Date and Time:
Tuesday, March 19, 14:00 – 18:00

This workshop is hybrid (online and face-to-face).

Description:

DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” (compromise search tool) in French, is an open-source collection of specialized tools dedicated to reliably parsing and collecting critical artefacts such as the MFT, registry hives or event logs. It can also embed external tools and their configurations. DFIR ORC collects data but does not analyze it: it is not meant to triage machines. Nor can it spy on an attacker, as an EDR or HIDS/HIPS would. Rather, it provides a forensically relevant snapshot of machines running Microsoft Windows. Over the years, it has evolved into stable and reliable software that faithfully collects unaltered data. Designed to scale up for use on large enterprise networks, it supports fine-tuning to keep its impact on production environments low.

This workshop is a hands-on introduction to using DFIR-Orc for incident response. It will also focus on one of the tools embedded in DFIR-ORC, FastFind, which can be used to conduct large-scale indicator-of-compromise searches across an enterprise network.

We will demonstrate how to configure DFIR-Orc to collect data relevant to incident response use cases. We will provide example configurations, which will likely target generic artefacts that can be found on anyone’s machine (event logs, registry hives, etc.), but each participant will be encouraged to build their own configuration and decide what to collect. Everyone will be able to execute the binary on their own host, provided that they have administrative privileges on their Windows box (inside a VM or not). The collected data stays on each participant’s own computer at all times.

The capabilities of the embedded FastFind subcommand will be demonstrated in the same way: only locally, on one’s own machine.

Preparation Details:

This workshop requires a Microsoft Windows environment (Windows 7 or later) where you have administrative privileges. The latest release of DFIR-Orc_x64.exe (v10.2 or later, around 6 MB) is available from the releases page of our GitHub repository (https://github.com/DFIR-ORC/dfir-orc/releases); please be sure to download it ahead of time in case of Internet mishaps. You can also download the GitHub repository dedicated to the configuration of the tool (https://github.com/DFIR-ORC/dfir-orc-config) to have a baseline for the hands-on exercise. Other than that, Notepad++ or any other text editor you are comfortable using to edit XML files is required.

Workshop organiser:

Blanche Lagny, Sébastien Chapiron (ANSSI, France)

Blanche Lagny (ANSSI, France)

Blanche Lagny has been a forensic investigator at the French government CERT, part of the French Network and Information Security Agency (ANSSI), for the last 7 years. Interested in DFIR research on all kinds of systems, she favors in-depth studies of operating-system artefacts. Her previous work includes a paper on a Windows artefact, the AmCache, to help understand its inner workings. Since the open-sourcing of DFIR-ORC 4 years ago, she has become more involved in its development and is currently in charge of the project documentation.

Sébastien Chapiron (ANSSI, France)

Sébastien Chapiron has more than 10 years of experience in the Digital Forensics and Incident Response field. With a background in system administration, he has also started to engage in DevOps activities to support DFIR teams. He has participated in the development of several tools, including some around DFIR-Orc, a data collection tool that he helped maintain and for which he provided support to the community.