PowerShell Forensics

Abstract

Assume Breach. The question is not "if" you will be breached, but when. The capability to quickly triage suspicious indicators is more important than ever. Traditional digital forensics applications are great for individual investigations, but they often abstract away many of the underlying concepts and are slower to analyse. This workshop will teach you the basic functionality of PowerForensics, an open source forensics platform built on PowerShell. Additionally, we will discuss how to decipher forensic data to build a contextual story around the activity.

During the workshop you will:

  • learn PowerShell and PowerForensics basics
  • understand the basics of the NTFS file system
  • recover deleted files
  • analyse system activity through forensic timelining

Jared Atkinson

Jared Atkinson is a Security Researcher who specializes in Digital Forensics and Incident Response. Jared spent two years leading the technical build-out of Veris Group's Hunt capability. Before Veris Group, Jared spent 4 years leading incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks.

Passionate about PowerShell and the Open Source community, Jared is the lead developer of the PowerForensics project, an open source forensics framework for PowerShell, and of Uproot, a WMI-based IDS. He also maintains a DFIR-focused blog at www.invoke-ir.com.