BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//bsidesatl-2023//talk//FMGHZ3
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-bsidesatl-2023-FMGHZ3@pretalx.com
DTSTART;TZID=EST:20231014T130000
DTEND;TZID=EST:20231014T135000
DESCRIPTION:Murphy's law says anything that can go wrong will. A colleague
  of my mom during her professional career once quipped that McGillicudy's
  law says Murphy was an optimist. Most of us here have instrumented
  environments\, tools\, run books\, techniques and procedures. We know how
  to take those tools and find evil and eradicate it from our environment.
  That's great\, when the malicious activity is on a known server that was
  built to the corporate image and all tools are installed properly\,
  functioning perfectly\, and reporting back regularly. I don't think I
  have ever worked a case like that. Forensics cases happen on systems
  that are new\, old\, unknown\, shadow IT\, forgotten about in some corner
  and result in an email telling you that your system is part of a DDoS
  on their network and to cut it out\, or an email from admin saying "I
  found this strange file on my server and I didn't put it there". What
  do you do now? Once you have gotten the resulting panic out of your
  system\, refilled your soda and taken a deep breath\, you have to triage
  and do forensics on this unknown orphan system from who knows where
  built with who knows what for anyone's guess at a purpose. How do you
  do that? You improvise! That is what this talk is about. This talk will
  discuss Windows OS built-in commands\, free and open source tools\, and
  techniques to solve this problem.
DTSTAMP:20260418T223626Z
LOCATION:Room 401
SUMMARY:Bare Knuckle Forensics for White Knuckle Moments - Tony Drake
URL:https://pretalx.com/bsidesatl-2023/talk/FMGHZ3/
END:VEVENT
END:VCALENDAR
