Forgotten But Not Gone: Gathering NTFS Artifacts of Deletion - SANS Tactical Detection & Data Analytics Summit
- Hilton Scottsdale Resort and Villas, 6333 North Scottsdale Road Scottsdale, AZ, 85250
- Start Date:
- December 4, 2018 9:00 AM
- End Date:
- December 5, 2018 6:00 PM
The SANS Tactical Detection & Data Analytics Summit brings together leading security practitioners to present real-world case studies that demonstrate how to utilize high-value log sources, monitoring tools, and sound analysis techniques as a robust detection capability.
Kroll's Mari DeGrazia and Scott Hanson, directors in our Cyber Risk practice, have been invited to demonstrate how to pull back the MFT and the NTFS Index Attribute to discover evidence of deleted evidence. More details about their session below:
Forgotten But Not Gone: Gathering NTFS Artifacts of Deletion
Date/time: 12/5 10:40-11:15 am
While endpoint threat monitoring tools are powerful, many lack ways to quickly and efficiently recover evidence of deleted information. This deleted information may include evidence of staging tools, exfiltration files and malware that attackers clean up as they go. How can you track an attacker through your environment if they are cleaning up after themselves? Learn how to pull back and leverage two files on the system, the MFT and the NTFS Index Attribute, to discover evidence of deleted files. Once an attacker’s favorite staging location is known, this technique can be scaled up and automated to sweep an environment to locate and analyze evidence of deleted files.
Learn more about Mari DeGrazia
Learn more about Scott Hanson