Digital Surveillance and Cyberespionage at Scale + Windows 10 DFIR Challenges


Details
This inaugural Meetup will feature two Volexity speakers: Steven Adair and Andrew Case. For the first session, Steven will be discussing a topic he presented at RSA 2019 earlier this year, “Digital Surveillance and Cyberespionage at Scale,” in which he discussed OceanLotus, one of the most advanced and pervasive threat groups. For the second session, Andrew will present “Windows 10 DFIR Challenges,” a talk he recently gave at BSides Las Vegas 2019.
The Meetup will be hosted at Spaces Wiehle Metro, 1900 Reston Metro Plaza, Reston, VA. Doors will open at 6:30PM and the first session will begin at 7:00PM. We have limited seating, so be sure to reserve your spot!
ABSTRACTS
Session I: Digital Surveillance and Cyberespionage at Scale
Learn how OceanLotus, one of the most advanced and pervasive threat groups that is active today, manages its tracking, exploitation, and command and control operations around the world. There is a good chance you have been tracked by OceanLotus without even knowing it. This talk will show how a digital surveillance campaign can turn into a cyberespionage operation.
Session II: Windows 10 DFIR Challenges
Microsoft has added a significant number of features to Windows 10 that affect the types of evidence that can be found both on disk and in memory during digital forensic and incident response investigations. These features include new event logging sources, new artifacts of program execution and file access, compression of in-memory data stores, native support for Linux virtual machines, and much more. The inclusion of these features necessitates that blue team members update a significant portion of their workflow to fully capture events that previously occurred on the system. These features also force red team members to update their workflows if they wish to operate in a stealthy manner. During this presentation, the full range of these new features will be presented along with how they can be accessed, analyzed, and understood. This will include discussion of open source tools along with analysis methodologies. By the end of the presentation, attendees who work in a wide variety of information security roles will understand how Windows 10 changes their daily workflow and how to best take advantage of the new features. With Windows 7 reaching its official end-of-life in January 2020, now is the time to learn these new skills.
SPEAKER BIOS
Steven Adair (Twitter: @stevenadair) is the founder and President of Volexity, Inc., an information security firm specializing in assisting organizations with incident response, digital forensics, threat intelligence, network security monitoring, and trusted security advisory. Steven currently leads a team of experts that frequently deal with advanced and complex cyber intrusions from nation-state level intruders targeting everyone from small think tanks to large global defense contractors.
Andrew Case (Twitter: @attrc) is the Director of Research at Volexity and a core developer of the Volatility memory analysis framework. His professional experience includes digital forensic investigations, incident response handling, malware analysis, penetration tests, and source code audits. Andrew is a co-author of the award-winning book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory”. Andrew also co-teaches the “Digital Forensics & Incident Response” class at Black Hat. Andrew’s primary research focus is physical memory analysis, and he has presented his research at conferences including Black Hat, RSA, SecTor, SOURCE, BSides, OMFW, GFirst, and DFRWS.