anuj Sehgal (email@example.com) AIMS 2012 Labs 04 June 2012 1 Outline What is the cloud? Background Architecture OpenStack Nova OpenStack Glance 2 What is the Cloud?
Distributed CI: Scaling Jenkins on Mesos and Marathon Roger Ignazio Puppet Labs, Inc. MesosCon 2015 Seattle, WA About Me Roger Ignazio QE Automation Engineer Puppet Labs, Inc. @rogerignazio Mesos In Action
Here to take you beyond EMBEDDED LINUX ON ARM9 Weekend Workshop Embedded Linux on ARM9 Weekend workshop Objectives: Get you exposed with various trends in Embedded OS Leverage Opensource tools to build
Git Ľubomír Prda IT4Innovations firstname.lastname@example.org email@example.com VCS Version Control System Versioning - creation and management of multiple releases of a product, all of which have the same general
Kubernetes The Path to Cloud Native Eric Brewer VP, Infrastructure @eric_brewer August 28, 2015 ACM SOCC Cloud Na*ve Applica*ons Middle of a great transition unlimited ethereal resources in the Cloud an
Exercises Cacti Installation and Configuration Exercises Your Mission... Install Cacti Create device entry for your local router Create device entries for your local servers Create entries for class router
Version Control Ken Bloom Linux User Group of Davis March 1, 2005 You ve probably heard of version control systems like CVS being used to develop software. Real briefly, a version control system is generally
Database Developers Forum APEX 20.05.2014 Antonio Romero Marin, Aurelien Fernandes, Jose Rolland Lopez De Coca, Nikolay Tsvetkov, Zereyakob Makonnen, Zory Zaharieva BE-CO Contents Introduction to the Controls
White paper How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis AhnLab, Inc. Table of Contents Introduction... 1 Multidimensional Analysis... 1 Cloud-based Analysis...
Andrew Pollack Northern Collaborative Technologies English is the only (spoken) language I know I will try to speak clearly, but if I am moving too quickly, or too slowly, please make some kind of sign,
SECURITY AUTOMATION BEST PRACTICES A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1 Introduction The best security postures are those that are built
Version 1.0 October 2016 OSS Remote Firmware Updates for IoT-like Projects Silvano Cirujano Cuesta Unrestricted Siemens AG 2016 Siemens About me Software Engineer at Siemens Embedded Linux Corporate Competence
Advania Fall Conference Securing the Modern Data Center with Trend Micro Deep Security Okan Kalak, Senior Sales Engineer firstname.lastname@example.org Infrastructure change Containers 1011 0100 0010 Serverless Public
Manually Java 7 Update 21 64 Bit Windows Oracle strongly recommends that all Java SE 7 users upgrade to one of these releases. created with javadoc versions included with JDK 5u45, 6u45, 7u21 and earlier.
Oracle Application Express: Administration 1-2 The suggested course agenda is displayed in the slide. Each lesson, except the Course Overview, will be followed by practice time. Oracle Application Express:
Verified Boot: Surviving in the Internet of Insecure Things Randall Spangler Chrome OS Firmware Lead Introduction Who am I? Chrome OS firmware engineer since 2009 Co-architect of the Chrome OS verified
Reporting with MunkiReport John Eberle (@tuxudo) and Rick Heil (@refreshingapathy) John: Mac Admin @ University of Pittsburgh @tuxudo @tuxudo github.com/tuxudo Rick: Senior IT Manager @ Myelin @refrshingapathy
Table of Contents Logging In... 2 Adding Your Google API Key... 2 Project List... 4 Save Project (For Re-Import)... 4 New Project... 6 NAME & KEYWORD TAB... 6 GOOGLE GEO TAB... 6 Search Results... 7 Import
The Long Road from Capistrano to Kubernetes Tobias Schwab, Co-Founder of PhraseApp Slides: http://bit.ly/cap-to-kube How to deploy Ruby on Rails? Deploying Ruby on Rails required on all servers: OS + system
Human-Computer Interaction Design COGS120/CSE170 - Intro. HCI Instructor: Philip Guo, Lab TA: Sean Kross Lab 1 - Version control and HTML (2017-10-06) by Michael Bernstein, Scott Klemmer, Philip Guo, and
Computer Forensics (CFRS) 1 COMPUTER FORENSICS (CFRS) 500 Level Courses CFRS 500: Introduction to Forensic Technology and Analysis. 3 credits. Presents an overview of technologies of interest to forensics
Contact Details and Technical Information GetData Forensic Pty Ltd GetData Forensics USA Suite 204 1007 North Sepulveda Blvd # 1543 13a Montgomery St Manhattan Beach, CA 90267 Kogarah NSW 2217 USA Australia
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
NGFW Security Management Center Release Notes 6.3.4 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 5 New features on page 5
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
Comodo Dragon Software Version 20.0 User Guide Guide Version 20.0.070312 Comodo Security Solutions 525 Washington Blvd. Jersey City, NJ 07310 Table of Contents 1. Comodo Dragon - Introduction... 4 2. System
An Overview of Search Engine Hai-Yang Xu Dev Lead of Search Technology Center Microsoft Research Asia email@example.com July 24, 2007 1 Outline History of Search Engine Difference Between Software and
1 Android & iphone A Comparison Stefan Tramm JUGS, Jahresevent 2008-12-11 2 Agenda I Situation II Comparison III Essence 3 Situation before 2007 Three platforms J2ME Symbian Windows Mobile all the same
Our Mission: Increase Volunteerism in our Public Schools Make Volunteer Coordinators and Board and Committee Members jobs as easy as possible. Improve Communication within the School Population related
CloudI Integration Framework Chicago Erlang User Group May 27, 2015 Speaker Bio Bruce Kissinger is an Architect with Impact Software LLC. Linkedin: https://www.linkedin.com/pub/bruce-kissinger/1/6b1/38
Zenoss Resource Manager Planning Guide Release 6.0.1 Zenoss, Inc. www.zenoss.com Zenoss Resource Manager Planning Guide Copyright 2017 Zenoss, Inc. All rights reserved. Zenoss, Own IT, and the Zenoss logo
3CX Mobile Device Manager Manual 1 Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: firstname.lastname@example.org Information in this document is subject to change without notice. Companies names and data used in examples
Agent vs Agentless Log Collection Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct, or indirect
Tetration Overview Mike Herbert Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion
Cloud Contact Center Software Five9 Plus Adapter for Agent Desktop Toolkit Administrator s Guide September 2017 The Five9 Plus Adapter for Agent Desktop Toolkit integrates the Five9 Cloud Contact Center
Developing and Testing Java Microservices on Docker Todd Fasullo Dir. Engineering Agenda Who is Smartsheet + why we started using Docker Docker fundamentals Demo - creating a service Demo - building service
Copyright RES Software Development B.V. All rights reserved. Commercial Computer Software documentation/data Restricted Rights. RES and RES ONE are registered trademarks and service marks of RES Software
Cyber Security, Big Data and Risk Mark Seward, Sr. Director, Security and Compliance, Splunk In-Depth Seminars D24 CRISC CGEIT CISM CISA AGENDA Why are attacks successful? How does big data help Changing
Linux Essentials Linux Essentials is a professional development certificate program that covers basic knowledge for those working and studying Open Source and various distributions of Linux. Exam Objectives
WebSphere Puts Business In Motion Put People In Motion With Mobile Apps Use Mobile Apps To Create New Revenue Opportunities A clothing store increases sales through personalized offers Customers can scan
How Disaster Recovery Works Technical White Paper How Disaster Recovery Works THE TECHNOLOGY BEHIND CLOUDENDURE S ENTERPRISE-GRADE DISASTER RECOVERY SOLUTION Introduction Disaster Recovery is a Software-as-a-Service
Introduction to Information Retrieval http://informationretrieval.org IIR 20: Crawling Hinrich Schütze Center for Information and Language Processing, University of Munich 2009.07.14 1/36 Outline 1 Recap
Baremetal with Apache CloudStack ApacheCon Europe 2016 Jaydeep Marfatia Cloud, IOT and Analytics Me Director of Product Management Cloud Products Accelerite Background Project lead for open source project
@joerg_schad Nightmares of a Container Orchestration System 2017 Mesosphere, Inc. All Rights Reserved. 1 Jörg Schad Distributed Systems Engineer @joerg_schad Jan Repnak Support Engineer/ Solution Architect
Using AWS to Build a Large Scale Dockerized Microservices Architecture Dr. Oliver Wahlen moovel Group GmbH Frankfurt, 30. Juni 2016 The moovel Group GmbH Our vision is an ecosystem that simplifies mobility
INSTITUTO SUPERIOR TÉCNICO DEPARTAMENTO DE ENGENHARIA INFORMÁTICA FORENSICS CYBER-SECURITY MEIC, METI Lab Guide III & IV Case Solving: Mr. Informant Case 2015/2016 email@example.com 1 Introduction
Components in Joomla Instructor for this Workshop Web Development School of Arts and Sciences TABLE OF CONTENTS Welcome... 4 What is Joomla?... 4 What is a Component?... 4 Joomla Weblinks... 5 Sample Use
CNIT 127: Exploit Development Ch 18: Source Code Auditing Updated 4-10-17 Why Audit Source Code? Best way to discover vulnerabilities Can be done with just source code and grep Specialized tools make it
Real-time, Unified Endpoint Protection Real-Time, Unified Endpoint Protection is a next-generation endpoint protection company that delivers realtime detection, prevention and remediation of advanced threats
WatchGuard Dimension v2.0 Update 2 Release Notes Build Number 483146 Revision Date 13 August 2015 On 13 August 2015, WatchGuard released Dimension v2.0 Update 2. This update resolves an issue that caused
OWASP BUCHAREST APPSEC CONFERENCE 13 OCTOBER 2017 The OWASP Foundation http://www.owasp.org N different strategies to automate OWASP ZAP The OWASP Zed Attack Proxy Marudhamaran Gunasekaran Zap Contributor
ImageTag, Inc. 2016 Contents Introduction... 2 Logging Into Your KwikTag Client... 3 KwikTag Tabs and Your Landing Page... 4 Drawers Tab Features and Functions... 7 My Lists... 7 The KwikTag Library...
Docker 101 Workshop Eric Smalling - Solution Architect, Docker Inc. @ericsmalling Who Am I? Eric Smalling Solution Architect Docker Customer Success Team ~25 years in software development, architecture,
January 28 29, 2014San Jose Open Network Linux A Common Linux Platform for OCP Switches Rob Sherwood Big Switch Networks CTO Outline Proposed in November OCP workshop Goal: Common community target à faster
containerization: more than the new virtualization Jérôme Petazzoni (@jpetazzo) Grumpy French DevOps - Go away or I will replace you with a very small shell script Runs everything in containers - Docker-in-Docker
9 Reasons To Use a Binary Repository for Front-End Development with Bower White Paper Introduction The availability of packages for front-end web development has somewhat lagged behind back-end systems.
ObserveIT 7.1 Release Notes In This Document About This Release... 2 New Features and Enhancements... 2 Backward Compatibility... 3 New Supported Platforms... 3 Resolved Issues... 4 Known Issues... 4 Limitations...
Improving the Magento 2 Developer Experience Alan Kent Magento Chief Architect Consistent Magento 2 Feedback I have been working on some larger Magento 2.1 EE solutions for a few months now and I really
Data Onboarding Where Do I begin? Luke Netto Senior Professional Services Consultant @ Splunk September 26, 2017 Washington, DC Forward-Looking Statements During the course of this presentation, we may
AMGA metadata catalogue system Hurng-Chun Lee ACGrid School, Hanoi, Vietnam www.eu-egee.org EGEE and glite are registered trademarks Outline AMGA overview AMGA Background and Motivation for AMGA Interface,
Microsoft Cloud Workshop Containers and DevOps Hackathon Learner Guide September 2017 2017 Microsoft Corporation. All rights reserved. This document is confidential and proprietary to Microsoft. Internal
ISLET: An Attempt to Improve Linux-based Software Training Jon Schipp, AIDE 2015 firstname.lastname@example.org, @Jonschipp, jonschipp.com About me: Security Engineer for the National Center for Supercomputing Applications
A New Era of Thinking How to Secure Your Cloud with...a Cloud? Eitan Worcel Offering Manager - Application Security on Cloud IBM Security 1 2016 IBM Corporation 1 A New Era of Thinking Agenda IBM Cloud
Man-In-The-Browser Attacks Daniel Tomescu 1 About me Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team MSc. Eng. @ University Politehnica of Bucharest OSCP, CREST CRT Interests:
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access