Presented by:


Gary Smith

from Pacific Northwest National Laboratory

Gary started out his professional career as a chemist/materials engineer. His start down the path to the Dark Side of Computing began when he wrote a program to design an optimal extruder screw rather than face thousands of calculations with a slide rule (yes, a slide rule). Since then, he's done a lot of different things in computing. Always a glutton for punishment, he wrote his own sendmail.cf from scratch. Around 1993, Gary started doing computer security when the semiconductor company he was working for was forced to get on the Internet to send and receive Integrated Circuit designs faster, and a firewall/Internet gateway was needed. Since then, Gary's been involved in firewalls, intrusion detection systems, application hardening, and anti-spam filters. Gary really does computer security to support his bicycling habit. He has more bikes than most other people have computers. And they're a lot more expensive.

A major part of incident response is answering the question, "Do we have an incident?" To answer that question you can use live Linux forensics. In this presentation, we will look at some of the steps in incident response, specifically the preparation phase. Next we'll look at what forms of information we can gather from a live Linux system and their forensic value. Finally, we'll look at scripts to automate the process of gathering forensic evidence. If the demo gods are smiling on us, there will be a demo of gathering forensic information from a system suspected of having an incident and answering the question, "Do we have an incident?"

Date:
2018 April 29 - 03:45
Duration:
45 min
Room:
CC-200
Conference:
LinuxFest Northwest 2018
Language:
Track:
Security
Difficulty:
Medium

Happening at the same time:

  1. ROSECODE
     Start Time: 2018 April 29 03:45
     Room: G-103

  2. Don't Fear the Patent Clause!
     Start Time: 2018 April 29 03:45
     Room: CC-114

  3. Incident Response with Live Linux Forensics
     Start Time: 2018 April 29 03:45
     Room: CC-200

  4. Privacy on the blockchain
     Start Time: 2018 April 29 03:45
     Room: HC-108

  5. Hybrid multi-cloud infrastructure as code using Terraform
     Start Time: 2018 April 29 03:45
     Room: CC-208

  6. Arduino, ESP8266 and 433 Mhz Devices
     Start Time: 2018 April 29 03:45
     Room: CC-236

  7. Old Dogs & New Tricks
     Start Time: 2018 April 29 03:45
     Room: CC-115

  8. Using osquery via Fleet for Client/Server visibility
     Start Time: 2018 April 29 03:45
     Room: CC-235

  9. Picking Up the Pieces, Issues And Challenges Controlling Your Data
     Start Time: 2018 April 29 03:45
     Room: HC-103 Postgres