AVFA
Certification

Magnet Forensics - Putting the RD Pieces Back Together Certificate for Marc Robinson

Magnet Forensics - Putting the RD Pieces Back Together

Ransomware investigations are becoming increasingly prevalent, and the questions an analyst is faced with are similar in almost every investigation:

- How did the attacker get in?
- How long did the attacker have access to the system(s)?
- What files/folders did the attackers access?
- Was there any data exfiltration?

A majority of ransomware now does "cleanup" after running, deleting and overwriting important data such as event logs, recent user activity, PowerShell commands, etc. This talk delves into an often-overlooked artifact called the RDP Bitmap cache, which may contain the answers needed to make a determination one way or another on ransomware-related questions. It is a very interesting and very underutilized artifact that allows an analyst to quite literally piece together "what had happened was..."