Remote Forensic Investigations For The Win

Settings

Always show controls

Qualities

UbiCast player

Keyboard shortcuts

Action

Key

Play / Pause

K or space

Mute / Unmute

Toggle fullscreen mode

Select next subtitles

Select next audio track

Toggle automatic slides maximization

Seek 5s backward

left arrow

Seek 5s forward

right arrow

Seek 10s backward

shift + left arrow or J

Seek 10s forward

shift + right arrow or L

Seek 60s backward

control + left arrow

Seek 60s forward

control + right arrow

Seek 1 frame backward

alt + left arrow

Seek 1 frame forward

alt + right arrow

Decrease volume

shift + down arrow

Increase volume

shift + up arrow

Decrease playback rate

Increase playback rate

Seek to end

end

Seek to beginning

beginning

Loading Click here to add:

Information on this media

55 views

If you’re performing incident handling, you probably already faced this situation: “Friday, 5PM, your phone rings because a customer detected some suspicious activity on a server or a workstation. Of course, it must be investigated “as soon as possible”. The server is physically located 500km away, not easy to start to investigate. Why not use a toolbox that can be booted on any system (server, workstation, physical, virtual, cloud, …) and launch some investigations in a safe way but under the customer’s control and supervision?

During this talk, I’ll present you “Bitscout”, a customizable live CD based on free tools and created to perform remote forensic investigations. This project was created by Vitaly Kamluk but I already submitted some pull requests to improve the project and used it in real cases!

After a quick review of an incident handling process and its classic issues, I will present the tool itself and compare it to classic solutions based on agents. The architecture will be described and several use cases will be demonstrated (ex: booting the compromized server, take a memory image, scanning the filesystem, etc). Several demos will be prepared (crossing fingers ;-)