As some of you already know, I will have the honor to speak at the upcoming RSA Conference on May 17th.
In a previous post I gave some more details about what the talk will be about (without spoiling the talk, of course), since the original abstract I wrote was somewhat generic.
Since the talk (and the work behind it) is based on several other projects and background technical knowledge that, due to time constraints, I will only discuss very briefly, I wanted to give you the opportunity to check them beforehand so you can make the most of it.
For the most low-level technical people in the audience you will probably have MUCH more fun if you understand at the low level what's going on behind the scenes.
However, note that reviewing these references is not necessary to fully understand the talk, the presentation is self-contained. As mentioned, I wrote this post only for those of you who want to get familiar with the low level technology details beforehand.
TIP: Pay special attention to Technique T1053.005 / Scheduled Tasks.
Visit our DS4N6 Tools page to learn more about several of the tools / formats we will be talking about:
|ds4n6_lib||python library that provides an easy way to ingest forensic tool output (plaso, kape, kansa, volatility, etc.) in Jupyter and perform multiple types of Data Science and Machine Learning analysis.|
|DAISY||DAISY (DFIR Data Science & AI) is a Virtual Machine designed to carry out Data Science and Machine/Deep Learning Analysis on DFIR data|
|ADAM|| The DS ADversAry eMulator allows you to define a sequence of malicious artifact data and inject it in the multiple Artifact-specific DataFrames.
This allows you to test your detection capabilities by mimicking real attacks, all in a “virtual” DataFrame environment.
|D4ML||D4ML are the DS4N6 extensions for Machine Learning, i.e. easy-to-use ML functions that you can apply to your artifact-specific dataframes to, for instance, detect anomalies which may correspond to malicious events.|
|HAM||The Harmonized Artifact Model (HAM) is a model that harmonizes the output of different forensic tools so the underlying artifact data has the same format regardless of the tool that generated it.|
In my talk I will be discussing the use of a Machine Learning model called Autoencoder, and a very interesing variation, the LSTM Autoencoder.
If you want to get familiar with these models before the talk, to better understand what they are and how they work, check the following references:
These references will give you a general idea of what (LSTM) Autoencoders are, how they can be used for anomaly detection, and how they can be built in python/keras.
After the conference I will release the source code of the actual Autoencoders used in the presentation, and I will publish a couple of blog posts to explain in-depth how they are applied specifically to our DFIR scenario.
As mentioned before, you do not to be afraid if you don't have the time to, since the talk is self-contained and I will be explaining everything you need to know to understand the content presented.
But if you are able to review the content listed on this page beforehand, you will be ready to get 1000% of the content of my talk!!
I humbly believe that you will have quite some fun with my talk and you will learn quite a few things in different areas (DFIR, Data Science, Machine Learning), so it would be great to have you in the audience!
See you at the RSA Conference on May 17!