Dr Mike Cohen
[Velocidex]
Dr. Michael Cohen has over 20 years of experience in applying and developing novel incident response and digital forensics tools and techniques.

He has previously worked in the Australian Department of Defence as an information security specialist, at the Australian Federal Police specializing in digital forensics, network and memory forensics.

In 2010 he joined Google, where he created tools in support of the incident response team.

Michael has recently founded Velocidex Enterprises, the company behind Velociraptor, an advanced DFIR and endpoint visibility tool.

Tutorial: Enterprise Hunting and Incident Response with Velociraptor

Technical Level (3 being the highest score): 2

The life of an information security professional is a hectic one. It seems like you are fighting fires every day and always behind the eight ball. You know you should be proactively hunting for emerging threats in your network but the tools at your disposal simply do not scale.

You could check each machine individually for hardening and policy compliance, but with many thousands of endpoints deployed it is hard enough just to keep up with the alerts.

This workshop is an introduction to forensic analysis and incident response for information security professionals. We cover the basics of modern DFIR techniques, exposing artifacts such as process analysis (VADs, mutants, handles), low-level NTFS analysis ($I30 carving, timelining, recovery of deleted files), evidence of execution (prefetch files, Amcache, SRUM), and event log collection and analysis.

To illustrate the investigative process, we will use a new open source endpoint visibility tool called Velociraptor. Velociraptor is a powerful endpoint tool implementing many advanced DFIR techniques, and it lets us demonstrate many of the techniques we learn in the limited time available.

Some of the scenarios we cover include:

A domain account was compromised. Where did the attacker laterally move to?

Malware was delivered via a phishing email. Which other users in the domain have executed the same malware?

Uncovering common malware persistence mechanisms.

We will begin by reviewing the common forensic artifacts left behind on modern Windows systems. We then consider how these may be used in practice to address common DFIR scenarios.

Finally, we consider how to proactively hunt for attackers using low-level forensic analysis. Using Velociraptor’s endpoint monitoring feature, we will develop effective endpoint monitoring rules to detect future compromise quickly and efficiently.

Securing our communities – introducing CCX Digger, a new tool for detecting evidence of compromise by a foreign APT

Technical Level (3 being the highest score): 2

CCX Digger is a free and open source project designed to help Australian organisations determine if they have been impacted by a recent high profile advanced persistent threat (APT). CCX Digger provides threat hunting functionality packaged in a simple-to-use tool, allowing users to detect certain attacker activities.

During 2020, especially in the May to June period, Australia experienced a significant increase in cyber incidents targeting all levels of government and a wide range of industry sectors. The threat actors responsible combined basic attack techniques with more sophisticated elements that are harder to detect. The threat actor is known to leave implants on compromised networks to facilitate re-entry.

In this presentation, project collaborators Nick Klein and Jay Banerji (CyberCX) and Dr Michael Cohen (Velocidex Enterprises) will launch CCX Digger and demonstrate how it can help system owners determine whether their networks may have been compromised by these methods.

Secure your place now!