Open-Source DFIR Made Easy: The Setup - SANS Digital Forensics & Incident Response Summit 2017

A common challenge in the digital forensics and incident response (DFIR) community has been building a DFIR toolkit that is cheap, simple to set up, scalable, and easy to use. DFIR teams frequently have neither the budget to purchase a toolkit nor the time to develop one themselves. Many open-source solutions exist, but they typically require an advanced level of skill to set up and maintain, while custom in-house solutions carry the risk that the maintainer leaves or is otherwise unable to keep them running. Another common issue is the requirement for yet another agent running constantly on every host, adding CPU and memory load in already over-subscribed virtualized environments. The result is a collection of custom scripts of varying fidelity, depending on the experience of the individual or team. This presentation introduces and demonstrates the “CyLR, CDQR Forensics – Virtual Machine” (CCF-VM). The CCF-VM was designed as an all-in-one answer to this problem: a conveniently packaged, easy-to-use platform, built from the ground up to let teams collect, process, and analyze critical forensic artifacts in order to triage and investigate intrusions both large and small. With built-in, commonly used searches and dashboards, the CCF-VM supports searching a single host or many hosts simultaneously, as analyst or incident needs dictate. After completing this session, attendees will understand how to: collect data with CyLR; process forensic artifacts with CDQR; use Kibana (as set up in the CCF-VM) for DFIR purposes; set up the CCF-VM; set up a CCF-VM DFIR toolkit for each analyst; and scale the CCF-VM to the enterprise level.

Speakers:
Stephen Hinck (@stephenhinck), Senior Technical Account Manager, ICEBRG
Alan Orlikoski (@alanorlikoski), Senior Manager, Incident Response & Threat Protection Team
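
The talk's pipeline is collect (CyLR), process (CDQR), analyze (Kibana). The step practitioners most often skip is checking the collection before processing: a hive or $MFT the collector could not read arrives as a zero-length file, and the resulting timeline is silently empty. The script below is an added example, not code from the talk or from the CyLR or CDQR projects. It assumes a CyLR-style zip whose member names mirror the source paths with the drive letter as the top directory (e.g. C/Windows/System32/config/SYSTEM); that layout, the list of expected artifacts, and the constructed sample archive are this example's own assumptions. It hashes every member for a chain-of-custody manifest and flags missing or empty artifacts.

```python
"""Integrity and completeness check for a CyLR-style triage collection.

Added example. Assumptions (not from the talk): the collector writes a zip
whose member names mirror source paths with the drive letter as the top
directory, e.g. "C/Windows/System32/config/SYSTEM". The expected-artifact
list is this example's own choice of high-value Windows triage artifacts.
"""
import hashlib
import io
import json
import zipfile

# Assumed paths of high-value artifacts inside the collection archive.
EXPECTED_ARTIFACTS = {
    "registry:SYSTEM": "C/Windows/System32/config/SYSTEM",
    "registry:SOFTWARE": "C/Windows/System32/config/SOFTWARE",
    "amcache": "C/Windows/AppCompat/Programs/Amcache.hve",
    "mft": "C/$MFT",
    "security_evtx": "C/Windows/System32/winevt/Logs/Security.evtx",
}


def archive_manifest(zip_bytes: bytes) -> dict:
    """Return {member: {"size": n, "sha256": hex}} for every file in the zip.

    Hashes are taken over the uncompressed content, so the manifest can be
    re-verified later on the processing box after extraction.
    """
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[info.filename] = {
                "size": info.file_size,
                "sha256": digest.hexdigest(),
            }
    return manifest


def check_collection(zip_bytes: bytes) -> dict:
    """Report which expected artifacts are present, missing, or zero-length.

    A zero-length hive or $MFT usually means the collector could not get raw
    access to a locked file and wrote nothing; flag it before processing.
    """
    manifest = archive_manifest(zip_bytes)
    present, missing, empty = {}, [], []
    for label, path in EXPECTED_ARTIFACTS.items():
        entry = manifest.get(path)
        if entry is None:
            missing.append(label)
        elif entry["size"] == 0:
            empty.append(label)
        else:
            present[label] = entry["sha256"]
    return {
        "members": len(manifest),
        "present": present,
        "missing": missing,
        "empty": empty,
        "ok": not missing and not empty,
    }


def build_sample_archive() -> bytes:
    """Constructed sample (not a real collection): one artifact is missing
    and one is zero-length, so the check has something to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("C/Windows/System32/config/SYSTEM", b"regf" + b"\x00" * 64)
        zf.writestr("C/Windows/System32/config/SOFTWARE", b"regf" + b"\x01" * 64)
        zf.writestr("C/Windows/AppCompat/Programs/Amcache.hve", b"")  # locked file
        zf.writestr("C/$MFT", b"FILE0" + b"\x00" * 128)
        # Security.evtx deliberately absent from the sample.
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(check_collection(build_sample_archive()), indent=2))
```

Run the check on every archive as it lands on the CCF-VM and keep the manifest beside the archive; a later hash mismatch on the processing side then points at transfer or storage corruption rather than at the collector.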