Please register for our full day of training here. Cost is $50.
BSides Pittsburgh is offering a day of training to sharpen your InfoSec skills. The base requirements for the day are yourself and a laptop with wireless connectivity and a VM platform (we suggest VMWare Player). See the prerequisite sections of each training below for more specific requirements.
Note: Course fee's cover the training space and resources. Our training is volunteer run, and lunch will be on your own.
11:00-12:00 Training 2 - No Disassembly Required (Part 1)
Title: Training 1 - Incident Response Evidence Collection / Triage
John Meyers - Senior Incident Response Analyst, NTT Security
Incident Response succeeds or fails at evidence collection. If you don't collect evidence properly or soon enough, you might not be able to determine the root cause of the incident. I will explain how and when to start your evidence collection process, verifying your evidence, hashing your evidence, and the concept of working copies to examine your evidence. The demonstration will include capturing disk image and device memory using FTK Imager.
Incident triage is the process reviewing gathered evidence in an expedient manner to answer important questions. Topics will include the usefulness of artifacts including Memory, Windows Registry, Browser History and Event Logs. Memory triage would cover basic usage of Volatility to find running processes, network connections and review other artifacts available in memory. Disk triage would cover locations of key artifacts including Registry, Browser History and Event Logs as well as tools to analyze these artifacts.
In order to follow along, attendees will need to bring a Windows 7/10 laptop with administrator access to the operating system. Tools used during the demo will include:
- FTK Imager 220.127.116.11 https://accessdata.com/product-download/ftk-imager-version-4.2.0
- Volatility 2.6 http://www.volatilityfoundation.org/releases
- Registry Explorer 18.104.22.168 https://ericzimmerman.github.io
- Browser History View v2.15 https://www.nirsoft.net/utils/browsing_history_view.html
- Event Log Explorer v4.6 https://eventlogxp.com/download.html
Please have them installed on your laptop prior to the demo, artifacts to examine will be provided during the demo.
Title: Training 2 - No Disassembly Required