DFIQ - Codifying digital forensic intelligence
10-23, 16:45–17:15 (Europe/Luxembourg), Europe - Main Room

CTI practitioners have threat intelligence databases; what about digital forensics practitioners? How can they organize knowledge and ensure that investigations are carried out in a repeatable manner? In the same way that threat intelligence describes attackers, capabilities, and infrastructure, Digital Forensics Intelligence describes the relationship between systems, questions, and investigation techniques.

Enter DFIQ (Digital Forensics Investigative Questions; https://dfiq.org/): a framework used to model scenarios, questions and approaches in digital forensics investigations. This talk will take a deeper dive into the DFIQ model and, more importantly, the different ways it is used in practice to support forensic investigators' day-to-day work, make investigation conclusions repeatable, and enable knowledge sharing among analysts. We'll discuss how DFIQ is stored in Yeti, used in Timesketch, and can drive end-to-end collection and analysis workflows that accelerate and structure investigations in large enterprise environments.


High level talk overview:

  • DFIQ - in theory
    • DFIQ objects: Scenarios, Facets, Questions, and Approaches
    • Codifying a common scenario with DFIQ objects
  • DFIQ - in practice
    • DFIQ schema evolution, open source challenges
    • Implementation
      • Storing, editing, building a DFIQ graph in Yeti
      • Using DFIQ to structure an investigation in Timesketch
      • Examples of full end-to-end evidence collection and analysis workflows with dfTimewolf, GRR / Velociraptor, Plaso, Timesketch

Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US.