Date and Time:
Tuesday, March 21, 09:00 – 13:00

Workshop organiser:

Description:
At Fox-IT and NCC Group, we are always looking to push our incident response capabilities to the next level. Because we believe, no adversary, no matter how high-end, should be beyond our reach. This led to the development of “Dissect”, an enterprise investigation framework that we have now open-sourced and shared with the world.

With Dissect, you can go from intake call to patient zero in a matter of hours, even in infrastructures with thousands of systems. For example: we created a method to plug directly into hypervisors and collect forensic data from running virtual machines with zero downtime and effort, eliminating traditional software deployment bottlenecks, such as file locks. Dissect supports us, the analysts, from the moment of acquisition of artifacts, to normalization, processing, and analysis. It takes away concerns about how to access investigation data, so we can now focus on performing analysis, developing complex analysis plugins, and performing research. You know, the cool stuff that we want to brag about on birthday parties.

We will explain our methodology, how we handle data containers and filesystems and what types of data formats Dissect supports. Attendees will learn what Dissect is, get to know its capabilities, and how to use the Dissect framework to their advantage. The Dissect framework consists of multiple tools and attendees will learn how to use and combine these tools to solve forensic/incident response challenges! Interested?

Get a head start; by visiting the interactive playground at https://try.dissect.tools/, reading the documentation at https://docs.dissect.tools/, or by looking at the source code of the various Dissect projects at https://github.com/fox-it/dissect.

Attendees are expected to bring their own laptop with an SSH client.