2024-07-04, 14:00–17:00 (Europe/Paris), Workshop room 2
This workshop will show participants how to set up instances of Yeti and Timesketch and interconnect them. After the infrastructure is set up, participants will learn how to add data, run feeds, and set up Yeti to automatically augment Timesketch sketches with useful threat and forensics intelligence data. Once all that is ready, we’ll upload some forensics data to Timesketch and run through a full investigation, using intelligence from Yeti to hit the ground running. We’ll also curate intelligence as we go, and see how this intelligence will be fed back into Yeti, and be made accessible in future cases. If time permits, we’ll do an end-to-end run of the OSS DFIR pipeline using GRR and dfTimewolf.
Full details of the workshop and steps we'll follow are available here: https://yeti-platform.io/guides/indicators-timesketch/
Start by pulling the docker images in advance so that we don't saturate the Internet connection on the day of the workshop.
Yeti:
git clone https://github.com/yeti-platform/yeti-docker
cd yeti-docker/prod
docker compose pull
Timesketch:
git clone https://github.com/google/timesketch
cd timesketch/docker/dev
docker compose pull
Download the evidence:
https://drive.google.com/drive/folders/1AA8mOkUOOxQj-IjbvN9MPNzCA4CJRkT4 (all-plaso-files.zip contains all the .plaso files in that directory.)
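Before loading the archive into Timesketch, it is worth inventorying what it contains and recording a hash of each .plaso file for the evidence log. The script below is an added example for this workshop prep, not part of the Yeti or Timesketch projects: it lists the .plaso members of a zip, hashes them without extracting, and flags members whose names would escape the extraction directory. The archive it builds in memory is a constructed stand-in (its member names and contents are made up) so the script runs offline; pass the path of the real all-plaso-files.zip on the command line to inventory the actual download.

```python
"""Inventory and sanity-check an evidence archive before extraction.

Added example for the workshop prep (not project code). With no argument it
inspects a constructed in-memory zip; with a path it inspects that file.
"""
import hashlib
import io
import sys
import zipfile


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of a byte string (used for the evidence log)."""
    return hashlib.sha256(data).hexdigest()


def is_safe_member(name: str) -> bool:
    """Reject absolute paths and '..' components so extraction stays in the target dir."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return False
    return ".." not in normalized.split("/")


def inventory_archive(data: bytes) -> dict:
    """Return {'plaso': {member: sha256}, 'other': [names], 'unsafe': [names]}.

    Members are hashed in chunks straight from the archive; nothing is written
    to disk, so an unsafe member name is reported rather than acted upon.
    """
    result = {"plaso": {}, "other": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if not is_safe_member(name):
                result["unsafe"].append(name)
                continue
            if not name.lower().endswith(".plaso"):
                result["other"].append(name)
                continue
            digest = hashlib.sha256()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result["plaso"][name] = digest.hexdigest()
    return result


def build_constructed_archive() -> bytes:
    """Constructed stand-in for all-plaso-files.zip; contents are NOT real plaso data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("all-plaso-files/host1.plaso", b"plaso-placeholder-1")
        zf.writestr("all-plaso-files/host2.plaso", b"plaso-placeholder-2")
        zf.writestr("all-plaso-files/README.txt", b"not evidence")
        # A hostile member name: would land outside the extraction directory.
        zf.writestr("../escape.plaso", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            archive = fh.read()
    else:
        archive = build_constructed_archive()
    inv = inventory_archive(archive)
    for member, h in sorted(inv["plaso"].items()):
        print(f"{h}  {member}")
    if inv["other"]:
        print("non-plaso members:", ", ".join(inv["other"]))
    if inv["unsafe"]:
        print("UNSAFE member names (do not extract blindly):", ", ".join(inv["unsafe"]))
```

Keep the printed hash lines with your case notes; after extraction you can re-hash the files on disk with `sha256sum` and confirm nothing changed before uploading them to Timesketch.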
Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US.
A lecturer and researcher at ESIEA and an independent consultant in Threat Intelligence, he contributes to numerous open source projects such as MISP and Yeti. He is also the author of numerous articles, an international speaker and lecturer on malware analysis, digital forensics and Cyber Threat Intelligence at ESIEA, and co-author of the book "Cybersécurité et Malwares Détection, analyse et Threat Intelligence (4e édition)".