If you’re performing incident handling, you have probably already faced this situation: Friday, 5PM, your phone rings because a customer detected some suspicious activity on a server or a workstation. Of course, it must be investigated “as soon as possible”. The server is physically located 500km away, so it is not easy to start investigating. Why not use a toolbox that can be booted on any system (server, workstation, physical, virtual, cloud, …) and launch some investigations in a safe way, but under the customer’s control and supervision?
During this talk, I’ll present you “Bitscout”, a customizable live CD based on free tools and created to perform remote forensic investigations. This project was created by Vitaly Kamluk but I already submitted some pull requests to improve the project and used it in real cases!
After a quick review of an incident handling process and its classic issues, I will present the tool itself and compare it to classic solutions based on agents. The architecture will be described and several use cases will be demonstrated (e.g. booting the compromised server, taking a memory image, scanning the filesystem, etc.). Several demos will be prepared (crossing fingers ;-)
Xavier Mertens is a freelance security consultant based in Belgium. With 12+ years of experience in information security, his job focuses on protecting his customers’ assets by providing services like incident handling, investigations, log management, security visualization and OSINT. Xavier is also a Senior Handler at the SANS Internet Storm Center, a security blogger and co-organizer of the BruCON security conference.