Tony Drake has been working in security and security-adjacent roles for almost 3 decades. Over the years he has held positions ranging from UNIX and Linux administration to system architecture, engineering, application security, security administration, IR, forensics and "hey security guy". He is currently the Lead Researcher for Threat Intelligence at the Intercontinental Exchange, where he works on long-term tactical security challenges to advance the next generation of security solutions.
Murphy's law says anything that can go wrong will. A colleague of my mom during her professional career once quipped that McGillicudy's law says Murphy was an optimist. Most of us here have instrumented environments, tools, runbooks, techniques and procedures. We know how to take those tools, find evil and eradicate it from our environment. That's great when the malicious activity is on a known server that was built to the corporate image and all tools are installed properly, functioning perfectly, and reporting back regularly. I don't think I have ever worked a case like that. Forensics cases happen on systems that are new, old, unknown, shadow IT, or forgotten about in some corner, and they result in an email telling you that your system is part of a DDoS on their network and to cut it out, or an email from an admin saying "I found this strange file on my server and I didn't put it there". What do you do now? Once you have gotten the resulting panic out of your system, refilled your soda and taken a deep breath, you have to triage and do forensics on this unknown orphan system from who knows where, built with who knows what, for anyone's guess at a purpose. How do you do that? You improvise! That is what this talk is about. This talk will discuss Windows OS built-in commands, free and open source tools, and techniques to solve this problem.