Did I do that? - Understanding action & artifacts w/ Matthew Seyer & David Cowen - SANS DFIR Summit

By default, when we look at forensic artifacts, the action has already occurred. Have you ever been curious what an action or application would leave behind and how it would appear in your forensics tools? Or, maybe you have seen something in a forensic artifact and wondered what caused it. So many artifacts and so many questions!

Tools like Process Monitor have always assisted in exploring how applications and actions impact the file system. The forensic challenge arises though when you want to see changes to binary structures or internals that are contained within files or registry values to better associate an action to an artifact. For example, answering questions like, “How can an executable have been run by a user without updating the run count?”

What if there was a way to see artifact data change, to connect the dots between what we see left behind in artifacts and the actions that caused it? In this talk you will learn how to utilize the Windows API to view changes in forensic artifacts in real time and better understand how actions generate forensic data. We will also demonstrate NEW (and FREE) tools and techniques to enable this type of analysis.
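The idea in the abstract, reduced to its simplest form as an added example (not the speakers' tooling): snapshot an artifact's bytes before an action and again after it, then map the byte ranges that differ back to the known field offsets of the artifact's binary structure. The record layout, field names and sample values below are constructed for illustration and are not a real Windows structure, and the example compares two snapshots rather than using the Windows change-notification APIs the talk covers.

```python
import struct
from typing import Dict, List, Tuple

# Constructed, hypothetical fixed-offset record (not a real Windows artifact):
#   0x00  4 bytes   magic
#   0x04  4 bytes   little-endian run count
#   0x08  8 bytes   little-endian last-run timestamp
#   0x10  16 bytes  executable path, ASCII, NUL padded
FIELD_LAYOUT: Dict[str, Tuple[int, int]] = {
    "magic": (0x00, 4),
    "run_count": (0x04, 4),
    "last_run": (0x08, 8),
    "path": (0x10, 16),
}


def build_sample(run_count: int, last_run: int) -> bytes:
    """Build a constructed artifact snapshot with the given counter and timestamp."""
    return (
        b"ART1"
        + struct.pack("<I", run_count)
        + struct.pack("<Q", last_run)
        + b"C:\\tool.exe".ljust(16, b"\x00")
    )


def changed_ranges(before: bytes, after: bytes) -> List[Tuple[int, int]]:
    """Return half-open [start, end) offset ranges where the two snapshots differ.

    A length difference is reported as a differing tail, so a grown or
    truncated artifact is never silently treated as unchanged.
    """
    ranges: List[Tuple[int, int]] = []
    n = max(len(before), len(after))
    start = None
    for i in range(n):
        b = before[i] if i < len(before) else None
        a = after[i] if i < len(after) else None
        if b != a:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def fields_touched(ranges: List[Tuple[int, int]],
                   layout: Dict[str, Tuple[int, int]] = FIELD_LAYOUT) -> List[str]:
    """Map differing byte ranges onto the structure's fields (layout order)."""
    hit = []
    for name, (off, size) in layout.items():
        if any(s < off + size and e > off for s, e in ranges):
            hit.append(name)
    return hit


def decode(data: bytes) -> Dict[str, object]:
    """Decode the constructed record so the analyst sees values, not raw bytes."""
    return {
        "magic": data[0:4],
        "run_count": struct.unpack("<I", data[4:8])[0],
        "last_run": struct.unpack("<Q", data[8:16])[0],
        "path": data[16:32].rstrip(b"\x00").decode("ascii"),
    }


def diff_snapshots(before: bytes, after: bytes) -> Dict[str, object]:
    """Full report: which byte ranges moved, which fields they belong to, old vs new values."""
    ranges = changed_ranges(before, after)
    old, new = decode(before), decode(after)
    return {
        "ranges": ranges,
        "fields": fields_touched(ranges),
        "values": {f: (old[f], new[f]) for f in fields_touched(ranges)},
    }


if __name__ == "__main__":
    # Normal execution: both the counter and the timestamp advance.
    print(diff_snapshots(build_sample(3, 1000), build_sample(4, 2000)))
    # The puzzling case from the abstract: the timestamp moves but the run count does not.
    print(diff_snapshots(build_sample(3, 1000), build_sample(3, 2000)))
```

In practice the two snapshots are the artifact file's bytes read before and after you trigger the action in a lab VM; the second call in the `__main__` block shows how the "run without an updated run count" question surfaces as a diff that touches `last_run` but not `run_count`.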

Matthew Seyer, @forensic_matt, Manager, KPMG
David Cowen, @HECFBlog, Managing Director, KPMG #instructor

DFIRCON 2020 - Live Online
Virtual, US Eastern | Mon, Nov 2 - Sat, Nov 7, 2020

Courses Available:
FOR308: Digital Forensics Essentials - NEW
FOR498: Battlefield Forensics & Data Acquisition
FOR500: Windows Forensic Analysis
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
FOR518: Mac and iOS Forensic Analysis and Incident Response
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
FOR578: Cyber Threat Intelligence
FOR585: Smartphone Forensic Analysis In-Depth
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques