8:45 am - 9:00 am MT / 2:45 pm - 3:00 pm UTC | Welcome & Opening Remarks
9:00 am - 9:45 am MT / 3:00 pm - 3:45 pm UTC | In Person Speakers | Keynote (TBA)

Information on this session is to come.
9:45 am - 10:00 am MT / 3:45 pm - 4:00 pm UTC | Break
10:00 am - 10:35 am MT / 4:00 pm - 4:35 pm UTC | Virtual Track | macOS Lockdown Mode: A DFIR Odyssey

With increasing cyber threats, Apple introduced a robust security feature known as "Lockdown Mode." This session delves into the intricacies of Lockdown Mode, exploring its purpose and evolution. Initially designed to shield users from potential cyber threats, Lockdown Mode introduces a new layer of security by restricting certain functionality on Apple operating systems such as iOS, macOS, watchOS, and iPadOS. Participants will gain insight into the operational changes when Lockdown Mode is activated on macOS, including which functions are restricted. The restrictions imposed on macOS raise intriguing questions from a DFIR perspective about how they change traditional digital forensics. In this session, DFIR examiners will uncover the subtle yet significant artefacts generated, system log modifications, detection of LDM, and the implications for digital forensics and incident response (DFIR). We will delve into how this mode affects user accounts and accessibility, altering the balance between security and user experience. Additionally, participants will explore the potential challenges and solutions for navigating these changes effectively. The session aims to equip digital forensics professionals with the insights and skills needed to adapt to the evolving cybersecurity landscape.

Key takeaways:
1. Lockdown Mode Restrictions: LDM imposes security measures to reduce the attack surface of the device. Attendees will gain insight into which restrictions are actually implemented.
2. Lockdown Mode Forensic Artefacts: When LDM is enabled, it generates specific forensic artefacts, including logs, which are crucial during forensic investigations. These artefacts are demonstrated to raise DFIR examiner awareness of their impact during an investigation.
3. DFIR Implications of Lockdown Mode: LDM alters traditional DFIR techniques by restricting access to data and macOS functionality.

Attendees will gain comprehensive insight into how to deal with LDM in incident response and post-mortem forensics.
10:00 am - 10:35 am MT / 4:00 pm - 4:35 pm UTC | In Person Speakers | A North Korean Cyber Operation: Exposing ARP-Based Covert C2s, WebSocket Malware, and Video Conference Software Abuse

This research uncovers a real-world covert remote-control system designed by a North Korean IT worker, who was caught operating within an unsuspecting organization. The forensic investigation that followed pieced together a highly sophisticated malware ecosystem, leveraging ARP-based payload execution, WebSockets for stealthy command & control, and Zoom for covert persistence and remote access. Through deep technical analysis and a live attack demonstration, this session will break down how the attacker:
• Built an advanced C2 infrastructure using WebSockets to control infected machines.
• Used ARP packets as a payload transport mechanism, embedding commands inside network traffic to execute commands without traditional TCP/IP communication.
• Weaponized Zoom as a Remote Access Trojan (RAT), launching meetings without user interaction and auto-approving remote-control access via HID injection techniques.
• Covertly executed commands through a Python script, allowing keystroke and mouse movement emulation, bypassing endpoint logging.
• Enabled remote execution through a command client, which persistently reconnected to the C2 when the user was active.

By reverse-engineering the threat actor’s toolkit, we uncovered previously undocumented techniques used for network protocol abuse and application-layer persistence. The investigation highlights not only how these tactics were implemented by the North Korean IT worker, but also how defensive teams can detect and mitigate such stealthy attacks before they escalate into full-scale data exfiltration or espionage. This research not only provides insight into offensive security tactics but also delivers actionable detection and mitigation strategies for network defenders, threat hunters, and digital forensic investigators.

Key Takeaways for Attendees:
1. Understand how attackers can bypass security controls using ARP packet injection as a C2 transport layer.
2. See how WebSockets are leveraged for persistent malware communication.
3. Witness a live demonstration of a covert ARP-based malware executing system commands without TCP/IP.
4. Gain insight into how Zoom was used as a stealthy RAT, and how attackers manipulated the application for long-term persistence and remote control.
10:35 am - 11:10 am MT / 4:35 pm - 5:10 pm UTC | Virtual Track | Backdoors & Breadcrumbs: How Threat Actors Persist in Your Microsoft 365

Threat actors don’t just break in; they find creative ways to remain persistent. In this session, we will explore persistence techniques used in real-life Microsoft 365 incidents and how to identify them in your environment. From basic inbox rules to advanced techniques such as domain federation abuse, we’ll break down the tactics and techniques used by threat actors to maintain long-term access. For example, this talk will walk through what a threat actor needs in order to use SSPR to re-enter an account after the organization has changed the account password and reset sessions, and we'll also cover how threat actors have leveraged app passwords to initiate mass phishing campaigns even after being kicked out of the target account. Attendees will learn how to detect and investigate these persistence techniques using Microsoft logs, gain deeper insight into these techniques, and explore hardening strategies that help minimize risk.

Key Takeaways:
1) There are several persistence mechanisms threat actors can leverage to maintain a stealthy hold on your environment.
2) The detection methods for these different persistence mechanisms can be included in your threat hunt playbooks and used to identify suspicious and malicious activity.
3) The techniques and remediation steps can complement your incident response playbooks to reduce the impact of more sophisticated threats.
4) Administrators can take actions to reduce the risk of successful persistence by threat actors.
10:35 am - 11:10 am MT / 4:35 pm - 5:10 pm UTC | In Person Speakers | Playbook Power-Up: Applying Modular Design to Maintain IR Playbooks at Scale
Speaker: Jessica Gorman, Sr Director of Security Operations and Incident Response, Experian, Georgetown University

With only 23% of surveyed security professionals stating their incident response (IR) playbooks are updated frequently enough to keep up with best practices, a new approach is needed to “power up” the way organizations maintain their playbooks. The rise of Security Orchestration, Automation, and Response (SOAR) technology offers promising potential for cybersecurity teams to modernize incident response processes, but the challenge of managing and updating IR playbooks at scale persists, especially when organizations find themselves managing dozens (or even 100+) of them. This presentation leverages research conducted through Georgetown University’s Cybersecurity Risk Management program and inspired by years of incident response experience to walk participants through a new proposed framework for evaluating and redesigning their IR playbooks. Using concepts of “modular” design, this research has found that application of these principles can streamline playbook update processes, leading to up to 50% time savings and potentially reducing the risk of human error. Individuals responsible for managing process documentation and/or playbooks will come away with hands-on knowledge that can be applied to achieve real-world results.
11:10 am - 11:45 am MT / 5:10 pm - 5:45 pm UTC | Virtual Track | From Identity Admins to Cloud Compromise: Detecting Modern Ransomware Attacks in the Financial Sector

Human-operated ransomware groups have increased their focus on cloud environments, targeting identity administrators and cloud misconfigurations to gain persistent access. The financial sector is a particular focus of ransomware groups, given its high-value targets and its reliance on cloud-based identity platforms, virtual infrastructure, and SaaS applications, which provide multiple avenues for compromise. By compromising identity admins and abusing misconfigured access controls, adversaries can stealthily pivot through cloud workloads and initiate domain-wide ransomware attacks. This session offers an in-depth examination of real-world ransomware attack patterns by blending cyber threat intelligence, DFIR insights, and detection methodologies, including:
• Social engineering tactics against IT service desks and identity admins for initial access
• Credential theft, session hijacking, and multi-factor authentication (MFA) bypass methods
• Cloud-native intrusions leveraging federated identity abuse, misconfigured IAM roles, and token hijacking
• Ransomware deployment targeting VMware ESXi, Microsoft Entra ID (Azure AD), AWS, and SaaS environments
• Key forensic artifacts and detection strategies for post-compromise DFIR investigations
• Proactive defense mechanisms to strengthen identity systems and cloud workloads against ransomware actors

Attendees will gain the detection, response, and threat-hunting strategies necessary to combat these high-impact ransomware threats before they escalate into full-scale breaches in the financial sector.
11:10 am - 11:45 am MT / 5:10 pm - 5:45 pm UTC | In Person Speakers | Think Like an Examiner: Strengthening Your Forensic & Response Mindset

Cybersecurity professionals are often faced with complex, high-stakes investigations where quick decision-making and investigative accuracy are critical. However, many practitioners struggle to balance the rapid response required in Incident Response (IR) with the deep analytical mindset needed for Digital Forensics (DF). Without a structured investigative approach, security teams risk missing key evidence, drawing premature conclusions, or failing to remediate threats effectively. This presentation, “Think Like an Examiner: Strengthening Your Forensic & Response Mindset,” explores how cybersecurity professionals can develop a structured, examiner-focused approach that enhances both forensic accuracy and incident response agility. By shifting from a reactive mindset to an investigative mindset, examiners can improve their ability to analyze threats, preserve critical evidence, and make confident decisions in high-pressure environments.
11:45 am - 12:20 pm MT / 5:45 pm - 6:20 pm UTC | In Person Speakers | Investigating a Malicious Script in Microsoft Intune: A DFIR Case Study

The proliferation of cloud-based solutions has significantly transformed the landscape of enterprise security, with Microsoft Intune emerging as a pivotal tool for device and application management. This Digital Forensics and Incident Response (DFIR) case study delves into the forensic investigation of a malicious script within Microsoft Intune, highlighting procedural insights and analytical techniques. The incident, which occurred in 2023, involved unauthorized access to a client’s Azure tenant by Scattered Spider. This presentation discusses the forensic analysis conducted to recreate the attack and understand its impact, and describes the baseline configurations, forensic tools, and methodologies deployed to detect and analyze the attack. Key technical aspects discussed include leveraging the Graph API, tracking user actions and modification timestamps, and decoding PowerShell script contents with CyberChef.
12:20 pm - 1:30 pm MT / 6:20 pm - 7:30 pm UTC | Lunch
1:30 pm - 2:05 pm MT / 7:30 pm - 8:05 pm UTC | In Person Speakers | MDR to IR Handoffs: Stick the Landing

Security leaders and teams rely on MDR providers to deliver 24/7 monitoring of security events, augment the expertise of internal SOC analysts, assist with or perform response actions, and offer assurance that adversaries are not present in the environment through threat hunting. But sometimes an attack or incident becomes a breach, requiring specialized IR services offered through the MDR provider itself or an IR services firm and covered under attorney-client privilege. At a time when the regulatory compliance clock starts ticking for most organizations, the rapid, thorough transfer of information between providers, even those at the same vendor, is critical. But roles and knowledge transfer points are often unclear, delaying containment and investigation and requiring additional time and effort from already taxed security leaders and internal teams. This session will dive into best practices for seamless MDR to IR handoffs in a crisis and will help security leaders and professionals understand the roles, responsibilities, and decision points when escalating an incident to a breach and invoking IR services, either with their MDR provider or a third-party IR services firm.
2:05 pm - 2:40 pm MT / 8:05 pm - 8:40 pm UTC | In Person Speakers | Making Sense of the Chaos: When to Conduct Structured and Unstructured Threat Hunts

Making Sense of the Chaos explores two distinct threat hunting approaches: structured, hypothesis-driven hunts, and unstructured hunts, where the data leads the way. We'll discuss when to apply each method and examine how different triggers, such as intel reports or APT activity, can initiate a structured hunt. The talk will also cover how unstructured hunts unfold through data discovery. Attendees will gain insight into leveraging both approaches to achieve different objectives in threat hunting.
2:40 pm - 3:15 pm MT / 8:40 pm - 9:15 pm UTC | In Person Speakers | Does Slicing Onions Make You Cry? Forensic Analysis of Tails
Speaker: Aaron Sparling, Principal Incident Response Engineer, Walmart - Cyber Security Incident Response

Adversaries leverage the Tails (The Amnesic Incognito Live System) operating system for conducting criminal activity. This presentation will address forensic imaging and analysis issues and illustrate techniques which can be used to access and analyze the much needed data. Tails runs within the physical memory (RAM) of the host system, which, if imaged and analyzed, can provide numerous valuable forensic artifacts. This talk will address the issues faced when confronted with systems running Tails, options for imaging the Tails instance, and methods which can be applied to locate artifacts of interest for forensic analysis.
3:15 pm - 3:25 pm MT / 9:15 pm - 9:25 pm UTC | Break
3:25 pm - 4:00 pm MT / 9:25 pm - 10:00 pm UTC | In Person Speakers | Ensuring Data Integrity in Incident Response: Tools and Techniques for Forensically Sound Log Extraction
Speaker: Colin Meek, Consultant, Aon’s Stroz Friedberg Digital Forensics and Incident Response

Logs are foundational to nearly all DFIR engagements, yet reliably extracting logs from sources such as network appliances, SaaS applications, and cloud environments can be challenging. When standard UI-based exports fail, due to volume restrictions, technical limitations, or undocumented interfaces, investigators must turn to APIs for programmatic log collection. This session will share practical tips for API-driven log extraction, including a detailed real-life case study involving extraction from an undocumented API of a proprietary client application. Additionally, we will discuss real-life cases where log data was discovered to be incomplete during collection and highlight the impact this could have had on investigative outcomes. This presentation will also introduce an open-source log-analysis tool designed to assist DFIR professionals in quickly identifying potential issues in collected logs. The tool helps quickly highlight suspicious patterns, such as unexpected time gaps, duplicate events, suspiciously rounded event counts, JSON formatting errors, or indicators of potential redactions. Incorporating this tool into investigative workflows helps examiners proactively recognize potential data-quality concerns, supporting more informed decisions in high-stakes investigations.
4:00 pm - 4:35 pm MT / 10:00 pm - 10:35 pm UTC | In Person Speakers | Fueling Danger: Drone Threats to Critical Infrastructure and the Digital Forensic Examiner's Response
Speaker: Sarah Frances, Senior Director, Engineering, Aon’s Stroz Friedberg Digital Forensics and Incident Response

The vulnerability of critical energy infrastructure has come under increasing scrutiny as drones have become a favored tool for espionage and potential sabotage. With the ability to deliver explosives or gather intelligence undetected, drones present a significant threat to the global energy supply chain. This session will explore the forensic investigation of a simulated drone attack, detailing how evidence is collected, analyzed, and used to identify the perpetrators. Attendees will gain insight into the step-by-step process and understand the challenges and importance of securing vital assets against emerging aerial threats.
4:35 pm - 5:05 pm MT / 10:35 pm - 11:05 pm UTC | In Person Speakers | macOS Endpoint Security Framework: Not Another macOS Log Source

As many Mac DFIR professionals know, macOS is constantly changing. New features are regularly added to the platform that may provide a new source of information that an examiner can use during an investigation. One such feature, the Endpoint Security Framework, was added in macOS Catalina, and new capabilities are added in every major OS version update. In this talk, we will dive into the Endpoint Security Framework and discuss how to take advantage of the information it collects to complement other sources, such as the Apple Unified Log, to perform threat hunts. Although ESF is primarily used by EDRs for detection, practitioners can leverage it to baseline a system and monitor for anomalous activity. This talk targets DFIR professionals who need to determine what is currently happening on a system, rather than what happened in the past. We'll start by going over the features of ESF and then dive into using eslogger to stream events firing on the system. We will go over examples of running malware with the relevant Endpoint Security records side by side and discuss how the records can be leveraged as evidence. Lastly, we'll discuss how to cut through the noise and filter on relevant events. With this talk, we hope to educate audience members on an additional feature of macOS that can be used in DFIR investigations involving an actively compromised system. Listeners will walk away with a better understanding of the information that macOS tracks and how to synthesize that information to focus on what matters.
5:00 pm - 5:10 pm MT / 11:00 pm - 11:10 pm UTC | Closing Remarks