It is not unusual for CERT/CSIRT/SOC teams to use collection and live forensics tools in their incident response workflow. Programs such as Velociraptor, KAPE or DFIR-ORC can legitimately access low-level filesystem data and memory for the purposes of extracting forensic artifacts.

In this talk, we will show how these tools can be abused for credential access and why they might be overlooked by security teams. We will also discuss detection opportunities and what events to monitor in order to effectively counter these techniques.