Forgotten But Not Gone: Gathering NTFS Artifacts of Deletion - SANS Tactical Detection & Data Analytics Summit

Location: Hilton Scottsdale Resort and Villas, 6333 North Scottsdale Road, Scottsdale, AZ, 85250
Start Date: December 4, 2018 9:00 AM
End Date: December 5, 2018 6:00 PM

The SANS Tactical Detection & Data Analytics Summit brings together leading security practitioners to present real-world case studies that demonstrate how to utilize high-value log sources, monitoring tools, and sound analysis techniques as a robust detection capability.

Kroll's Mari DeGrazia and Scott Hanson, directors in our Cyber Risk practice, have been invited to demonstrate how to pull back the MFT and the NTFS Index Attribute to discover evidence of deleted files. More details about their session are below:

Forgotten But Not Gone: Gathering NTFS Artifacts of Deletion

Date/time: 12/5 10:40-11:15 am

While endpoint threat monitoring tools are powerful, many lack ways to quickly and efficiently recover evidence of deleted information. This deleted information may include evidence of staging tools, exfiltration files and malware that attackers clean up as they go. How can you track an attacker through your environment if they are cleaning up after themselves? Learn how to pull back and leverage two files on the system, the MFT and the NTFS Index Attribute, to discover evidence of deleted files. Once an attacker’s favorite staging location is known, this technique can be scaled up and automated to sweep an environment to locate and analyze evidence of deleted files.
