Open Source Live Data Collection for Incident Response (an OSDFCon presentation)


With this year’s topics and speakers now lined up for OSDFCon, we thought we’d take the time to highlight each speaker’s work that led them to join us in Herndon, VA this October 28.

Our first interview is with speaker Brian Moran, a Baltimore-based digital forensics/incident response (DFIR) analyst and owner of BriMor Labs. Brian talked with us about why open source data collection tools matter to incident responders and their clients, and how Tiger Woods golf games influenced his entry into the DFIR field.

BT: Your talk topic this year is “Live Response Collection Overview.” What drove you to develop this toolkit?

BM: The primary driving force behind the development of the Live Response Collection (LRC) was a that a few of the solutions that proceeded it (like Mike Ahrendt’s TriageIR and Corey Harell’s Tr3Secure) didn’t quite do everything that I was looking for in a collection program. I also wanted to create something that could be run from an external drive with minimal user input, so anyone would be able to perform front-line data collection.

There were a few commercial solutions that did the easy collection that I was after, but they were VERY expensive (although they relied almost entirely on open source tools and methods). Collecting data is fairly straightforward, and although there are always exceptions to the norm, I sought to make the collection of data automated and repeatable.

From that, a couple of scenarios could happen:

  • It could save me time collecting the data, which translates to lower costs for the client during the collection phase.
  • It could also mean that a client could collect their own data ahead of my arrival (or they could collect it and mail it to my office directly) which saves the client time, money, and resources on the data collection phase. Businesses are better served by putting their limited amount of time, money, and resources into the analysis of that collected data.
  • The third possibility is that they could collect their own data, analyze it, and decide that they don’t have a problem after all or that they feel confident that they can remediate whatever it is themselves. That saves the business the expense of an incident responder altogether.

BT: What is the 2-line reason why a practitioner should attend your talk — what will they learn? 

BM: Collecting data to respond to a cybersecurity incident (be it an external breach, a malware outbreak, or an insider threat) is one of the most important “early stage” steps that a company or business can take. The goal of the LRC is to make that process automated and repeatable to make data collection possible for ANYONE, regardless of their level of technological expertise, as we’ve found many times that businesses, unsure if they have a problem or not, trample all over needed evidence while trying to determine if there is a problem or not. This attempts to prevent that.

BT: What brought you into the digital forensics domain?

BM: Tiger Woods golf, an Xbox 360 controller, and the Department of Defense. I was in the Air Force for 13 years, and my first all-expenses-paid trip to Iraq brought me into the realm of investigations, primarily focused on mobile devices.

My second all-expenses-paid trip to Iraq was going to involve intelligence analysis; however, thanks to playing video games on my laptop before getting into country, I was designated the “most qualified person” to perform digital forensics in support of detainee operations.

Yes, I really do owe my “start” in this field to playing a video game. I was using an Xbox 360 controller hooked up to my laptop to play Tiger Woods golf, which was nothing “extraordinary” because it is just another USB device as long as you have the proper driver installed. Once we actually got into country, the need arose for someone to perform digital forensics. I was tapped because I “knew all about computers.”

Fortunately, I met two contractors who had much more extensive backgrounds than myself, who took me under their wings and taught me what they knew. The rest, as they say, is history.

BT: What is your favorite aspect of digital forensics?

BM: This is one of the very few career fields where you can literally learn something new every day. There are so many aspects (memory forensics, network forensics, mobile forensics, vehicle forensics, drone forensics) that no one person can ever claim to be an “expert” in everything. There are always new operating systems coming out, new file systems, new methods and techniques that you continually have to adapt and adjust.

BT: How do open source digital forensics tools make your research and/or your investigative work easier? 

BM: I personally try to rely on open source tools as much as possible because that allows me to share and train the clients that I work with on how to perform some of the basic analysis and triage of data. The old adage of “teaching a man to fish” is definitely true, because oftentimes a problem or issue can be solved remotely, which saves time, money, and resources.

It is very satisfying to be able to help others gain experience and knowledge in the forensics and incident response field, because as I stated before, the field is in a constant state of change. The biggest breakthroughs of the past few years have all been because someone looked at data differently than everyone else. You never know where the next breakthrough will come from, and it can just as easily come from someone just entering the field as it can be from someone with 25 years of experience!

BT: Besides presenting, what are you looking forward to most about OSDFCon 2015?

BM: Networking and learning. OSDFCon is unique in my eyes because “marketing” presentations are strictly prohibited. All of the presenters are there to share their own experiences in an effort to make the community better . This aspect is very important to me, as our adversaries are sharing their own experiences, tactics, and methodologies, so why can’t we?

BT: What’s next for your toolkit and/or research?

BM: I am looking forward to exploring Windows 10 and finding out what “new” artifacts should be added to the collection and analysis processes. I am also hoping to be able to devote some more time to the OSX and Linux versions of the LRC, but since a very overwhelming majority of my cases involve a Windows environment; I don’t quite have as much time as I would like to do that!

Learn more about the Live Response Collection Toolkit and the wealth of other research being presented at OSDFCon — register to attend here. We look forward to seeing you October 28!