Forensic Incident Response

by James Habben & John Lukach

• Security Event Bus Implementation
• Using AWS Cloud9 as a Bastion Host
• Amazon Linux Triage for Anyone and Everyone
• Catching that VPC Flow Log Wave
• Capture Lambda Public IP Address
• Identify Python Version of CDK
• CloudTrail Principles for Success
• Route53 Public Host Zone Pattern
• Privileged Account Identification
• Validating GitHub Webhooks with Python
• GitHub OpenID with AWS CDK
• Serverless Forensic Imager
• System Manager Quick Setup
• Getting Started - AWS Cloud Development Kit
• Snapshot 4n6ir Imager Initial Release
• Processing Progress in Axiom
• NTFS Object IDs in EnCase - Part 3
• NTFS Object IDs in X-Ways
• NTFS Object IDs in EnCase - Part 2
• NTFS Object IDs in EnCase
• Parsing CFBundleURLSchemes from MacOS Apps
• Show and Search for Owner ID in X-Ways
• Show and Search for NTFS Owner in EnCase
• Show Your Timezone in X-Ways
• Show Your Timezone in EnCase
• Living with a Credit Freeze
• Reputations and PCI Data Breaches
• Evolve Version 1.6
• Malicious USB Devices
• Skills and Knowledge for InfoSec
• Infosec Jobs
• Compile Time Analysis of NotPetya
• Soft Skills: Respect
• Fileless Application Whitelist Bypass and Powershell Obfuscation
• Layers Are Important
• Soft Skills: Be Present
• Real Self Improvement
• CCM_RecentlyUsedApps Update on Unicode Strings

• Windows Prefetch: Tech Details of New Research in Section A & B

• Windows Prefetch: Overview of New Research in Sections A & B

• BsidesSLC Experience and Offer to Help
• CCM_RecentlyUsedApps Properties Forensics
• Secret Archives of Execution Evidence: CCM_RecentlyUsedApps
• BSides Los Angeles - Experience and Slides
• Windows Elevated Programs with Mapped Network Drives
• GUIs are Hard - Python to the Rescue - Part 1
• Reporting: Benefits of Peer Reviews
• Report Rapport
• Building Python Packages, By a Novice
• Blocks in Practical Use
• Block Hunting
• Unified We Stand
• Say Uncle
• Crashing into a Hint
• I Got This!
• Analyzing IEaaS in Windows 8