Authors: Philgeun Jin and Namjun Kim

DFRWS APAC 2025

Abstract

This workshop explores how Elasticsearch can be applied as a practical tool for forensic analysis and incident response. Participants will gain hands-on experience with search and visualization techniques in Elasticsearch and Kibana, and apply them to real forensic datasets, including Windows eBPF-based data provided by the instructors. The environment is designed to give attendees practical analysis experience, allowing them to work through exercises that involve detecting and investigating malicious activities. The session concludes with a brief exercise that introduces the use of AI in forensic analysis.

Learning Objectives

By the end of this workshop, participants will be able to:

  • Use Elasticsearch and Kibana to search, filter, and visualize forensic log data.
  • Analyze prepared Windows eBPF-based datasets to detect and investigate malicious activities.
  • Apply centralized log analysis methods to conduct DFIR investigations more effectively.
  • Gain introductory experience with AI-driven log analysis techniques for future DFIR applications.

Experience Level

This workshop is suitable for participants at the beginner to intermediate level. A basic understanding of DFIR and prior experience with log analysis will make the session more beneficial.

Description

This workshop introduces the use of Elasticsearch and Kibana for digital forensics and incident response (DFIR). After a brief overview of key concepts, participants will engage in hands-on exercises using Windows eBPF-based incident datasets prepared by the instructors. Through these exercises, attendees will directly perform forensic investigations, focusing on search techniques to examine malicious activities and uncover attack patterns. Throughout the session, participants will apply Elasticsearch queries and dashboards in a controlled environment to detect and analyze threats, gaining practical experience in forensic investigation. The workshop concludes with an exercise that introduces AI-based approaches to forensic log analysis, providing insights into how emerging technologies can complement traditional DFIR workflows.

Preparation Details

No additional software installation is required. Participants only need a laptop with a modern web browser (Chrome recommended). All exercises will be conducted through a web-based interface.


Biography

Philgeun Jin

Philgeun is a security researcher with interests in AI-driven security, threat intelligence, and DevSecOps. He is currently pursuing a Ph.D. at Sungkyunkwan University. Previously, he worked as a blue team engineer, focusing on incident response and the deployment of security solutions. He enjoys sharing knowledge and engaging with the security community.

Namjun Kim

Namjun is a security service developer with expertise in eBPF-based security, digital forensics, and threat intelligence engineering. He works at NCSOFT Corporation, focusing on secure pipelines and security automation. Outside of work, he contributes to open-source projects, experiments with LLM-driven security automation, participates in CTFs, and enjoys engaging with the security community.
