Investigating a suspected computer compromise or intrusion can be difficult. In a sense, that is by design: malicious actors can go to great lengths to hide their activities and tools. Attrition Forensics attempts to outline how to investigate a compromise or intrusion involving modern Windows systems when the attacker is particularly good and the investigation particularly difficult. It presents a tool-neutral view of forensics focused on developing and exhaustively analyzing evidence, with particular emphasis on identifying what sophisticated attackers have attempted to conceal or remove. The word "attrition" is used not to suggest a contest between attacker and defender, but rather to describe a process in which the available evidence is systematically exhausted until the investigation's questions are answered. This presentation will look into the goals and methodologies involved in compromise investigations and discuss the sorts of evidence an investigator might consider in trying to answer the what, when, who, how, and why questions of a compromise or intrusion investigation.
October 21, 2014 | Tech 2 (801a) | 13:25 – 14:25