pts2024

Incident response with DFIR-ORC
2024-07-04, 09:00–12:00 (Europe/Paris), Workshop room 2

This workshop serves as a primer on using DFIR-ORC for incident response, with practical, hands-on exercises. It will also cover FastFind, a tool integrated into DFIR-ORC for running large-scale searches for indicators of compromise across an enterprise network.


DFIR ORC, an acronym for the French "Outil de Recherche de Compromission" (Tool for Compromise Research), is an open-source suite of tools designed for the reliable extraction and collection of essential artifacts like the MFT, registry hives, or event logs. This suite has the capability to incorporate external tools along with their configurations. While DFIR ORC is adept at data collection, it does not perform data analysis or machine triage, nor is it equipped to monitor attackers like an EDR or HIDS/HIPS system. Instead, it offers a forensically sound snapshot of Microsoft Windows-running machines. Over time, DFIR ORC has matured into a stable and dependable tool for the accurate collection of pristine data. It is scalable for deployment across large enterprise networks and can be adjusted to minimize its impact on operational environments.

Prerequisites

For this workshop, the following requirements should be met beforehand:

- having a Windows environment with an x86 CPU (ARM, including Apple Mx chips, is not supported) in which an elevated shell is available (cmd or PowerShell). A VM will work fine, and Visual Studio is not required

- retrieving (or cloning) the GitHub project holding the DFIR-ORC configuration, so that you start from a working configuration: https://github.com/DFIR-ORC/dfir-orc-config

- in the tools directory of the dfir-orc-config repository:

  - retrieving the latest version of the unconfigured DFIR-ORC binaries (32-bit and 64-bit: DFIR-Orc_x86.exe and DFIR-Orc_x64.exe): https://github.com/DFIR-ORC/dfir-orc/releases/latest

  - retrieving the autorunsc.exe binary (https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns)

  - either retrieving the extra binaries used by the configuration, or creating an empty file with the right name for each of them:

    - handle.exe (https://learn.microsoft.com/en-us/sysinternals/downloads/handle)

    - Tcpvcon.exe (https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview)

    - PsService.exe (https://learn.microsoft.com/en-us/sysinternals/downloads/psservice)

    - Listdlls.exe (https://learn.microsoft.com/en-us/sysinternals/downloads/listdlls)

  - two more executables are needed but may be empty (just create an empty file with that name): DumpIt.exe and winpmem.exe. I'll explain why during the workshop
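The PowerShell script below is an added example, not part of the workshop page or of the DFIR-ORC project: it carries out the preparation steps above in one go and ends with a listing you can use to check the result (placeholder files show a Length of 0). It assumes git is installed, that the repository is cloned into the current directory and has a tools directory as the page states, that the GitHub releases API is reachable, and that the Sysinternals zip download URLs on download.sysinternals.com (not listed on this page) are still valid.

```powershell
# Added example: prepare the tools directory of a dfir-orc-config checkout.
# Assumptions: git is available, network access works, and the Sysinternals
# zip URLs below (documented on the Sysinternals site, not on the workshop page)
# are still valid.
$ErrorActionPreference = 'Stop'
# Windows PowerShell 5.1 may default to an older TLS version; GitHub requires TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$repo = 'https://github.com/DFIR-ORC/dfir-orc-config'
if (-not (Test-Path 'dfir-orc-config')) { git clone $repo }
$tools = Join-Path (Resolve-Path 'dfir-orc-config') 'tools'
New-Item -ItemType Directory -Force -Path $tools | Out-Null

# 1. Unconfigured DFIR-ORC binaries, located through the GitHub releases API.
$release = Invoke-RestMethod -Uri 'https://api.github.com/repos/DFIR-ORC/dfir-orc/releases/latest'
foreach ($name in 'DFIR-Orc_x86.exe', 'DFIR-Orc_x64.exe') {
    $asset = $release.assets | Where-Object { $_.name -eq $name }
    if (-not $asset) { throw "asset $name not found in release $($release.tag_name)" }
    Invoke-WebRequest -Uri $asset.browser_download_url -OutFile (Join-Path $tools $name)
}

# 2. Sysinternals tools: fetch each zip and extract only the executable the
#    configuration references. If an executable is not found in its archive,
#    fall back to the empty placeholder the page allows.
$sysinternals = @{
    'autorunsc.exe' = 'https://download.sysinternals.com/files/Autoruns.zip'
    'handle.exe'    = 'https://download.sysinternals.com/files/Handle.zip'
    'Tcpvcon.exe'   = 'https://download.sysinternals.com/files/TCPView.zip'
    'PsService.exe' = 'https://download.sysinternals.com/files/PSTools.zip'
    'Listdlls.exe'  = 'https://download.sysinternals.com/files/ListDlls.zip'
}
$scratch = Join-Path $env:TEMP 'dfir-orc-tools'
New-Item -ItemType Directory -Force -Path $scratch | Out-Null
foreach ($exe in $sysinternals.Keys) {
    $zip = Join-Path $scratch ($exe + '.zip')
    Invoke-WebRequest -Uri $sysinternals[$exe] -OutFile $zip
    $dir = Join-Path $scratch ([IO.Path]::GetFileNameWithoutExtension($exe))
    Expand-Archive -Path $zip -DestinationPath $dir -Force
    $found = Get-ChildItem -Path $dir -Filter $exe -Recurse | Select-Object -First 1
    if ($found) {
        Copy-Item -Path $found.FullName -Destination (Join-Path $tools $exe)
    } else {
        Write-Warning "$exe not found in archive, creating an empty placeholder"
        New-Item -ItemType File -Force -Path (Join-Path $tools $exe) | Out-Null
    }
}

# 3. Memory acquisition tools referenced by the configuration: empty
#    placeholders are enough for the workshop, as the prerequisites state.
foreach ($exe in 'DumpIt.exe', 'winpmem.exe') {
    $path = Join-Path $tools $exe
    if (-not (Test-Path $path)) { New-Item -ItemType File -Path $path | Out-Null }
}

# Final check: every expected file should be present; placeholders have Length 0.
Get-ChildItem -Path $tools | Select-Object Name, Length
```

Run it from an elevated PowerShell in the directory where you want the checkout to live. The script only downloads into the checkout and a scratch folder under %TEMP%; nothing is installed or executed, so a failed download simply stops the script at that step.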

15 seats will be available for this workshop