BSidesPGH

Training Thursday June 21st at Left Field!
Conference Friday June 22nd at Rivers Casino!

BSidesPGH is a volunteer-run information security conference held in Pittsburgh. Security BSides is a global series of community-driven conferences presenting a wide range of information security topics.


TRAINING


Please register for our full day of training here. Cost is $50.


BSides Pittsburgh is offering a day of training to sharpen your InfoSec skills. The base requirements for the day are yourself and a laptop with wireless connectivity and a VM platform (we suggest VMware Player). See the prerequisites section of each training below for more specific requirements.

Note: Course fees cover the training space and resources. Our training is volunteer run, and lunch will be on your own.

9:00-11:00   Training 1 - Incident Response Evidence Collection / Triage
11:00-12:00  Training 2 - No Disassembly Required (Part 1)
12:00-1:00   Lunch
1:00-4:30    Training 2 - No Disassembly Required (Part 2)
4:30-5:00    Cleanup


Title: Training 1 - Incident Response Evidence Collection / Triage

Trainer
John Meyers - Senior Incident Response Analyst, NTT Security

Abstract
Incident Response succeeds or fails at evidence collection. If you don't collect evidence properly or soon enough, you might not be able to determine the root cause of the incident. I will explain how and when to start your evidence collection process, verifying your evidence, hashing your evidence, and the concept of working copies to examine your evidence. The demonstration will include capturing disk image and device memory using FTK Imager.
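The collection steps the abstract names (hash the acquired evidence, make a working copy, verify the copy before examining it, and keep a record) can be shown concretely. The following is an added example, not part of the training material and not an FTK Imager feature; the evidence file, custody log path and record format are constructed for illustration, and a real image from FTK Imager would be the .raw or .E01 file it produces.

```python
"""Evidence hashing and working-copy verification (added example, not from
the BSidesPGH training). Hashes acquired evidence, copies it, re-hashes the
copy before examination, and appends both to a custody log."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads so multi-GB images do not land in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_working_copy(original, copy_path, log_path):
    """Copy evidence, verify the copy hashes match the original, and append
    a custody record (constructed JSON-lines format). Raises on mismatch."""
    original_hashes = hash_file(original)
    shutil.copyfile(original, copy_path)
    copy_hashes = hash_file(copy_path)
    verified = original_hashes == copy_hashes
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "original": os.path.abspath(original),
        "working_copy": os.path.abspath(copy_path),
        "hashes": original_hashes,
        "verified": verified,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    if not verified:
        raise ValueError("working copy hash mismatch: %s" % copy_path)
    return record


def verify_against_log(path, log_path):
    """Re-hash an item later and compare with the hashes recorded for it."""
    current = hash_file(path)
    target = os.path.abspath(path)
    with open(log_path) as log:
        for line in log:
            rec = json.loads(line)
            if target in (rec["original"], rec["working_copy"]):
                return rec["hashes"] == current
    return False  # nothing recorded for this item


def demo():
    """Constructed stand-in for an acquired image; returns
    (copy verified at creation, verifies later, verifies after tampering)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "acquired.raw")
    with open(image, "wb") as f:
        f.write(b"constructed evidence bytes " * 1000)
    copy = os.path.join(workdir, "working_copy.raw")
    log = os.path.join(workdir, "custody.log")
    record = make_working_copy(image, copy, log)
    ok_before = verify_against_log(copy, log)
    with open(copy, "ab") as f:  # simulate an accidental modification
        f.write(b"!")
    ok_after = verify_against_log(copy, log)
    return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Examination work is done only on the working copy; the original stays untouched and is re-hashed against the log whenever its integrity is questioned.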

Incident triage is the process of reviewing gathered evidence in an expedient manner to answer important questions. Topics will include the usefulness of artifacts including Memory, Windows Registry, Browser History and Event Logs. Memory triage would cover basic usage of Volatility to find running processes, network connections and review other artifacts available in memory. Disk triage would cover locations of key artifacts including Registry, Browser History and Event Logs as well as tools to analyze these artifacts.

Prerequisites
In order to follow along, attendees will need to bring a Windows 7/10 laptop with administrator access to the operating system. Tools used during the demo will include:

  1. FTK Imager 4.2.0.13 https://accessdata.com/product-download/ftk-imager-version-4.2.0
  2. Volatility 2.6 http://www.volatilityfoundation.org/releases
  3. Registry Explorer 1.0.0.2 https://ericzimmerman.github.io
  4. Browser History View v2.15 https://www.nirsoft.net/utils/browsing_history_view.html
  5. Event Log Explorer v4.6 https://eventlogxp.com/download.html

Please have them installed on your laptop prior to the demo; artifacts to examine will be provided during the demo.


Title: Training 2 - No Disassembly Required

Trainers
Nate Guagenti - Utility Man, R3doubt
Brian Satira - Malware Analyst, R3doubt

Abstract
Does malware analysis seem like an arcane process involving hours of staring at assembly in OllyDbg or IDA? Is the only alternative relying on an "auto-magically" generated report from a sandbox? Many of the malware variants that today's analyst will face during incident response, however, are not compiled binaries like Windows PE files, and do not require a knowledge of assembly to manually analyze. The goal of our training is to equip frontline defenders with skills to begin more advanced analysis of common malware variants, and help them avoid over-reliance on automated tools that may be defeated by anti-forensics. We will present techniques for analyzing obfuscated JavaScript and VBA/VBS downloader scripts embedded in phishing email attachments. We will demystify malicious PowerShell being used for post-exploitation activities or how an adversary can try to regain a foothold via a PHP tiny webshell. This talk is for anyone on a blue team without a dedicated malware analyst, or anyone interested in malware analysis, but intimidated by all that hex.
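The kind of first-pass static triage the abstract has in mind, for script samples that need no disassembler, can be sketched in a few lines. The following is an added example and not the trainers' material: it peels two common obfuscation layers, JavaScript String.fromCharCode() arrays and PowerShell -EncodedCommand (base64 of UTF-16LE text), and lists the indicators that surface. Both samples are constructed and benign (a decoded command that only prints a string, a URL on the reserved .invalid domain); the API watch-list is an assumed starting point, not a complete one.

```python
"""Static triage of script-based samples (added example, not from the
BSidesPGH training). Decodes String.fromCharCode() arrays and PowerShell
-EncodedCommand payloads, then reports URLs and scripting APIs found."""
import base64
import re

# Constructed samples: a benign URL hidden in a charcode array, and a
# harmless PowerShell command wrapped the way -EncodedCommand wraps it.
JS_SAMPLE = (
    "var u = String.fromCharCode(104,116,116,112,58,47,47,101,120,97,109,"
    "112,108,101,46,105,110,118,97,108,105,100,47,97,46,101,120,101);"
    'var o = new ActiveXObject("WScript.Shell");'
)
PS_SAMPLE = "powershell.exe -NoP -W Hidden -EncodedCommand " + base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16le")).decode()

CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+")
# Assumed watch-list of scripting objects worth a second look in a downloader.
SUSPICIOUS_API = ("WScript.Shell", "ActiveXObject", "MSXML2.XMLHTTP",
                  "ADODB.Stream", "Shell.Application")


def decode_charcode(script):
    """Replace every String.fromCharCode(...) call with the literal it builds."""
    def repl(match):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return CHARCODE_RE.sub(repl, script)


def decode_encoded_command(cmdline):
    """Return every -EncodedCommand payload decoded as UTF-16LE text.
    Malformed base64 or non-UTF-16 data is skipped rather than crashing triage."""
    decoded = []
    for match in ENC_RE.finditer(cmdline):
        try:
            decoded.append(base64.b64decode(match.group(1)).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def triage(sample):
    """Peel one obfuscation layer of each kind and collect indicators."""
    decoded_js = decode_charcode(sample)
    decoded_ps = decode_encoded_command(decoded_js)
    text = decoded_js + "\n" + "\n".join(decoded_ps)
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "apis": [api for api in SUSPICIOUS_API if api in text],
        "decoded_powershell": decoded_ps,
    }


if __name__ == "__main__":
    for name, sample in (("js", JS_SAMPLE), ("ps", PS_SAMPLE)):
        print(name, triage(sample))
```

Real samples stack more layers (string splitting and concatenation, eval of a built string, nested encoded commands), so the analyst repeats the decode step on each output until the plain script appears; the point is that every step here is text manipulation, not assembly.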